Connect Azure AD / Entra ID to AI Vitals via SCIM
This guide walks your IT admin through connecting Microsoft Azure Active Directory (now called Microsoft Entra ID) to AI Vitals so that employees are automatically added and removed from the platform when their Azure account is activated or deactivated. No manual invite emails needed.
Before you start — what you'll need
- ✓ A SCIM token and SCIM Base URL — provided by your AI Vitals account manager or platform admin
- ✓ Azure AD / Entra ID admin access (Global Administrator or Application Administrator role)
- ✓ The AI Vitals Enterprise Application already created in Azure (or you'll create one during this guide)
Sign in to the Azure portal
Go to portal.azure.com and sign in with your administrator account.
Navigate to Enterprise Applications
In the search bar at the very top of the page, type Enterprise applications and click it in the results. Alternatively, click the hamburger menu (the three horizontal lines) in the top-left, then Azure Active Directory (or Microsoft Entra ID), then Enterprise applications in the left sidebar.
Open the AI Vitals application
Find and click on the AI Vitals enterprise application in your list.
If you haven't added it yet: click + New application at the top, then search the gallery for “AI Vitals”. If it doesn't appear in the gallery, click Create your own application, name it “AI Vitals”, select Integrate any other application you don't find in the gallery, and click Create.
Open Provisioning settings
In the left sidebar of the AI Vitals application, click Provisioning.
Click the Get started button if you see it, or go straight to the Provisioning page.
Set Provisioning Mode to Automatic
Next to Provisioning Mode, change the dropdown from Manual to Automatic.
A section called Admin Credentials will appear below.
Enter your credentials
Fill in the two fields under Admin Credentials:
Tenant URL
https://your-domain.aivitals.io/api/scim/v2
Secret Token
(paste the token your AI Vitals admin gave you)
Click Test Connection. You should see a green banner saying “The supplied credentials are authorized to enable provisioning.”
The Tenant URL should end in /api/scim/v2 with no trailing slash.
Click Save at the top of the page.
Review Attribute Mappings (optional)
Scroll down to the Mappings section. You'll see two entries — one for users, one for groups. Click on Provision Azure Active Directory Users.
The default mappings (email, name, active status) are correct for AI Vitals. You don't need to change anything here unless your IT team has a specific requirement.
Click the back arrow to return to the Provisioning overview.
Turn on Provisioning
At the top of the Provisioning page, find the Provisioning Status toggle. Switch it from Off to On.
Click Save.
Assign users or groups to AI Vitals
In the left sidebar, click Users and groups.
Click + Add user/group at the top. Select the users or groups (e.g. “All Employees”) who should have access to AI Vitals, then click Assign.
Verify the sync worked
In the Provisioning page, scroll down to Current cycle status to see the sync progress. After it completes, check the Provisioning logs (left sidebar) for any errors.
Ask your AI Vitals L&D Admin to go to Admin Panel → Users and confirm the assigned employees appear there.
What happens when an employee leaves?
When you disable or delete an employee's account in Azure AD, AI Vitals is automatically notified on the next sync cycle (within 40 minutes). Their sessions are revoked and they can no longer sign in. Their assessment history is retained for compliance purposes. You don't need to take any action in AI Vitals.
Troubleshooting
"Test Connection" fails with an authorization error
The token was likely not copied correctly, or it has been revoked. Ask your AI Vitals admin to generate a new token and try again.
Provisioning is on but no users have appeared in AI Vitals
Check that users are actually assigned to the AI Vitals application (Users and groups tab). Also check the Provisioning logs for specific errors — look for any row marked "Failure".
Provisioning logs show a 404 error
The Tenant URL is incorrect. Confirm the exact URL with your AI Vitals admin. It should end in /api/scim/v2 with no trailing slash.
Provisioning logs show a 403 error
The Secret Token is not being accepted. It may have been revoked or entered incorrectly. Ask your AI Vitals admin to generate a new token.
A departed employee still has access after being disabled in Azure
Azure syncs every 20–40 minutes. If it has been more than an hour, check the Provisioning logs for errors. You can also manually trigger a sync by clicking "Provision on demand" in the Azure Provisioning page.
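As an added example (not AI Vitals' or Microsoft's code), the Python below checks a Tenant URL against the /api/scim/v2 rule from this guide and shows how to confirm over SCIM that a disabled employee is no longer active. It assumes the AI Vitals endpoint accepts the standard RFC 7644 userName filter; the user jane.doe@example.com and the sample response are constructed.

```python
import json
from urllib.parse import quote, urlsplit

SCIM_SUFFIX = "/api/scim/v2"  # path suffix this guide requires, no trailing slash


def tenant_url_problems(url):
    """Return a list of problems with a Tenant URL; an empty list means it looks right."""
    parts = urlsplit(url.strip())
    problems = []
    if parts.scheme != "https":
        problems.append("scheme must be https so the bearer token is never sent in clear text")
    if parts.path.endswith("/"):
        problems.append("remove the trailing slash")
    if not parts.path.rstrip("/").endswith(SCIM_SUFFIX):
        problems.append("path must end in " + SCIM_SUFFIX)
    if parts.query or parts.fragment:
        problems.append("remove the query string or fragment")
    return problems


def user_lookup_url(tenant_url, user_name):
    """Build the RFC 7644 filter query for one user (assumes the endpoint supports it)."""
    escaped = user_name.replace("\\", "\\\\").replace('"', '\\"')
    return tenant_url + "/Users?filter=" + quote('userName eq "' + escaped + '"')


def still_active(list_response_json):
    """Return the userNames in a SCIM ListResponse that are not marked inactive."""
    body = json.loads(list_response_json)
    # Anything without an explicit "active": false counts as still active (fail closed).
    return [r.get("userName") for r in body.get("Resources", [])
            if r.get("active", True) is not False]


# Constructed sample: an account disabled in Azure that has not been synced yet.
SAMPLE_RESPONSE = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1,
    "Resources": [{"id": "example-id", "userName": "jane.doe@example.com", "active": True}],
})

if __name__ == "__main__":
    print(tenant_url_problems("https://your-domain.aivitals.io/api/scim/v2/"))
    print(user_lookup_url("https://your-domain.aivitals.io/api/scim/v2", "jane.doe@example.com"))
    print(still_active(SAMPLE_RESPONSE))
```

Send the lookup URL as a GET request with the header `Authorization: Bearer <SCIM token>`, and keep the token out of shell history and tickets.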
