Overview
This article explains how to enable SCIM for an existing Azure AD connection that already has users and whose “User ID Attribute Type” setting is “Pairwise Subject Identifier”.
Applies To
- Azure AD
- Entra ID
- SCIM
Cause
The Pairwise Subject Identifier option in the Auth0 connection configuration uses the sub-claim received from Azure AD (Entra ID). The sub-claim is generated on the fly, and Microsoft's documentation explains it best:
The subject of the information in the token. For example, the user of an app. This value is immutable and can’t be reassigned or reused. The subject is a pairwise identifier and is unique to an application ID. If a single user signs into two different apps using two different client IDs, those apps receive two different values for the subject claim. You may or may not want two values depending on your architecture and privacy requirements.
Microsoft does not provide an option to map the sub-claim in their SCIM mapping solution as of 2025.
Solution
For the SCIM integration to work, the Azure AD connection on the Auth0 side must be updated to use “User Object Identifier (oid)” for the “User ID Attribute Type” setting, and on the Azure AD (Entra ID) side the externalId attribute must be mapped to objectId.
This update changes the claim used for the user ID, so the SCIM integration will create duplicate users for the existing users. To clean up the previously existing users (those keyed on the sub-claim), there are a few options:
If the old users do not have metadata:
- Those users can be deleted from Auth0 with the Management API or directly from the Auth0 dashboard in the User Management view.
If the old users have metadata:
- The old users can be linked to those generated by SCIM as they log in. The SCIM-generated users must be primary during the account linking.
- The user’s metadata from the old account can be retrieved, the account created by SCIM can be updated with the metadata, and finally, the old account can be deleted.
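The second option above (copy the old account's metadata onto the SCIM-created account, then delete the old account), as an added Python example that is not Auth0's own code; it also handles the no-metadata case by deleting those users directly. It assumes old and new users are correlated by email, that `client` wraps an authenticated Auth0 Management API session, and that the user ids and addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from urllib.parse import quote

@dataclass
class User:
    """Minimal view of an Auth0 user record (fields as returned by GET /api/v2/users)."""
    user_id: str
    email: str
    user_metadata: dict = field(default_factory=dict)
    app_metadata: dict = field(default_factory=dict)

def merge_metadata(old: dict, new: dict) -> dict:
    """Copy old metadata onto the SCIM account; existing SCIM keys win (idempotent re-runs)."""
    merged = dict(old)
    merged.update(new)
    return merged

def plan_migration(old_users, new_users):
    """Pair each old (sub-based) user with its SCIM-created (oid-based) user by email.
    Returns (actions, unmatched): actions are ("patch"|"delete", user_id, body), metadata
    copy before delete; old users with no SCIM counterpart are left untouched."""
    by_email = {u.email.lower(): u for u in new_users}
    actions, unmatched = [], []
    for old in old_users:
        new = by_email.get(old.email.lower())
        if new is None:
            unmatched.append(old.user_id)  # never delete an account that was not replaced
            continue
        if old.user_metadata or old.app_metadata:
            actions.append(("patch", new.user_id, {
                "user_metadata": merge_metadata(old.user_metadata, new.user_metadata),
                "app_metadata": merge_metadata(old.app_metadata, new.app_metadata)}))
        actions.append(("delete", old.user_id, None))
    return actions, unmatched

def apply_plan(client, actions):
    """Run a plan. `client` (assumed) exposes patch(path, json) and delete(path) against the
    Management API; its token needs the update:users and delete:users scopes."""
    for op, user_id, body in actions:
        path = f"/api/v2/users/{quote(user_id, safe='')}"  # the '|' in user_id must be encoded
        if op == "patch":
            client.patch(path, body)
        else:
            client.delete(path)

# Constructed sample data: "waad" is Auth0's Azure AD strategy prefix; the ids are made up.
OLD_USERS = [User("waad|sub-aaa", "alice@example.com", {"plan": "gold"}, {"roles": ["admin"]}),
             User("waad|sub-bbb", "bob@example.com"),
             User("waad|sub-ccc", "carol@example.com", {"plan": "free"})]
NEW_USERS = [User("waad|oid-111", "alice@example.com", {"seat": 3}),
             User("waad|oid-222", "bob@example.com")]
```

Review the returned plan and the unmatched list before calling `apply_plan`; the unmatched users (here carol, who has no SCIM counterpart yet) are deliberately left alone.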