Once Single Sign-on (SSO) is set up, you can configure System for Cross-domain Identity Management (SCIM 2.0) provisioning in Entra ID (formerly known as Azure AD) with Udemy Business.
SCIM provisioning enables you to provision and deprovision users, create groups, manage group membership, manage licenses, and change user profile details like name and email address in Entra ID, which automatically updates Udemy Business. You will no longer need to update Entra ID and Udemy Business separately, as these actions are all synced from Entra ID.
Please note:
- SSO must be enabled prior to activating SCIM.
- Single sign-on and provisioning are available to Udemy Business Enterprise Plan customers.
- Users provisioned through Entra ID won't take up a license until they log into the Udemy Business application for the first time.
- SCIM provisioning changes can only be synced from Entra ID to Udemy Business, not the other way round.
- Users and Groups managed by SCIM in Entra ID can't be changed within the Udemy Business app; SCIM is the single source of truth for user and group data.
- You can still create groups manually in Udemy Business if you have users that you don’t need or want to push from Entra ID, such as contractors or temporary staff.
- Note: SCIM API tokens for Udemy Business last for approximately two years. Admins will be sent a notification:
  - 30 days before the token expiry
  - After the token expiry
Configure SCIM Provisioning with Entra ID
1. In your Udemy Business account, go to Manage > Settings > Provisioning (SCIM).
2. Click Start Setup, choose your Identity Provider and follow the instructions to generate the Secret Token (Bearer token) which you then need to input into Entra ID.
3. Access your Entra ID account and go to your Udemy Business SSO app and follow the steps below to get set up. You can also refer to Microsoft’s own configuration guide for SCIM Provisioning with Entra ID for further guidance.
Go to the Provisioning tab in your Azure portal.
Note: udemyazure is a test name we used in the screenshots below for the purpose of illustrating how to configure SCIM. When configuring your own instance, use the app that was named by your team.
4. In the Provisioning Mode field, select Automatic.
5. In the Admin Credentials section:
Tenant URL: https://yourdomain.udemy.com/scim/v2 (yourdomain is the URL for your Udemy Business account)
Secret Token: This is a Bearer token that you can generate or view inside your Udemy Business account.
- Go to Manage > Settings > User Access to get the Secret Token.
6. Click Test Connection to check that it’s working correctly.
7. (Optional) Enter an email address if you wish to receive alerts from Azure about errors.
8. In Mappings:
Go to Provision Microsoft Entra ID User:
Once inside, you should see the attribute mappings list.
Supported attributes
Confirm that the required attributes below are added in the customappsso Attributes as these fields are required for SCIM provisioning to function within Udemy.
| SCIM attribute | Required? | Description |
|---|---|---|
| emails[type eq "work"].value | Yes | Email of the user. Must be unique. |
| userName | Yes | The userName from the IdP. Must be unique. |
| active | Yes | Flag to deactivate/reactivate users. |
| externalId | Yes | The externalId of the user from the IdP. Must be unique. |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:employeeNumber | Yes | Returns the employeeNumber field from EnterpriseSchema and stores it as the external_id field. Should match the attribute you want sent to externalId. |
| name.givenName | No | Given name of user. Even though they are not required, we recommend always specifying those attributes since it’ll make it easier to identify users. |
| name.familyName | No | Family name of user. Even though they are not required, we recommend always specifying those attributes since it’ll make it easier to identify users. |
| name, { givenName, familyName } | No | Given name and family name of the user. Even though they are not required, we recommend always specifying those attributes since it’ll make it easier to identify users. |
| title | No | User’s job title, e.g. “Senior Engineer”. |
| urn:ietf:params:scim:schemas:extension:udemy:2.0:User:licensePoolName | No | The license pool name. |
| urn:ietf:params:scim:schemas:extension:udemy:2.0:User:licenseTypes | No | A comma-separated list of license types. Accepted values: |
Make sure the Microsoft Entra ID attribute for emails[type eq "work"].value matches the value you configured in your SSO email attribute and claims (i.e. mail or userPrincipalName).
Confirm the attribute Switch([IsSoftDeleted], , "False", "True", "True", "False") is mapped to active, which allows the deactivation of users to be passed over to Udemy Business.
Once you have added the attributes, update the Matching precedence so that emails[type eq "work"].value is set to 1.
You might have to update userName to 2 or 3.
9. Scroll down to the bottom of the User Attributes Mapping and enable Show advanced options. Select Edit attribute list for customappsso and enable Exact case for both id and userName.
10. Return to the main Provisioning setting screen:
11. In the Scope field, choose how you want to sync your users and groups.
You can sync only users and groups who are assigned the Udemy Business app if you need to restrict access to certain employees or departments. Or, you can sync all users and groups if every employee is going to have access.
In order to provision more users and groups with Udemy Business access:
12. Click Users and groups
13. Click on Add User, which will give you the option to add both Users and Groups.
Select all users or the groups you want to add to the application and click Select.
Troubleshooting
In relation to Mappings:
If you experience this error when provisioning:
{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":400,"detail":"{'emails': ['This field is required.']}"}
You should change the mapping of the User.
emails[type eq "work"].value needs to be mapped to userPrincipalName (that is, if userPrincipalName is where the email is).
If you go to the user profile, you should be able to see which field contains the email there.
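The check below is an added example, not code from Udemy or Microsoft. It tests a SCIM user resource against the required attributes in the table above and decodes the 400 error shown above, whose `detail` field carries a Python-style dict as text. The sample user, the helper names and the `_detail` fallback key are constructed for illustration.

```python
import ast
import json

ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

def work_email(user):
    """Resolve emails[type eq "work"].value from a SCIM user resource."""
    for entry in user.get("emails") or []:
        if entry.get("type") == "work" and entry.get("value"):
            return entry["value"]
    return None

def missing_required(user):
    """Return the required attributes (per the table above) absent from `user`."""
    checks = {
        'emails[type eq "work"].value': work_email(user),
        "userName": user.get("userName"),
        "active": user.get("active"),  # False is a valid value, only None is missing
        "externalId": user.get("externalId"),
        ENTERPRISE + ":employeeNumber": (user.get(ENTERPRISE) or {}).get("employeeNumber"),
    }
    return [name for name, value in checks.items() if value is None or value == ""]

def rejected_fields(error_body):
    """Map field name -> messages from a SCIM 400 error like the one above."""
    err = json.loads(error_body)
    if "urn:ietf:params:scim:api:messages:2.0:Error" not in err.get("schemas", []):
        return {}
    try:
        # `detail` holds a Python-style dict as text: parse literals only, never eval().
        detail = ast.literal_eval(err.get("detail", ""))
    except (ValueError, SyntaxError):
        return {"_detail": [err.get("detail", "")]}  # hypothetical fallback key
    return detail if isinstance(detail, dict) else {"_detail": [str(detail)]}

# Constructed sample: the mapped source attribute produced no "work" email.
SAMPLE_USER = {
    "userName": "jdoe@example.com",
    "active": True,
    "externalId": "E1001",
    ENTERPRISE: {"employeeNumber": "E1001"},
    "emails": [{"type": "home", "value": "jdoe@home.example"}],
}
SAMPLE_ERROR = ('{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],'
                '"status":400,"detail":"{\'emails\': [\'This field is required.\']}"}')

if __name__ == "__main__":
    print("missing before push:", missing_required(SAMPLE_USER))
    print("rejected by service:", rejected_fields(SAMPLE_ERROR))
```
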
For any errors provisioning users, you can view more details by looking into the provisioning logs.
- You can obtain this log by going to the Udemy App on Azure > Provisioning > Provisioning Logs > Search for the affected user > Troubleshooting & Recommendations.
- If needed, open a support ticket and provide a screenshot of the Azure provisioning logs so we can take a look at what failed.