Organizations that use Azure Active Directory user provisioning (Azure AD) for user management can integrate it with their StarLeaf account. Azure AD integration is an additional option on your StarLeaf Enterprise account.

We encourage you to sign up to a free Azure AD account to explore and exercise the features made available to you with StarLeaf before integrating it with your production Azure AD environment. To get your free trial account, go to


  • Push new users from Azure AD to StarLeaf
  • Push user updates from Azure AD to StarLeaf
  • Push user deactivation from Azure AD to StarLeaf

How to set up the integration

  1. Ensure that Azure AD integration is activated on your StarLeaf account. To activate Azure AD integration on your StarLeaf account, contact StarLeaf technical support at
  2. Complete StarLeaf Portal configuration (described below).
  3. Add StarLeaf in Azure AD (described below).

StarLeaf Portal configuration for Azure AD integration

Before you can configure StarLeaf provisioning in Azure AD, you need to know the Tenant URL and Secret Token.

  1. Log in to .
  2. Go to Integrations > Add integration.
  3. Select Microsoft Azure Active Directory and select Apply.
  4. You see the SCIM server URI and Access token:
  5. Make a note of the SCIM base URL and Access token. You will need these when you configure Azure AD.

Add StarLeaf in Azure AD

  1. Log in to the Azure portal .
  2. Go to Azure Active Directory > Enterprise applications.
  3. Select New application.
  4. Under Add from the gallery type ‘StarLeaf’.
  5. Select the StarLeaf application and select the blue Add button. You see the configuration page of the StarLeaf application.
  6. On the configuration page:
    1. Select Provisioning and set the Provisioning Mode to Automatic.
    2. Enter the SCIM base URL and Access token from the Portal into the Tenant URL and Secret Token fields respectively.
    3. Select Test Connection. This confirms that you have used the correct credentials.
    4. Select Save.
  7. Set Provisioning Status to On.
  8. Ensure that Scope is set to ‘Sync only assigned users and groups’.
  9. Ensure that the box is ticked where it says ‘Clear current state and synchronization’.
  10. Select Save.

Users added in Azure AD take a minimum of 20 minutes to appear in the StarLeaf Portal. This may take longer if there are a lot of users / user groups.

If you add a user to Azure AD and this user already exists in the StarLeaf Portal with an identical email address, the user will be managed in Azure AD from that point on.


For reference, the attribute mappings look like this:

Azure AD attribute Customapp attribute matching precedence
Compulsory attributes
mailNickname externalId 1
userPrincipalName username 2
Not([IsSoftDeleted]) active  
userPrincipalName emails[type eq “work”].value  
The following attributes are dependent on your AD configuration, but will include some of:
givenName name.givenName  
surname name.familyName  
displayName name.formatted  
mobile phoneNumbers[type eq “mobile”]  
telephoneNumber phoneNumbers[type eq “work”]  
preferredLanguage preferredLanguage  


If you think your access token has been compromised, you must create a new token. In the StarLeaf Portal, go to the Azure Active Directory Integration and select Regenerate access token and select Apply. You must enter the new token in Azure AD as the Secret Token.