All articles

SAML SSO Azure AD / Entra ID: User Provisioning

TL;DR

Wrike supports SCIM with Azure AD / Microsoft Entra ID to automatically provision, update, and deactivate users. To set it up, add approved domains in Wrike, copy the SCIM URL, create and save an API token, then enter both in Azure’s Provisioning settings and turn provisioning on. Users provisioned through SCIM are billable right away.

Table 17. Availability - Legacy plans

Free Professional Business Enterprise


 

Availability: Legacy Enterprise.; Unavailability: Legacy Free, Legacy Professional, Legacy Business.;

Table 18. Availability

Free Team Business Pinnacle Apex


 

Availability: Pinnacle, Apex. ; Unavailability: Free, Team, Business;

Overview

With SCIM protocol, admins can set up automatic user provisioning and deprovisioning for Wrike with Azure Active Directory (Azure AD) / Microsoft Entra ID (Entra ID).

Set up Wrike with the System for Cross Identity Management (SCIM) standard to automatically provision or deprovision users based on their status in Azure AD / Entra ID.

  • Automatic provisioning: Azure AD / Entra ID users are automatically provisioned for Wrike.

  • Synced user attributes: User attributes are automatically updated in Wrike when they're updated in Azure AD / Entra ID.

    Note

    To successfully update user attributes of account admins, the account admin who issued the API token must have the right to grant/revoke admin rights enabled.

  • Automatic deactivation: Wrike users are automatically deactivated in Wrike when they're deactivated in Azure AD / Entra ID.

This page is about integrating Wrike with Azure AD / Entra ID SCIM. We have a separate page on setting up SAML SSO to Wrike through Azure AD / Entra ID.

Note

Members added through SCIM are billable as soon as they're provisioned.

Set up Wrike with Azure AD / Entra ID SCIM

You must have permission to Configure advanced security settings in Wrike and be an Azure AD / Entra ID admin to set up Wrike with Azure AD / Entra ID SCIM. We recommend setting up SAML SSO with Azure AD / Entra ID first.

Step 1: Add approved domains

  1. Add approved domains.

Only users from approved domains will be automatically provisioned to Wrike.

Step 2: Find and note the SCIM URL

  1. Open your Wrike workspace.
  2. Click your profile picture in the view’s upper right-hand corner.
  3. Select Apps & Integrations.
  4. Click Azure AD / Entra ID in the list of apps and open the SCIM tab.
  5. Scroll to the bottom of the pop-up and copy the SCIM URL. You’ll be using it in a few steps.
  6. Close the Azure AD / Entra ID pop-up (but stay in Wrike) and move to Step 3.

Step 3: Obtain the OAUTH token

  1. Click API from the left-hand side of the Apps & Integrations page.
  2. Enter a name in the App name field (we suggest Azure AD / Entra ID SCIM).
  3. Click Create new.
  4. (Optional) Add an app description.
  5. Scroll to the bottom of the page and click Create Token.
  6. Enter your password and click Obtain token.

  7. Copy the token and save it somewhere. You’ll need to enter this information in Azure AD / Entra ID.

    Important

    You’re only shown your token once, so make sure you save it before moving on to the next steps.

  8. Click Save.

Step 4: Finalize the setup from Azure AD / Entra ID

  1. Sign in to your Azure AD / Entra ID domain at <yourorganization>.Azure AD / Entra ID.com.
  2. Click Enterprise applications on the left.
  3. Find and select Wrike.
  4. Select Provisioning from the menu panel on the left.
  5. Under the Provisioning Mode menu, select Automatic.
  6. Scroll down to the Admin Credentials section.
  7. In the field next to Tenant URL, paste the base URL that you copied in Step 2.
  8. In the field next to Secret Token, paste the token you copied in Step 3.
  9. Click the Test connection button to confirm that all your settings are correct.
  10. If the test is successful, click the Save button at the top of the window. If not, double-check your settings or contact Wrike Support for help.
  11. Go to the Edit provisioning tab and click the Edit provisioning button.
  12. Scroll down to the Settings section.

  13. In the Scope drop-down menu, select which events you want to synchronize between Wrike and Azure: Sync only assigned users and groups or Sync all users and groups.

    Note

    Make sure that all relevant users and groups are assigned to Wrike’s app.

    Selecting Sync all users and groups is not recommended in most cases as it will sync all users in the directory to Wrike, regardless of whether they have been assigned to the enterprise app or to a group that is assigned to it.

