Introduction
This guide shows enterprise admins how to connect Microsoft Entra ID (formerly Azure AD) user provisioning to Popl Teams using a standards-based provisioning flow, align attributes, and validate end‑to‑end lifecycle management. It also documents Popl’s Azure AD Instant Sync and SSO options so you can choose the right approach for your environment.
- Popl enterprise security and SSO: see Enterprise and Integrations.
- Azure AD/Entra member syncing reference: Sync members from Microsoft Active Directory (Entra ID).
 
Provisioning options at a glance
- Entra ID SCIM-style provisioning to Popl: For IT-driven, policy-based lifecycle management (create, update, deprovision) from your source of truth. Attribute mappings below are aligned to the Popl Teams profile model.
- Popl Instant Sync for Entra ID: Point-and-click directory sync purpose‑built for rapid rollout and scheduled updates (Daily/Weekly/Monthly/Quarterly), including default and custom mappings (contact teams@popl.co for custom fields). See the Popl guide: Azure AD Instant Sync.
- SSO (SAML/SSO via Azure/Okta) with governed access: Combine provisioning with SSO to enforce access, MFA, and centralized offboarding. See Enterprise.
 
Prerequisites
- Entra ID permissions: Application Administrator or Cloud Application Administrator, plus permissions to configure Enterprise Apps > Provisioning.
- Popl Teams admin account with Full Team Admin permissions to manage members and mappings (see Docs).
- Target groups defined in Entra ID (security groups or dynamic groups) for scoping who should receive Popl accounts.
- Decide your approach: SCIM-style provisioning or Popl Instant Sync. Most enterprises start with Instant Sync to deploy quickly, then migrate to SCIM-style for advanced governance.
 
Architecture
1) HRIS/Directory (source of truth) → Entra ID
2) Entra ID → Popl Teams (provisioning: create/update/deprovision)
3) Entra ID → Popl SSO (SAML/SSO) for authentication
4) Popl → CRM/HR/Marketing systems via native integrations (e.g., Salesforce, HubSpot; see Integrations)

Step-by-step: Entra ID SCIM-style provisioning to Popl
The following uses Entra ID Enterprise Applications. If you are standardizing on Popl Instant Sync, jump to the next section.
1) Create an Enterprise Application
- Entra admin center → Enterprise applications → New application → Create your own application → Integrate any other application you don’t find in the gallery.
- Name it “Popl (Provisioning)”.
 
2) Assign users and groups
- Users and groups → Add user/group → select your Popl target groups (recommended: scope by groups, not All Users).
 
3) Configure Provisioning
- Provisioning → Get started.
- Provisioning Mode: Automatic.
- Enter the Tenant URL and Secret Token issued for your Popl tenant (request from your Popl CSM or support if not already enabled). Save.
- Test Connection → expect a successful connection.
 
4) Scope and sync rules
- Provisioning → Settings: Set Scope to “Sync only assigned users and groups.”
- Extend with scoping filters if needed (e.g., by department or country).
 
5) Attribute mappings (Users)
- Open Mappings → Provision Azure Active Directory Users → review and adjust per the table below.
 
6) Start provisioning
- Provisioning → Start provisioning. Initial sync can take minutes to hours depending on tenant size.
 
7) Validate in Popl
- In the Popl Teams admin dashboard, verify that members are created/updated and card templates/branding are applied (see Enterprise).
 
Recommended attribute mapping (Entra → Popl)
Use these production-ready mappings drawn from Popl’s Instant Sync defaults and typical enterprise directory schemas. Adjust to your directory standards as needed.
| Popl field | Recommended Entra ID source | Notes | 
|---|---|---|
| Display Name | user.displayName | Primary card name. See Azure AD Instant Sync mapping. | 
| Email | user.mail (fallback user.userPrincipalName) | Popl requires a unique work email for CRM/SSO alignment. |
| Job Title | user.jobTitle | Title printed on card/profile. | 
| Company | organization name or user.companyName | Typically tenant name or business unit name. | 
| Mobile Phone | user.mobilePhone (fallback businessPhones[0]) | Popl defaults to mobile; falls back to business phone. | 
| Location (Street) | user.streetAddress | Part of the Location composite. | 
| Location (City) | user.city | |
| Location (State/Province) | user.state | |
| Location (Postal Code) | user.postalCode | |
| Location (Country/Region) | user.country | |
| Profile Picture | user.thumbnailPhoto | Popl supports profile picture import. | 
| Department (optional) | user.department | Useful for subteam routing/branding. | 
| Manager (optional) | user.manager | For approvals/reporting logic if used. | 
Reference mapping is consistent with Popl’s documented defaults for Azure AD Instant Sync (name, email with UPN fallback, job title, company, phone with mobile→business fallback, full address, and profile picture). See: Sync members from Microsoft Active Directory.
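
A pre-flight check of the fallback rules in the table, as an added example (not code from Popl or Microsoft). It runs over a constructed sample shaped like Microsoft Graph user objects; the function names and the case-insensitive email comparison are assumptions.

```python
from collections import defaultdict

# Constructed sample of Graph-style user objects (not real directory data).
SAMPLE_USERS = [
    {"id": "u1", "displayName": "Ana Ruiz", "mail": "ana.ruiz@example.com",
     "userPrincipalName": "ana.ruiz@example.com", "jobTitle": "Account Exec",
     "mobilePhone": "+1 555 0100", "businessPhones": []},
    {"id": "u2", "displayName": "Ben Ode", "mail": None,
     "userPrincipalName": "ben.ode@example.com", "jobTitle": "",
     "mobilePhone": None, "businessPhones": ["+1 555 0101"]},
    {"id": "u3", "displayName": "Ana R. (contractor)", "mail": "Ana.Ruiz@example.com",
     "userPrincipalName": "ana.ruiz_ext@example.com", "jobTitle": "Contractor",
     "mobilePhone": None, "businessPhones": []},
    {"id": "u4", "displayName": "Svc Scanner", "mail": None,
     "userPrincipalName": "", "jobTitle": None,
     "mobilePhone": None, "businessPhones": []},
]

def resolve_email(user):
    """user.mail, falling back to user.userPrincipalName; lower-cased (assumption)."""
    value = (user.get("mail") or user.get("userPrincipalName") or "").strip()
    return value.lower() or None

def resolve_phone(user):
    """user.mobilePhone, falling back to businessPhones[0]."""
    phones = [user.get("mobilePhone")] + list(user.get("businessPhones") or [])[:1]
    return next((p.strip() for p in phones if p and p.strip()), None)

def preflight(users):
    """Return {user id: [findings]} for records likely to fail or sync incompletely."""
    findings = defaultdict(list)
    by_email = defaultdict(list)
    for u in users:
        email = resolve_email(u)
        if email is None:
            findings[u["id"]].append("no mail or UPN")
        else:
            by_email[email].append(u["id"])
        if resolve_phone(u) is None:
            findings[u["id"]].append("no phone")
        if not (u.get("jobTitle") or "").strip():
            findings[u["id"]].append("blank jobTitle")
    for email, ids in by_email.items():
        if len(ids) > 1:  # two directory objects would map to one Popl email
            for uid in ids:
                findings[uid].append(f"duplicate email {email}")
    return dict(findings)
```

Running `preflight` against the scoped groups before starting provisioning surfaces the records the Troubleshooting section describes (missing or non-unique email, missing phone, blank title) before they reach Popl.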
Group-based provisioning and branding
- Use Entra ID groups to drive who gets provisioned. Map Popl subteams/branding to those groups for department‑specific card templates, permissions, and cost centers; see Enterprise.
 
Deprovisioning recommendations
- Offboarding: When a user is removed from the scoped Entra group(s) or disabled, Entra should send a deprovisioning event to Popl.
- Best practice: Configure Entra to “Soft delete” first (disable sign-in), then remove on the next cycle; coordinate with Popl admins if you prefer to reassign the user’s digital card or transfer owned assets before final delete.
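
An offboarding reconciliation check, as an added example (not code from Popl or Microsoft): it lists Popl members who should already have been deprovisioned. The data is constructed; the `groups` field (memberships resolved beforehand), the group names, and the shape of the Popl member export are assumptions.

```python
# Constructed data: Entra users with pre-resolved group memberships, and a
# hypothetical export of active Popl member emails.
SCOPED_GROUPS = {"grp-popl-sales", "grp-popl-exec"}
ENTRA_USERS = [
    {"mail": "ana.ruiz@example.com", "accountEnabled": True,  "groups": ["grp-popl-sales"]},
    {"mail": "ben.ode@example.com",  "accountEnabled": False, "groups": ["grp-popl-sales"]},
    {"mail": "cy.lund@example.com",  "accountEnabled": True,  "groups": ["grp-all-staff"]},
]
POPL_ACTIVE_MEMBERS = ["ana.ruiz@example.com", "Ben.Ode@example.com",
                       "cy.lund@example.com", "dee.park@example.com"]

def orphaned_members(entra_users, scoped_groups, popl_members):
    """Return {email: reason} for Popl members who should already be deprovisioned."""
    directory = {u["mail"].lower(): u for u in entra_users if u.get("mail")}
    result = {}
    for email in popl_members:
        key = email.strip().lower()
        user = directory.get(key)
        if user is None:
            result[key] = "not found in Entra ID"
        elif not user.get("accountEnabled", False):
            result[key] = "account disabled in Entra ID"
        elif not scoped_groups.intersection(user.get("groups", [])):
            result[key] = "not in any scoped group"
    return result

if __name__ == "__main__":
    for email, reason in orphaned_members(
            ENTRA_USERS, SCOPED_GROUPS, POPL_ACTIVE_MEMBERS).items():
        print(f"{email}: {reason}")
```

Any entry that is still reported after the next provisioning cycle is a deprovisioning event that did not take effect and needs manual follow-up.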
 
Step-by-step: Popl Instant Sync (Entra ID)
If you prefer the fastest path with rich, prebuilt mappings:
1) In Popl Teams, enable Instant Sync for Microsoft Entra ID (Azure AD).
2) Choose Auto Sync cadence: Daily (recommended), Weekly, Monthly, or Quarterly.
3) Confirm default field mappings (as above) or request custom field mappings via teams@popl.co (1–2 day turnaround).
4) Select the Entra groups to sync; invites can be toggled on/off for new members.
5) Save and run the initial sync; verify members/cards in Popl.

Source: Azure AD Instant Sync and Enterprise.
Single Sign‑On (SSO)
After provisioning, configure SSO so users authenticate through Entra with your MFA/Conditional Access baselines.
- Popl supports SSO via Azure/Okta SAML 2.0 with role‑based access controls and MFA; see Enterprise and Integrations.
 
Testing and rollout checklist
- Pilot scope: one IT admin, one test group, and a few representative users.
- Connection test: “Test Connection” in Entra Provisioning must succeed.
- Dry run: Start provisioning, verify 3–5 records in Popl; confirm card template, branding, and default links.
- SSO validation: Confirm Entra SSO enforces MFA and sign‑in restrictions.
- CRM handoff: Capture a test lead in the Popl mobile app and confirm CRM auto‑sync (see Integrations).
- Rollout: Expand group scopes, monitor audit logs in Entra and the Popl admin dashboard.
 
Troubleshooting
- Test Connection fails
  - Re‑paste the Tenant URL and Secret Token exactly as issued for your Popl tenant; ensure outbound firewall/inspection is not altering headers.
- Users not appearing in Popl
  - Confirm they’re in the assigned Entra group and within the provisioning Scope; check that user.mail or UPN is populated and unique.
- Phone numbers missing
  - Ensure user.mobilePhone is set; Popl will fall back to businessPhones[0] per recommended mapping.
- Titles/locations wrong or blank
  - Verify user.jobTitle and address fields in Entra; confirm your mapping list reflects the attributes you actually populate.
- Profile pictures not syncing
  - Confirm thumbnailPhoto is available; large images can be rejected by directory policies—standardize to typical profile photo sizes.
- Deprovisioning didn’t remove access
  - User might still be in a scoped group; for SSO, enforce sign‑in blocked/disable and verify a subsequent provisioning cycle processed the delete.
- Need custom fields or subteam logic
  - Contact teams@popl.co to add custom Entra→Popl mappings or automate subteam routing; see Integrations.
 
Security and compliance
Popl provides enterprise‑grade security (SOC 2 Type II, encryption at rest/in transit, GDPR alignment) and supports SSO with Azure. See: Enterprise and DPA.
Related resources
- Popl Enterprise overview: Enterprise
- Popl Integrations hub: Integrations
- Azure AD Instant Sync to Popl: How to sync members from Microsoft Active Directory
- Popl API & admin docs: Docs