You can automate user creation, updates, and deactivation in BoldSign by connecting Microsoft Entra ID to BoldSign using SCIM 2.0. Generate a SCIM Tenant URL and a secret token in BoldSign, create a non-gallery enterprise application in Entra ID, set provisioning mode to automatic, configure attribute mappings, and then start provisioning. Entra ID will then sync changes to BoldSign on a regular cadence, about every 40 minutes.
- Best for: IT teams that want centralized onboarding/offboarding and consistent access control.
- Protocol: SCIM 2.0 (Microsoft Entra ID > BoldSign).
What SCIM Provisioning does in BoldSign
Once configured, Entra ID can automatically manage the full user lifecycle in BoldSign:
- Invites users to BoldSign via email when provisioned.
- Updates user profile information like names, job titles, phone numbers, and more as attributes change.
- Deactivates users in BoldSign when removed from Entra ID.
- Supports role-based access control using Entra ID app roles like Admin, Member, and TeamAdmin.
Reduce manual admin work and keep BoldSign aligned with your identity source of truth.
What you need before you start
- BoldSign plan: Business or higher
- BoldSign access: Account administrator
Set up Entra ID SCIM Provisioning
Entra ID provisions users into BoldSign automatically, including create, update, and deactivate functions.
Required access, credentials, and SCIM details before setup
- Access to the BoldSign admin dashboard
- Access to the Microsoft Entra Admin Center
- Your BoldSign tenant URL and SCIM secret token, which is generated in BoldSign
Part A: Generate the SCIM tenant URL and token in BoldSign
1. Log in to BoldSign, then go to Settings > Identity Management > User Provisioning.
2. Locate the tenant URL and select Generate Token.
3. Copy the token immediately and store it securely, as it is shown only once.
4. You can keep up to two active tokens, which is useful for rotation, and delete tokens to disable the associated SCIM endpoint.
After you leave the screen, the token is only visible as a hashed value. If you lose the token, generate a new one.
If you see a request to upgrade, note that provisioning requires a Business plan or higher. Upgrade to enable the feature.
Part B: Create a non-gallery enterprise app in Microsoft Entra ID
1. In the Microsoft Entra Admin Portal, go to Enterprise Applications > New Application.
2. Select Create your own application and choose Integrate any other application you do not find in the gallery (Non-gallery).
3. Name it and select Create.
This app is the container Entra ID uses to run SCIM provisioning to BoldSign.
Part C: Connect Entra ID provisioning to BoldSign
1. Open the enterprise app, then go to Provisioning.
2. Set the Provisioning Mode to Automatic.
3. Paste the tenant URL and secret token you generated in BoldSign.
4. Select Test Connection, then Save if successful.
Part D: Configure attribute mapping
In the same Provisioning area, expand Mappings and:
- Disable group provisioning (not needed for BoldSign).
- Enable user provisioning.
- Set lifecycle actions to Create, Update, and Delete.
Recommended baseline mappings:
| Customappsso attribute | Microsoft Entra ID attribute | Matching precedence | Apply this mapping | Mapping type | Header |
|---|---|---|---|---|---|
| userName | userPrincipalName | 1 | Always | Direct | Mandatory |
| active | Switch([IsSoftDeleted], , "False", "True", "True", "False") | – | Always | Expression | Mandatory |
| title | jobTitle | – | Always | Direct | Mandatory |
| name.givenName | givenName | – | Always | Direct | Mandatory |
| name.familyName | surname | – | Always | Direct | Mandatory |
| phoneNumbers[type eq "mobile"].value | mobile | – | Always | Direct | Mandatory |
| roles[primary eq "True"].value | SingleAppRoleAssignment([appRoleAssignments]) | – | Always | Expression | Mandatory |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department | department | – | Always | Direct | Mandatory |
| externalId | objectId | – | Always | Direct | Mandatory |
| emails[type eq "work"].value | | – | Always | Direct | Mandatory |
Pro tip: Keep mappings minimal until provisioning is stable. Add additional attributes only if you have a clear downstream need.
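To see what these mappings produce, the following added example (not BoldSign or Microsoft code) applies them to a constructed Entra ID user record and builds the resulting SCIM 2.0 User resource. The `switch` helper and the first-role handling are simplified models of Entra's `Switch` and `SingleAppRoleAssignment` functions, and the emails row is left out because the table gives no source attribute for it.

```python
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"


def switch(source, default, *pairs):
    """Model of Entra's Switch(source, default, key1, value1, ...)."""
    for key, value in zip(pairs[0::2], pairs[1::2]):
        if source == key:
            return value
    return default


def to_scim_user(entra_user, assigned_roles):
    """Apply the baseline mappings to one Entra ID user record (a dict)."""
    # active <- Switch([IsSoftDeleted], , "False", "True", "True", "False")
    soft_deleted = str(bool(entra_user.get("IsSoftDeleted", False)))
    active = switch(soft_deleted, "", "False", "True", "True", "False")
    user = {
        "schemas": [CORE, ENTERPRISE],
        "userName": entra_user["userPrincipalName"],
        "externalId": entra_user["objectId"],
        "active": active == "True",
        "title": entra_user.get("jobTitle"),
        "name": {"givenName": entra_user.get("givenName"),
                 "familyName": entra_user.get("surname")},
        ENTERPRISE: {"department": entra_user.get("department")},
    }
    if entra_user.get("mobile"):
        user["phoneNumbers"] = [{"type": "mobile", "value": entra_user["mobile"]}]
    # roles <- SingleAppRoleAssignment([appRoleAssignments]); simplified here to
    # "the first app role assigned to the user for this app, if there is one".
    if assigned_roles:
        user["roles"] = [{"primary": True, "value": assigned_roles[0]}]
    return user


# Constructed sample records; no real directory data.
ALICE = {"userPrincipalName": "alice@example.com",
         "objectId": "00000000-0000-0000-0000-000000000001",
         "givenName": "Alice", "surname": "Ng", "jobTitle": "Counsel",
         "department": "Legal", "mobile": "+1 555 0100", "IsSoftDeleted": False}
BOB = dict(ALICE, userPrincipalName="bob@example.com", IsSoftDeleted=True)

if __name__ == "__main__":
    import json
    print(json.dumps(to_scim_user(ALICE, ["TeamAdmin"]), indent=2))
    print(to_scim_user(BOB, [])["active"])  # soft-deleted user is sent as inactive
```

The soft-deleted record is the one to check during offboarding tests: it should reach BoldSign with `active` set to false.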
Part E: Choose provisioning scope and notifications
1. Enable email notifications for provisioning failures so you can respond quickly.
2. Select a scope:
   * Synchronize all users and groups with the default role as member.
   * Synchronize only assigned users and groups, which lets you assign custom roles.
3. Select Save.
Start SCIM provisioning and initiate user sync to BoldSign
1. Go to the app’s Overview page.
2. Select Start Provisioning.
Entra ID syncs users to BoldSign about every 40 minutes.
Assign Role with RBAC
If you want Entra ID to assign BoldSign roles during provisioning, create app roles in Entra ID and map them through the roles SCIM attribute.
Create app roles in Entra ID
1. Go to App registrations > All applications and open your BoldSign provisioning app.
2. Go to App roles > Create app role and then create these roles: Admin, Member, TeamAdmin.
3. The value must match the display name exactly. It is case sensitive and should have no added spaces.
Assign users or groups to roles
1. Go to Users and groups > Add user/group.
2. Select the users and groups you want to provision and assign one of the roles.
3. If no role is selected, BoldSign assigns Member by default.
RBAC is optional, but it’s the cleanest way to align BoldSign access with Entra ID governance.
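Because a role value that differs from its display name by case or a stray space will not match, it helps to check the app registration before assigning anyone. This added example (not BoldSign or Microsoft code) checks the `appRoles` array of an app registration manifest against the rules above; the sample manifest is constructed, and the `allowedMemberTypes` check assumes roles are meant to be assigned to users and groups.

```python
import json

EXPECTED = ("Admin", "Member", "TeamAdmin")  # role names listed in this guide

# Constructed sample of the "appRoles" array from an app registration manifest.
SAMPLE_MANIFEST = json.loads("""
{"appRoles": [
  {"displayName": "Admin", "value": "Admin", "isEnabled": true,
   "allowedMemberTypes": ["User"]},
  {"displayName": "Member", "value": "member", "isEnabled": true,
   "allowedMemberTypes": ["User"]},
  {"displayName": "TeamAdmin", "value": "TeamAdmin ", "isEnabled": true,
   "allowedMemberTypes": ["Application"]}
]}
""")


def check_app_roles(manifest):
    """Return (role, problem) pairs for roles that break the rules in this guide."""
    findings, usable = [], set()
    for role in manifest.get("appRoles", []):
        name, value = role.get("displayName", ""), role.get("value") or ""
        problems = []
        if any(ch.isspace() for ch in value):
            problems.append("value contains whitespace")
        if value != name:
            problems.append("value does not match display name exactly")
        if value not in EXPECTED:
            problems.append("value is not one of " + ", ".join(EXPECTED))
        if not role.get("isEnabled", False):
            problems.append("role is disabled")
        if "User" not in role.get("allowedMemberTypes", []):
            problems.append("not assignable to users or groups")
        if problems:
            findings.extend((name, p) for p in problems)
        else:
            usable.add(value)
    # A role that is absent or failed a check cannot be mapped during provisioning.
    findings.extend((r, "role missing or unusable") for r in EXPECTED if r not in usable)
    return findings


if __name__ == "__main__":
    for role, problem in check_app_roles(SAMPLE_MANIFEST):
        print(f"{role}: {problem}")
```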
Provisioning behavior in BoldSign
- Runs approximately every 40 minutes.
- Sends invitation emails to users.
- Team assignment uses department:
  - If the department matches an existing team, the user joins that team.
  - If there is no matching team, a new team is created.
  - If the department is empty, the user joins the Organization Admin team.
Deprovisioning and offboarding
- Deleted users are deactivated, not permanently removed.
- Documents must be manually reassigned in BoldSign after deactivation.
- If a user is deleted before accepting the invitation, the invite is canceled.
Troubleshooting: Common SCIM errors
If provisioning fails, BoldSign can email the admin with details.
| Issue | What it usually means | What to check first |
|---|---|---|
| User limit reached | Your BoldSign plan hit its user cap. | Increase seats or adjust provisioning scope. |
| Invalid secret token | The token in Entra ID is wrong or outdated. | Regenerate the token in BoldSign and update Entra ID. |
| Connectivity issues | Temporary network or sync errors prevented provisioning. | Retry later; review Entra provisioning logs. |
| User conflict | The user already exists in BoldSign or another org. | Resolve duplicate identity; confirm org membership. |
Conclusion and next steps
Integrating Microsoft Entra ID with BoldSign via SCIM 2.0 automates onboarding, updates, and offboarding, reducing manual admin work and strengthening governance. Once configured, Entra ID keeps BoldSign user access aligned with your identity system and syncs changes on an ongoing cadence.
Note: This blog was originally published at boldsign.com