  14. Set the provisioning status to On.
  15. Click Save at the top of the window to start the provisioning service.

Synced attributes

The following attributes are synced from Azure AD / Entra ID to Wrike:

  • Username
  • Given name
  • Family name
  • Primary email
  • Job title
  • Primary phone number
  • Organization name
  • Department

  • Wrike user type

    Note

    Specifying the Wrike user type (Regular, External, Collaborator, Contributor and Viewer) is a custom attribute. By default, Regular users are created.

Troubleshooting

Missing attributes

If certain user attributes (e.g., phone number, department, or secondary emails) are filled in Wrike but missing in Azure AD / Entra ID, the information remains in Wrike even after user provisioning.

User provisioning/deprovisioning

If a user doesn't get provisioned or deprovisioned:

  • Check the System Log in the Azure AD / Entra ID administration portal to see if a SCIM provisioning attempt is listed there.

    • If there is no provisioning attempt listed, make sure that users are properly assigned to Wrike’s application in Azure AD / Entra ID.
    • If an error is listed, please contact our Support Team and provide error details.

Custom Attributes Provisioning

Step 1: Create User Custom Field in Wrike

  1. Go to: https://www.wrike.com/accounts.htm#account/groups
  2. Click + to create a new User Custom Field.
  3. Save the field.

Step 2: Get Custom Field ID

Call Wrike Public API

curl --location --globoff \
'https://www.wrike.com/api/v4/customfields?applicableEntityTypes=[User]' \
--header 'Authorization: Bearer YOUR_TOKEN'

Response example:

{
  "data": [
    {
      "id": "IEAGWMBBJUAK4G7J",
      "title": "Completed Induction",
...
    }
  ]
}

Note:

  • id
  • title

Normalize title:

  • Replace spaces with _
  • Remove special characters

Step 3: Enable Schema Editing in Entra

Step 4: Add Custom Attribute

  1. Go to: Enterprise Applications → Wrike → Provisioning
  2. Click Attribute Mapping
  3. Show Advanced Options
  4. Edit attribute list for Wrike
  5. Add new attribute (Check section 1.1 User Custom Attribute Mapping to format the attribute properly):
urn:ietf:params:scim:schemas:extension:wrike:2.0:User:IEAGWMBBJUAK4G7J_Completed_Induction

Type:

  • String (or match Wrike field type)

Save.

Step 5: Map Attribute

  1. Go to Add New Mapping
  2. Source attribute → choose Entra field (e.g., extensionAttribute1)
  3. Target attribute → select newly added SCIM attribute
  4. Save

Provisioning will push values automatically.

Group Provisioning

Important

  • The official Microsoft Entra ID gallery application for Wrike currently does not support Group provisioning.
  • Right now to provision groups into Wrike, you must create a custom Enterprise Application instead of using the Wrike gallery app.

Create a Custom Enterprise Application

  1. Log in to the Azure portal: https://portal.azure.com
  2. Navigate to: Microsoft Entra ID → Enterprise Applications
  3. Click New Application
  4. This opens the Microsoft Entra App Gallery.
  5. Instead of searching for Wrike, click: Create your own application (top-left corner)

  6. Enter a name for the application

    Example: Wrike SCIM Provisioning with Group

  7. Select: Integrate any other application you don't find in the gallery (Non-gallery)
  8. Click Create

This creates a custom enterprise application that supports SCIM provisioning including groups.

Configure SCIM Provisioning

  1. Open the newly created application.
  2. Navigate to: Provisioning
  3. Set Provisioning Mode to: Automatic
  4. Configure the SCIM connection as described in official guide: https://help.wrike.com/hc/en-us/articles/360046791773-SAML-SSO-Azure-AD-Entra-ID-User-Provisioning

This establishes the provisioning connection between Entra ID and Wrike.

Assign Groups to the Application

Group provisioning only occurs for groups assigned to the application.

  1. Navigate to: Enterprise Application → Users and Groups
  2. Click: Add assignment
  3. Click: Add assignmentSelect the groups you want provisioned to Wrike.
  4. Click Assign
Start Provisioning
  1. Return to: Provisioning
  2. Toggle: Provisioning Status → On
  3. Click Save

The provisioning service will begin syncing users and groups.

Typical behavior:

Action in Entra Result in Wrike
Group assigned Group created in Wrike
User added to group Membership added
User removed Membership removed
Group removed Group removed or disabled

Provisioning cycles typically run every 20–40 minutes.

What's next?

Top

Related articles