Microsoft Entra ID

Configure SCIM provisioning with Microsoft Entra ID

Let Entra ID create, update, and deactivate RansomLeak learner accounts automatically. New hires get training access on day one; leavers lose it the moment they are offboarded.

Last updated June 2026

Prerequisites

  • A RansomLeak tenant with admin access
  • The "Manage Integrations" permission
  • Entra ID P1 and the Application Administrator role

Your tenant is reachable at https://<your-subdomain>.ransomleak.com. Replace <your-subdomain> with your own subdomain throughout this guide. Automatic provisioning requires a Microsoft Entra ID P1 license or higher.

Provisioning is configured on the same enterprise application as SSO. If you have not set up SSO yet, create the application first using the SAML SSO guide, then return here. Provisioning also works on its own without SSO.

Supported features

  • Create users
  • Update user attributes
  • Deactivate users
  • Group provisioning (groups map to roles)
  • Team & manager sync

RansomLeak deactivates users with a SCIM active: false update rather than a hard delete, so a learner's history is preserved when they are offboarded. Entra ID sends each user's directory object ID as externalId, which RansomLeak stores as the stable account anchor.

Get your SCIM credentials in RansomLeak

  1. Sign in to https://<your-subdomain>.ransomleak.com as a tenant admin.

  2. Go to Admin → Tenant Settings → SCIM provisioning.

  3. Click Generate token. RansomLeak shows your base URL and bearer token:

    Base URL: https://<subdomain>.ransomleak.com/scim/v2

  4. Copy the token now; it is shown only once. Generating a new token invalidates the previous one. Store it securely; you will paste it into Entra ID next.

Configure Entra ID

  1. Open your RansomLeak enterprise application in the Microsoft Entra admin center and go to Provisioning → Get started. Set Provisioning Mode to Automatic.

  2. Under Admin Credentials, enter:

    Tenant URL: https://<subdomain>.ransomleak.com/scim/v2
    Secret Token: <token-from-RansomLeak>

  3. Click Test Connection. When it succeeds, select Save.

  4. Open Settings, set Scope to Sync only assigned users and groups, then set Provisioning Status to On and save.

  5. Assign users or groups under Users and groups. Entra ID provisions them into RansomLeak on its sync cycle.

Entra ID runs provisioning on a cycle. The first sync can take up to 40 minutes; later changes sync within roughly 40 minutes. Use Provision on demand to push a single user immediately while you test.

Attribute mapping

Entra ID ships a default SCIM mapping that already covers the core fields. Keep the defaults, with one adjustment: map the user's email to userName so provisioning and SSO resolve to the same account.

Core attributes

Entra attribute | SCIM attribute | Populates in RansomLeak
mail | userName | Email / login
mail | emails[type eq "work"].value | Email
givenName | name.givenName | First name
surname | name.familyName | Last name
displayName | displayName | Display name
objectId | externalId | Stable external ID

Set userName to mail. Entra's default maps userPrincipalName to userName. If your UPN differs from the user's email, change the userName mapping to mail so the SCIM account matches the email-based Name ID used at sign-in.

Teams, managers, and job titles

RansomLeak reads the standard SCIM enterprise extension (urn:ietf:params:scim:schemas:extension:enterprise:2.0:User) to populate job titles, teams, and the reporting line. Add these mappings to power team-based and manager-based reporting.

Entra attribute | SCIM attribute | Populates in RansomLeak
jobTitle | title | Job title
department | …:enterprise:2.0:User:department | Team (created automatically if the name is new)
manager | …:enterprise:2.0:User:manager | Reporting line, used to build your org hierarchy

RansomLeak creates a team from the department name when it does not exist yet, and links each user to their manager by external ID. If a manager is provisioned after their reports, RansomLeak backfills the reporting line automatically once the manager arrives.
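The two mapping tables and the active: false deactivation described earlier, applied to constructed directory records. This is an added example, not RansomLeak or Microsoft code; the function names, the sample users and the managerObjectId field are assumptions made for illustration.

```python
import json

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

def to_scim_user(entra, username_source="mail"):
    """Build the SCIM User resource implied by the two mapping tables."""
    ext = {"department": entra.get("department")}
    if entra.get("managerObjectId"):
        # Assumption: manager is referenced by Entra object ID ("by external ID").
        ext["manager"] = {"value": entra["managerObjectId"]}
    return {
        "schemas": [CORE, ENTERPRISE],
        "externalId": entra["objectId"],     # stable account anchor
        "userName": entra[username_source],  # mail, not Entra's default UPN
        "active": True,
        "displayName": entra["displayName"],
        "name": {"givenName": entra["givenName"], "familyName": entra["surname"]},
        "emails": [{"type": "work", "value": entra["mail"]}],
        "title": entra.get("jobTitle"),
        ENTERPRISE: ext,
    }

def deactivate_patch():
    """RFC 7644 PatchOp form of the active: false update (no hard delete)."""
    return {"schemas": [PATCH_OP],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}

def login_mismatches(users):
    """Object IDs whose UPN differs from mail (wrong login under the default)."""
    return [u["objectId"] for u in users
            if u["userPrincipalName"].lower() != u["mail"].lower()]

# Constructed sample records; IDs, names and addresses are made up.
SAMPLE = [
    {"objectId": "00000000-0000-0000-0000-000000000001", "displayName": "Ana Lim",
     "userPrincipalName": "ana.lim@example.com", "mail": "ana.lim@example.com",
     "givenName": "Ana", "surname": "Lim", "jobTitle": "IT Manager",
     "department": "IT"},
    {"objectId": "00000000-0000-0000-0000-000000000002", "displayName": "Ben Ortiz",
     "userPrincipalName": "bortiz@corp.example.com", "mail": "ben.ortiz@example.com",
     "givenName": "Ben", "surname": "Ortiz", "jobTitle": "Analyst",
     "department": "IT", "managerObjectId": "00000000-0000-0000-0000-000000000001"},
]

if __name__ == "__main__":
    print(json.dumps(to_scim_user(SAMPLE[1]), indent=2))
    print(json.dumps(deactivate_patch()), login_mismatches(SAMPLE))
```

Running login_mismatches over a directory export before turning provisioning on shows which accounts depend on the userName-to-mail change.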

Group provisioning

RansomLeak Groups correspond to tenant roles. Assign an Entra group to the application and keep group provisioning on; RansomLeak creates a matching role and assigns it to the group's members. Group create, update, and delete are all supported.

Troubleshooting

Symptom | Fix
Test Connection fails | Confirm the Tenant URL ends in /scim/v2 and the Secret Token is the exact token from RansomLeak. Entra adds the Bearer prefix for you.
401 after it previously worked | The token was regenerated or revoked in RansomLeak. Generate a new one and update the Secret Token in Entra.
Provisioning entered quarantine | Entra quarantines after repeated failures. Fix the credential or mapping, then use Restart provisioning.
User created with the wrong login | Map userName to mail if your UPN differs from the user's email address.

Need a hand?

Email support@ransomleak.com and we will help you connect Microsoft Entra ID to your tenant.
