This guide shows you how to connect Azure Entra ID to Dify Enterprise Edition’s SCIM service for automatic member synchronization.

Set Up Your Azure Application

1. Create a New Application

In the Azure admin portal, go to Applications and click New application.

Select Create your own application, give it a name (e.g., “dify”), choose Integrate any other application you don’t find in the gallery (Non-gallery), then click Create.

2. Assign Users and Groups

From the application’s left menu, select Users and groups, then click Add user/group.

3. Set Up Provisioning

  1. In the left menu, go to Provision → Get started → Connect your application.

  1. Under Admin credentials, enter:
  • Tenant URL: Your SCIM endpoint URL
  • Secret token: Your SCIM authentication token

Get these values from Sync Members.

  1. Click Test Connection to verify your setup.

  2. If the test passes, click Save.

4. Configure Attribute Mappings

  1. On the provisioning page, click Mappings. You’ll see two default mappings:
  • Provision Microsoft Entra ID Users - for syncing users
  • Provision Microsoft Entra ID Groups - for syncing groups
  1. Click each mapping and keep only these attributes:
  • Provision Microsoft Entra ID Users
customappsso AttributeMicrosoft Entra ID Attribute
userNameuserPrincipalName
activeSwitch([IsSoftDeleted], , “False”, “True”, “True”, “False”)
displayNamedisplayName
  • Provision Microsoft Entra ID Groups
customappsso AttributeMicrosoft Entra ID Attribute
displayNamedisplayName
membersmembers

5. Start Provisioning

  1. Return to the main Provisioning page

  2. Under Settings, choose your sync scope:

  • “Sync only assigned users and groups” (best for selective sync)
  • “Sync all users and groups” (for organization-wide sync)

  1. Click Save
  2. Click Start provisioning

First-time sync can take 20 minutes to several hours, depending on your directory size.

6. Sync User Groups

To include groups in the sync:

  1. Create a group in Azure Entra ID
  2. In your Dify application, click Users and groups
  3. Add the groups you want to sync

Enable SCIM in Dify

Once Azure is configured:

  1. Go to the Dify admin dashboard
  2. Navigate to Members → click the menu button → Automatic synchronizationEnable

Sync isn’t instant. Azure controls the sync schedule. Check your provisioning logs in Azure for sync history.