29. 09. 2025 Valentina Da Rold Atlassian, Development

Syncing Entra ID Groups and Members to Jira CMDB via Atlassian SCIM API: Key Lessons Learned

In a recent project, I was tasked with enabling the synchronization of Entra ID (formerly Azure AD) security groups and their members into an ITSM CMDB hosted on Jira. The objective was to ensure accurate visibility of group-to-user relationships, leveraging Atlassian’s SCIM 2.0 API capabilities.

While the goal sounds straightforward – syncing groups and users from Entra ID into Jira’s directory – there are several critical nuances in how the Atlassian SCIM API must be used. Below I’ll walk through the key steps, recommended API endpoints, and one crucial parameter you must capture during setup or risk blocking future integrations.

The APIs You’ll Need

Once SCIM provisioning is enabled for your Atlassian organization, you can interact with the directory using the endpoints provided under the SCIM 2.0 specification. The primary ones used for syncing groups and members are:

Users:

GET /scim/directory/{directoryId}/Users
POST /scim/directory/{directoryId}/Users
PATCH /scim/directory/{directoryId}/Users/{userId}

Groups:

GET /scim/directory/{directoryId}/Groups
POST /scim/directory/{directoryId}/Groups
PATCH /scim/directory/{directoryId}/Groups/{groupId}

These endpoints allow you to provision group structures and memberships from Entra ID into Jira. When syncing to the CMDB module, group membership data can later be mapped to custom objects or referenced directly, depending on the configuration.

Generating the Entra ID Token for SCIM Provisioning

When configuring provisioning in Entra ID:

  1. Add Atlassian Cloud SCIM as an enterprise application (or configure via “Provisioning” on your existing one)
  2. Set the Tenant URL (also known as Directory Base URL)
  3. Generate the Secret Token
  4. Test the connection and enable provisioning

The Most Overlooked Step: Saving the Directory Base URL

When you create the connection in Entra ID, Atlassian provides you with a Directory base URL (sometimes referred to simply as the SCIM endpoint or tenant URL). This value is shown only once during the initial setup.

You WON’T be able to retrieve it again from the Atlassian UI!
This is not obvious, and is thus often missed.

You must manually store this URL somewhere secure (e.g., a secrets vault, password manager, or configuration management system) at the moment it is provided. If you don’t, you’ll later have no way of programmatically interacting with the SCIM API, since the URL contains the directory ID and it’s required in every call.

Its typical format is:

https://api.atlassian.com/scim/directory/{directoryId}

Without this, you cannot correctly call:

/Users
/Groups

or any PATCH/POST operations.

Practical Flow for Group and Member Sync

A common pattern when importing groups into a Jira-based CMDB is:

  • Retrieve or Create Users First
    Use GET /Users to see existing accounts or POST /Users to provision new ones if needed
  • Create or Map Groups
    Call POST /Groups to provision Entra ID groups into the Atlassian directory:
    {
      "displayName": "ExampleGroup",
      "members": []
    }
  • Sync Memberships
    Use PATCH /Groups/{groupId} to attach user references:
    {
      "Operations": [
        {
          "op": "add",
          "path": "members",
          "value": [
            {
              "value": "userId-from-Users-endpoint"
            }
          ]
        }
      ],
      "schemas": [
        "urn:ietf:params:scim:api:messages:2.0:PatchOp"
      ]
    }
  • Map Data to CMDB
    Depending on your Jira CMDB implementation (Assets/Insight or similar), use automation or scripts to map group objects and memberships to custom schema objects in CMDB
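
The membership step above, as an added example (not code from the original article or from Atlassian): it validates the stored Directory base URL before any token is attached, computes the difference between current and desired members, and prepares the PATCH without sending it. The function names, the sample IDs, the Bearer header and the "remove" operation (which mirrors the article's "add" shape) are assumptions to check against Atlassian's documentation.

```python
import json
import os
import re
import urllib.request
from urllib.parse import quote

# Format given in the article: https://api.atlassian.com/scim/directory/{directoryId}
BASE_URL_RE = re.compile(r"https://api\.atlassian\.com/scim/directory/([A-Za-z0-9-]+)/?")
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def directory_id(base_url):
    """Return the directory ID, refusing any URL that is not the Atlassian SCIM
    endpoint over HTTPS, so the bearer token is never sent to another host."""
    m = BASE_URL_RE.fullmatch(base_url.strip())
    if not m:
        raise ValueError("not an Atlassian SCIM directory base URL")
    return m.group(1)


def membership_patch(current_ids, desired_ids):
    """Build one PatchOp body moving a group from current to desired members.
    Returns None when the group is already in sync, so no write is issued."""
    current, desired = set(current_ids), set(desired_ids)
    ops = []
    for op, ids in (("add", desired - current), ("remove", current - desired)):
        if ids:
            # "add" is the shape shown in the article; "remove" mirrors it (assumption).
            ops.append({"op": op, "path": "members",
                        "value": [{"value": i} for i in sorted(ids)]})
    return {"schemas": [PATCH_SCHEMA], "Operations": ops} if ops else None


def patch_request(base_url, group_id, body, token):
    """Prepare (but do not send) PATCH {base}/Groups/{groupId}."""
    directory_id(base_url)  # validate before attaching the secret
    url = f"{base_url.strip().rstrip('/')}/Groups/{quote(group_id, safe='')}"
    return urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


if __name__ == "__main__":
    # Constructed sample values; in real use read both from the secrets store.
    base = "https://api.atlassian.com/scim/directory/00000000-constructed"
    body = membership_patch(["u1", "u2"], ["u2", "u3"])
    req = patch_request(base, "g-constructed", body, os.environ.get("SCIM_TOKEN", "constructed"))
    print(req.get_method(), req.full_url, json.dumps(body))
```

Pass the prepared request to urllib.request.urlopen only after reviewing the printed body; a None result from membership_patch means the group needs no write at all.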

A Final Recommendation

If you’re integrating Entra ID groups into a Jira CMDB through SCIM, plan ahead of time to:

  • Use the SCIM /Users and /Groups endpoints for synchronization
  • Always capture the Directory base URL as soon as it appears: you cannot retrieve it later, and Atlassian support will not surface it for you again
  • Securely store both the base URL and the SCIM token in your credential management system

This one precaution will save you from having to tear down and reconfigure the entire Entra ID provisioning setup if you ever need to script or extend the sync later.

For reference, see the official Atlassian documentation.


Valentina Da Rold


Hi, I'm Valentina and I'm a Frontend Developer at Wuerth Phoenix. I started out my career applying my Cryptography skills to coding, but really quickly fell in love with the web. I have been making websites and applications since 2012 and I still can't get enough of it. Along the way I found a passion for front-end development, and I use this passion to create interfaces that solve problems. When I'm not creating beautiful solutions, I enjoy cooking or doing sport, while listening to beautiful music.
