SAML SSO Azure AD / Entra ID: User Provisioning
With SCIM protocol, admins can set up automatic user provisioning and deprovisioning for Wrike with Azure Active Directory (Azure AD) / Microsoft Entra ID (Entra ID).
Set up Wrike with the System for Cross Identity Management (SCIM) standard to automatically provision or deprovision users based on their status in Azure AD / Entra ID.
-
Automatic provisioning: Azure AD / Entra ID users are automatically provisioned for Wrike.
-
Synced user attributes: User attributes are automatically updated in Wrike when they're updated in Azure AD / Entra ID.
Note
To successfully update user attributes of account admins, the account admin who issued the API token must have the right to grant/revoke admin rights enabled.
-
Automatic deactivation: Wrike users are automatically deactivated in Wrike when they're deactivated in Azure AD / Entra ID.
This page is about integrating Wrike with Azure AD / Entra ID SCIM. We have a separate page on setting up SAML SSO to Wrike through Azure AD / Entra ID.
Note
Members added through SCIM are billable as soon as they're provisioned.
You must have permission to Configure advanced security settings in Wrike and be an Azure AD / Entra ID admin to set up Wrike with Azure AD / Entra ID SCIM. We recommend setting up SAML SSO with Azure AD / Entra ID first.
Only users from approved domains will be automatically provisioned to Wrike.
-
Open your Wrike workspace.
-
Click your profile picture in the view’s upper right-hand corner.
-
Select Apps & Integrations.
-
Click Azure AD / Entra ID in the list of apps and open the SCIM tab.
-
Scroll to the bottom of the pop-up and copy the SCIM URL. You’ll be using it in a few steps.
-
Close the Azure AD / Entra ID pop-up (but stay in Wrike) and move to Step 3.
-
Click API from the left-hand side of the Apps & Integrations page.
-
Enter a name in the App name field (we suggest Azure AD / Entra ID SCIM).
-
Click Create new.
-
(Optional) Add an app description.
-
Scroll to the bottom of the page and click Create Token.
-
Enter your password and click Obtain token.
-
Copy the token and save it somewhere. You’ll need to enter this information in Azure AD / Entra ID.
Important
You’re only shown your token once, so make sure you save it before moving on to the next steps.
-
Click Save.
-
Sign in to your Azure AD / Entra ID domain at <yourorganization>.Azure AD / Entra ID.com.
-
Click Enterprise applications on the left.
-
Find and select Wrike.
-
Select Provisioning from the menu panel on the left.
-
Under the Provisioning Mode menu, select Automatic.
-
Scroll down to the Admin Credentials section.
-
In the field next to Tenant URL, paste the base URL that you copied in Step 2.
-
In the field next to Secret Token, paste the token you copied in Step 3.
-
Click the Test connection button to confirm that all your settings are correct.
-
If the test is successful, click the Save button at the top of the window. If not, double-check your settings or contact Wrike Support for help.
-
Go to the Edit provisioning tab and click the Edit provisioning button.
-
Scroll down to the Settings section.
-
In the Scope drop-down menu, select which events you want to synchronize between Wrike and Azure: Sync only assigned users and groups or Sync all users and groups.
Note
Make sure that all relevant users and groups are assigned to Wrike’s app.
Selecting Sync all users and groups is not recommended in most cases as it will sync all users in the directory to Wrike, regardless of whether they have been assigned to the enterprise app or to a group that is assigned to it.
-
Set the provisioning status to On.
-
Click Save at the top of the window to start the provisioning service.
The following attributes are synced from Azure AD / Entra ID to Wrike:
-
Username
-
Given name
-
Family name
-
Primary email
-
Job title
-
Primary phone number
-
Organization name
-
Department
-
Wrike user type
Note
Specifying the Wrike user type (Regular, External, and Collaborator) is a custom attribute. By default, Regular users are created.
If certain user attributes (e.g., phone number, department, or secondary emails) are filled in Wrike but missing in Azure AD / Entra ID, the information remains in Wrike even after user provisioning.
If a user doesn't get provisioned or deprovisioned:
-
Check the System Log in the Azure AD / Entra ID administration portal to see if a SCIM provisioning attempt is listed there.
-
If there is no provisioning attempt listed, make sure that users are properly assigned to Wrike’s application in Azure AD / Entra ID.
-
If an error is listed, please contact our Support Team and provide error details.
-