Brex and Microsoft Entra ID (Azure) SCIM

Overview

PremiumEnterpriseSmart card

A System for Cross-domain Identity Management (SCIM) is an integration that helps you automate user access for your company’s Brex account. You can use it to provision Brex user accounts for your employees after you’ve added them to your Microsoft Entra ID instance or to disable users after you’ve removed them from Microsoft Entra ID.

Microsoft Entra ID setup

You can connect a Microsoft Entra ID SCIM account to your Brex account by following these steps: Note: Step 1 is optional. If you’d prefer not to set up your Microsoft Entra ID SAML SSO, skip to Step 2. However, if you want to configure both Microsoft Entra ID SSO and SCIM, make sure you complete the steps in the following order. Step 1: Set up the Microsoft Entra ID SAML SSO for your account by following the steps in this help article. Step 2: Go to the Applications > Enterprise applications page in your Microsoft Entra ID admin dashboard. Step 3: Click New application to create a new SCIM application. Step 4: Click Create your own application.

Step 5: Enter a name for your application, choose Integrate any other application you don’t find in the gallery (Non-gallery), and click Create.

Step 6: Click on Provisioning.

Step 7: Under Manage, select Provisioning. Enter your SCIM API credentials (these will be sent to you via a secure document from our team) and click Test Connection to confirm the settings are correct. Click Save.

Step 8: Manage your user’s mappings by selecting Provision Microsoft Entra ID Users.

Step 9: Set the userName to the mail Entra ID attribute so that the email identifier is used for the profile instead of the userPrincipalName. Without changing this, we cannot match the users in your Brex account. Click Ok and then Save.

Attributes map to Brex as follows:

• Department: This maps to the department attribute in Brex.
• Cost Center: This maps to the cost center attribute in Brex. Entra ID does not map this by default.
• Division: This attribute maps to the legal entity in Brex with exact name match. Entra ID does not map this by default.
  • Note: We expect legal entities to already exist in Brex before you can map employees to them. You can create legal entities from the Brex dashboard.
• Manager value: This attribute maps to the manager email in Brex. For manager import, make sure to map the manager’s ID reference to the manager value.
• Country: This attribute maps to the location attribute in Brex by default.
  • Any other value can be supplied as the location attribute in Brex by providing a custom profile mapping in Entra ID

Step 10: To map the manager, edit the attribute list for the application and add a new reference attribute urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager.value that has a referenced object attribute of urn:ietf:params:scim:schemas:extension:enterprise:2.0:User.id.

You’ve now integrated Entra ID SCIM with your Brex account. To test your setup, assign the SCIM app to an Entra ID user and verify that the user is provisioned in the Teams page of your Brex dashboard.