Once Single Sign-on (SSO) is set up you can configure Udemy for Cross-domain Identity Management (SCIM 2.0) provisioning in Entra ID (formerly Azure AD) with Udemy Business. This will allow you to provision, deprovision, create groups, manage group membership and change user profile details like name and email address in Entra ID, which automatically updates Udemy Business. You will no longer need to update both Entra ID and Udemy Business separately with these actions as it will all be synced from Entra ID.
Please note: Entra ID is formerly known as Azure AD.
To enable SCIM Provisioning for your Udemy Business account, first go to your Udemy Business account and access Manage > Settings > Provisioning (SCIM).
Click Start Setup and follow the instructions to enable SCIM and generate the Secret Token (Bearer token) which you then need to put into Entra ID.
Please note:
- SSO must be enabled prior to activating SCIM
- Single sign-on and provisioning are available to Udemy Business Enterprise Plan customers.
- Users provisioned through Entra ID will not take up a license until they log into the Udemy Business application for the first time.
- SCIM provisioning changes can only be synced from Entra ID to Udemy Business, not the other way round.
- Users and Groups managed by SCIM in Entra ID cannot be changed within the Udemy Business app - SCIM is the single source of truth for user and group data.
- You can still create groups manually in Udemy Business if you have users that you don’t need or want to push from Entra ID, eg. contractors or temporary staff.
Configure SCIM Provisioning with Entra ID
1. To enable SCIM Provisioning for Udemy Business, first go to your Udemy Business account and access Manage > Settings > Provisioning (SCIM).
2. Click Start Setup, choose your Identity Provider and follow the instructions to generate the Secret Token (Bearer token) which you then need to input into Entra ID.
3. Next, access your Entra ID account and go to your Udemy Business SSO app and follow the steps below to get set up. You can also refer to Microsoft’s own configuration guide for SCIM Provisioning with Entra ID for further guidance.
Go to the Provisioning tab in your Azure portal.
(Note: udemyazure is a test name we used in the screenshots below for the purpose of illustrating how to configure SCIM; you should locate the app that was named by your team when configuring within your own instance)
4. Choose Automatic as the Provisioning Mode.
5. In the Admin Credentials section:
Tenant URL is: https://yourdomain.udemy.com/scim/v2 (yourdomain is the url for your Udemy Business account)
Secret Token: This is a ‘Bearer’ token that you can generate or view inside your Udemy Business account. (go to Manage > Settings > User Access to get the Secret Token)
6. Click Test Connection to check that it’s working correctly.
Optional: You can enter an email address if you wish to receive alerts from Azure about errors.
7. In Mappings:
Check the attribute mapping:
Confirm that the required attributes below are added in the customappsso Attribute as these fields are required for SCIM provisioning to function within Udemy.
Supported attributes
| SCIM attribute | Required? | Description |
| emails[type eq "work"].value | Yes | Email of the user. Must be unique |
| userName | Yes | The userName from the IdP. Must be unique. |
| active | Yes | Flag to deactivate/reactivate users |
| externalId | Yes | The externalId of the user from IdP. Must be unique. |
|
urn:ietf:params:scim:schemas:extension: enterprise:2.0:User:employeeNumber |
Yes | Returns employeeNumber field from EnterpriseSchema and store it as external_id field. Should match the attribute you want sent to externalId. |
| name.givenName | No | Given name of user. Even though they are not required, we recommend always specifying those attributes since it’ll make it easier to identify users. |
| name.familyName | No | Family name of user. Even though they are not required, we recommend always specifying those attributes since it’ll make it easier to identify users. |
| name, { givenName, familyName } | No | Given name and family name of the user. Even though they are not required, we recommend always specifying those attributes since it’ll make it easier to identify users. |
| title | No | User’s job title, i.e. “Senior Engineer”. |
|
urn:ietf:params:scim:schemas:extension: udemy:2.0:User:licensePoolName |
No | The license pool name. |
|
group |
No | SCIM group(s) that the user belongs to. |
Confirm the attribute Switch([IsSoftDeleted], , "False", "True", "True", "False") is mapped to active which allows the deactivation of users to be passed over.
8. Scroll down to the bottom of the User Attributes Mapping and enable Show advanced options.
Select Edit attribute list for customappsso and enabled Exact case for both id and userName
9. Go back to the main provisioning setting screen:
10. Choose the Scope of how you want to sync your users and groups.
You can sync only users and groups who are assigned the Udemy Business app if you need to restrict access to certain employees or departments. Or, you can sync all users and groups if every employee is going to have access.
In order to provision more users and groups with Udemy Business access:
11. Click Users and groups
12. Click on Add User (which will give you the option to add both Users and Groups)
Select all users or the groups you want to add to the application and click Select.
Troubleshooting
In relation to Mappings:
If you experience this error when provisioning:
{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],"status":400,"detail":"{'emails': ['This field is required.']}"}
You should change the mapping of the User.
emails[type eq "work"].value needs to be mapped to userPrincipalName that is, if userPrincipalName is where the email is.
If you go to the user profile, you should be able to see which field contains the email there.
For any errors provisioning users, you can view more details by looking into the provisioning logs.
- You can obtain this log by going to the Udemy App on Azure > Provisioning > Provisioning Logs > Search for the affected user > Troubleshooting & Recommendations.
- If needed, open a support ticket and provide a screenshot of the Azure provisioning logs so we can take a look at what failed.