Microsoft Entra ID SCIM Mapping issues.

kona
Tera Contributor

Anyone have success recently attempting to utilize the SCIM Extension Schema to accommodate custom fields in your organization? 

 

The specific questions are:

  1. How can I map manager over successfully using SCIM? It didn't work when mapped through schema urn:ietf:params:scim:schemas:extension:enterprise:2.0:User and I don't understand enough about Azure to know if I mapped it incorrectly on their side through schema urn:ietf:params:scim:schemas:extension:servicenow:2.0:User or if it's not supported. urn:ietf:params:scim:schemas:extension:servicenow:custom:2.0:User is not supported, according to my Microsoft support ticket.
  2. If I cannot map using existing schemas, how do you extract attribute values from a complex attribute like manager in the Azure Expression? I probably can manage by setting sys_user.correlation_id to the ID value from Azure [manager] if that's what it is.

 

There's a comment on SCIM Provisioning from Microsoft Entra ID that says 

 

<<

ServiceNow's native SCIM capability does not support the Enterprise User extension

"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

 

Instead, ServiceNow offers 2 specific extensions for User and Groups:

    "urn:ietf:params:scim:schemas:extension:servicenow:2.0:User",
    "urn:ietf:params:scim:schemas:core:2.0:User"

[...]

I have found that these can be problematic in some cases. If you run into challenges, consider overlaying the value needed onto a core User or Group schema attribute, e.g. use the Home Address attributes to pass values through the SCIM process.

 

>>

 

I've overlaid the values I can into password, but I need to map Manager, which is a complex attribute type with an ID that doesn't match what I need, and am unable to grab the Manager value I need to be able to place it appropriately in the Manager sys_user reference field.

 

Expression mapping into password as a placeholder field to parse out later: Join("||", Join("", [country], [extensionAttributeX]), [extensionAttributeY], [manager] )

The details come over as: "password":"USXXXXXX||YYYYYYY||122aa2aa-a222-22a2-2222-2aaa2a2a2222" (obfuscated).


Anoop8
Tera Contributor

1. Add schema extension.
Example: 

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:Schema"
  ],
  "id": "urn:ietf:params:scim:schemas:extension:servicenow:custom:2.0:User",
  "name": "MyCustomUser",
  "description": "My schema for User Account",
  "attributes": [
    {
      "name": "xxx_manager_email",
      "type": "string",
      "multiValued": false,
      "description": "Manager email address.",
      "required": false,
      "caseExact": false,
      "mutability": "readWrite",
      "returned": "default",
      "uniqueness": "none"
    }
  ]
}
2. Extract manager email - add/update the mapping for the new field (SCIM ETL Definition -> SCIM User -> scim-user):

Manager = custom.xxx_manager_email

3. Transform data - navigate back to the 'user' ETL entity (SCIM ETL Definition -> SCIM User -> user).
Create a new "Robust Transform Engine Entity Operation" using a script.
Example - "Manager Transformation"
Source Field - Manager
Destination Field - Manager
Script sample:

(function(batch, output) {
  // batch[i].input holds the manager e-mail mapped from custom.xxx_manager_email;
  // output[i] receives the matching sys_user sys_id (left unset when no user matches)
  for (var i = 0; i < batch.length; i++) {
    var managerEmail = batch[i].input;
    var user = new GlideRecord('sys_user');
    user.addQuery('email', managerEmail);
    user.query();
    if (user.next()) {
      output[i] = user.getUniqueValue();
    }
  }
})(batch, output);


---------------- Using Postman -------------- 

POST
https://instance.service-now.com/api/now/scim/Users

BODY example:

{
  "schemas": [
    "urn:ietf:params:scim:schemas:extension:servicenow:2.0:User",
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:servicenow:custom:2.0:User"
  ],
  "title": "Tech Arc",
  "active": true,
  "emails": [
    {
      "type": "work",
      "value": "1_12anoop12@abc.com"
    }
  ],
  "name": {
    "familyName": "SCIM TEST",
    "givenName": "Anoop SCIM GN 01",
    "honorificPrefix": "Mr",
    "middleName": "MN"
  },
  "phoneNumbers": [
    {
      "type": "mobile",
      "value": "0444444444"
    }
  ],
  "userName": "scim_an_05",
  "urn:ietf:params:scim:schemas:extension:servicenow:custom:2.0:User": {
    "xxx_manager_email": "anoop.manager@example.com"
  },
  "urn:ietf:params:scim:schemas:extension:servicenow:2.0:User": {
    "gender": "Male",
    "employeeNumber": "an_test"
  }
}
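As an added example (not code from this thread or from ServiceNow), the block below parses the placeholder value that the Join("||", ...) expression in the question writes into the password attribute and resolves the manager part to a sys_user sys_id in the same batch/output shape as the RTE script above, with the sys_user table replaced by an in-memory array so it runs outside ServiceNow. It assumes the manager part is the Entra object id stored in sys_user.correlation_id (the approach proposed in question 2) and that the country code is two letters; the sample records are constructed.

```javascript
// Added example, not from the thread: parse the "||"-joined placeholder and resolve the
// manager id to a sys_user sys_id. Assumptions: manager part = Entra object id kept in
// sys_user.correlation_id; country is the first two characters of the first part.

// Constructed stand-in for the sys_user table (ids and sys_ids are made up).
var SAMPLE_SYS_USER = [
  { sys_id: "6816f79cc0a8016401c5a33be04be441", email: "boss@example.com",
    correlation_id: "122aa2aa-a222-22a2-2222-2aaa2a2a2222" },
  { sys_id: "5137153cc611227c000bbd1bd8cd2005", email: "other@example.com",
    correlation_id: "9d8c7b6a-5f4e-3d2c-1b0a-998877665544" }
];

var GUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Split "USXXXXXX||YYYYYYY||<guid>" back into its parts. Returns null when the layout is
// not the one the expression produces, so a stray value is never used as a manager key.
function parsePlaceholder(value) {
  if (typeof value !== "string") { return null; }
  var parts = value.split("||");
  if (parts.length !== 3) { return null; }
  return {
    country: parts[0].slice(0, 2),
    extensionAttributeX: parts[0].slice(2),
    extensionAttributeY: parts[1],
    managerId: GUID_RE.test(parts[2]) ? parts[2].toLowerCase() : ""
  };
}

// Resolve the Entra object id through correlation_id (the GlideRecord lookup in the RTE
// script, done against the in-memory table). Returns "" when missing or ambiguous, so the
// reference field is not set from a guess.
function resolveManager(managerId, directory) {
  if (!managerId) { return ""; }
  var hits = directory.filter(function (u) {
    return (u.correlation_id || "").toLowerCase() === managerId;
  });
  return hits.length === 1 ? hits[0].sys_id : "";
}

// RTE-style batch operation: batch[i].input is the placeholder, output[i] the manager sys_id.
function transformManagerBatch(batch, output, directory) {
  for (var i = 0; i < batch.length; i++) {
    var parsed = parsePlaceholder(batch[i].input);
    output[i] = parsed ? resolveManager(parsed.managerId, directory) : "";
  }
  return output;
}
```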
Could you please clarify the exact steps to map manager from Microsoft Entra ID to the sys_user.manager reference in ServiceNow using SCIM?

  1. On the Entra side: which attribute are you sending for manager (OID, objectId, userPrincipalName, or full SCIM manager object)? Please share your attribute mapping and a sample PATCH/POST payload.

  2. On the ServiceNow side: which schema path do you expect? Core vs Enterprise extension (urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:manager)? If you use a custom extension, what is the full attribute path?

  3. How do you resolve a string identifier to the ServiceNow sys_user record? Do you rely on a lookup key (e.g., email or u_external_id) and a pre-map/transform to fetch sys_id, or do you pass a SCIM reference object that contains the sys_id?

  4. Which tables and fields should be touched end-to-end? I believe: sys_user.manager (reference to sys_user). Please confirm any staging tables or SCIM ETL entities you use.

  5. Can you confirm whether your proposed approach is correct: Entra sends manager key → SN resolves to sys_id → BR/ETL maps to sys_user.manager without overwriting when empty? If yes, please share the exact mapping rules and any “copy empty fields” safeguards.

Thanks in advance—step-by-step instructions with concrete attribute names, sample JSON, and screenshots of both Entra and ServiceNow mappings would be ideal.