SCIM (System for Cross-domain Identity Management) automates the Zoom user lifecycle from Microsoft Entra ID. When someone joins your organization and is added to the right Entra ID group, they automatically get a Zoom account. When they leave or are removed from the group, their Zoom account is deactivated. No manual account creation, no forgotten orphan accounts, no help desk tickets for Zoom access.
This guide assumes you’ve already set up SSO between Zoom and Entra ID. SCIM works alongside SSO — SSO handles authentication, SCIM handles provisioning. You can set them up independently, but most organizations configure both.
What SCIM Does Once Configured
When a user is assigned to the Zoom app in Entra ID:
- Entra ID’s provisioning service detects the assignment (within its sync cycle, typically 40 minutes).
- It sends a SCIM POST to Zoom’s API, creating a new Zoom account.
- The account is created with the user’s name, email, and department from Entra ID.
- The user receives a Zoom welcome email (if enabled) or can simply sign in via SSO.
When a user is removed from the Zoom app in Entra ID:
- Entra ID detects the removal during its next sync cycle.
- It sends a SCIM PATCH to Zoom, setting the account to inactive.
- The user’s Zoom account is deactivated; they can no longer sign in.
- Their meetings, recordings, and settings are preserved (not deleted).
When a user’s attributes change in Entra ID:
- If a user’s name, email, or department changes in Entra, the change syncs to Zoom.
- Their Zoom profile updates automatically — no manual editing needed.
Prerequisites
- Zoom SSO with Entra ID configured (recommended but not strictly required)
- Zoom Business, Enterprise, or Education plan
- Entra ID Premium P1 or P2 (required for automatic provisioning — included in Microsoft 365 E3/E5)
- Admin access to both the Azure portal and the Zoom web portal
Step 1: Generate a SCIM Token in Zoom
- Sign in to the Zoom web portal as an admin.
- Go to Advanced > Single Sign-On.
- Scroll to the SCIM section.
- Click Enable SCIM if not already enabled.
- Click Generate Token.
- Copy this token immediately — you won’t be able to see it again. Store it securely.
Important: This token expires after 1 year. Set a calendar reminder to regenerate it before expiry, or the sync will silently stop working.
Step 2: Configure Provisioning in Entra ID
- Sign in to the Azure portal.
- Go to Entra ID > Enterprise Applications > Zoom Meetings (the same app you created for SSO).
- Click Provisioning in the left sidebar.
- Set Provisioning Mode to Automatic.
Admin Credentials
| Field | Value |
|---|---|
| Tenant URL | https://api.zoom.us/scim |
| Secret Token | Paste the SCIM token from Step 1 |
- Click Test Connection. You should see “The supplied credentials are authorized to enable provisioning.” If not, verify the token and URL.
Step 3: Configure Attribute Mappings
User Attribute Mappings
Click Mappings > Provision Azure Active Directory Users. Verify these mappings:
| Entra ID Attribute | Zoom SCIM Attribute | Notes |
|---|---|---|
| userPrincipalName | userName | Unique identifier, usually email format |
| mail | emails[type eq "work"].value | User’s email address |
| givenName | name.givenName | First name |
| surname | name.familyName | Last name |
| displayName | displayName | Full display name |
| department | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department | Department (optional) |
| Switch([IsSoftDeleted], , "False", "True", "True", "False") | active | Maps Entra user status to Zoom active/inactive |
Tip: If your userPrincipalName doesn’t match users’ email addresses (e.g., UPN is jsmith@corp.local but email is jane.smith@company.com), map userName to mail instead of userPrincipalName.
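The create and deactivate messages that these mappings produce, written out as an added example (not code from Entra ID, Zoom, or the original guide). The function names and the sample user are hypothetical, and the bodies follow the SCIM 2.0 schema (RFC 7643/7644) rather than a captured Entra request.

```python
import json

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample record; the addresses are the ones used in the tip above.
SAMPLE_USER = {
    "userPrincipalName": "jsmith@corp.local",
    "mail": "jane.smith@company.com",
    "givenName": "Jane", "surname": "Smith", "displayName": "Jane Smith",
    "department": "Sales", "IsSoftDeleted": False,
}


def active_from_soft_deleted(is_soft_deleted):
    """For True/False input, same result as the Switch([IsSoftDeleted], ...) mapping."""
    return str(is_soft_deleted).strip().lower() != "true"


def build_create_body(user, username_source="userPrincipalName"):
    """SCIM POST body for a new user, following the mapping table.

    Pass username_source="mail" when the UPN is not the user's email address.
    """
    body = {
        "schemas": [CORE],
        "userName": user[username_source],
        "emails": [{"type": "work", "value": user["mail"]}],
        "name": {"givenName": user["givenName"], "familyName": user["surname"]},
        "displayName": user["displayName"],
        "active": active_from_soft_deleted(user["IsSoftDeleted"]),
    }
    if user.get("department"):  # optional mapping, carried in the enterprise extension
        body["schemas"].append(ENTERPRISE)
        body[ENTERPRISE] = {"department": user["department"]}
    return body


def build_deactivate_body():
    """SCIM PATCH body that sets the account inactive (RFC 7644 PatchOp)."""
    return {"schemas": [PATCH_OP],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


if __name__ == "__main__":
    print(json.dumps(build_create_body(SAMPLE_USER, "mail"), indent=2))
    print(json.dumps(build_deactivate_body(), indent=2))
```

With the default mapping the sample user would be created in Zoom as jsmith@corp.local, which is the mismatch the tip warns about.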
Group Attribute Mappings (Optional)
Click Mappings > Provision Azure Active Directory Groups. This syncs Entra groups to Zoom groups:
| Entra ID Attribute | Zoom SCIM Attribute |
|---|---|
| displayName | displayName |
| members | members |
Enable group provisioning if you want to use Zoom’s group-based settings (e.g., different meeting policies per department).
Step 4: Configure Scope and Filters
Under Settings:
Scope
Choose who gets provisioned:
| Option | What It Does | Recommended For |
|---|---|---|
| Sync only assigned users and groups | Only users/groups explicitly assigned to the Zoom app get provisioned | Most organizations — gives you control |
| Sync all users and groups | Every user in Entra ID gets a Zoom account | Only if everyone in your org needs Zoom |
Recommendation: Use “Sync only assigned users and groups” and manage access through Entra group assignment. This prevents accidental over-provisioning.
Scoping Filters (Optional)
Add filters to further restrict who gets provisioned:
- Only provision users with a specific department (e.g., department EQUALS "Sales")
- Only provision users with a specific job title pattern
- Exclude service accounts or shared mailboxes
Step 5: Assign Users and Groups
- Go to Enterprise Applications > Zoom Meetings > Users and groups.
- Click Add user/group.
- Assign a security group that contains everyone who should have Zoom access (e.g., “Zoom Licensed Users”).
- Click Assign.
Best practice: Create an Entra security group specifically for Zoom provisioning. Membership in this group = gets a Zoom account. This makes it easy to audit and manage.
Step 6: Start Provisioning
- Go back to Provisioning.
- Set Provisioning Status to On.
- Click Save.
Entra ID will begin the initial provisioning cycle — processing all assigned users. This first sync can take anywhere from 20 minutes to several hours depending on user count.
Monitor Progress
- Go to Provisioning > Provisioning logs.
- You’ll see entries for each user processed:
  - Success: user created in Zoom
  - Skipped: user already exists or doesn’t match scope
  - Failure: error creating user (see error details)
Controlling Zoom License Types
SCIM doesn’t manage Zoom license tiers. Here’s how to control what license new users get:
Option 1: Default License (Simple)
- In the Zoom admin portal, go to Account Management > Account Settings.
- Set the Default user type for new accounts (Basic or Licensed).
- All SCIM-provisioned users will get this default license.
- Manually upgrade specific users to higher tiers (Zoom Phone, etc.) as needed.
Option 2: Group-Based Licensing (Scalable)
- Create Zoom groups that correspond to license tiers:
  - “Zoom Basic Users” → Basic license
  - “Zoom Licensed Users” → Licensed (Pro) plan
  - “Zoom Phone Users” → Licensed + Zoom Phone add-on
- Enable SCIM group provisioning (Step 3 above).
- Map Entra ID groups to these Zoom groups:
  - Entra group “Sales Team” → Zoom group “Zoom Phone Users”
  - Entra group “All Employees” → Zoom group “Zoom Licensed Users”
- In Zoom, configure each group to auto-assign the appropriate license tier.
Warning: If your Zoom account has a limited number of licensed seats, monitor your allocation after enabling SCIM. Users provisioned beyond your seat count may default to Basic even if you intended them to be Licensed.
Testing
Test User Provisioning
- Assign a test user to the Zoom enterprise app in Entra ID.
- Go to Provisioning > click Provision on demand.
- Search for the test user > click Provision.
- Entra ID will immediately attempt to create the user in Zoom.
- Verify the user appears in the Zoom admin portal under User Management > Users.
Test User Deprovisioning
- Remove the test user from the Zoom enterprise app assignment in Entra ID.
- Trigger an on-demand provision or wait for the next sync cycle.
- Verify the user’s Zoom account shows as Deactivated in the Zoom admin portal.
Test Attribute Updates
- Change the test user’s department in Entra ID.
- Wait for the next sync cycle or trigger on-demand provisioning.
- Verify the department updated in the user’s Zoom profile.
Common Issues
- “Request is unparsable” errors in provisioning logs — Usually a SCIM token issue. Regenerate the token in the Zoom admin portal and update it in Entra ID’s provisioning configuration.
- Users provisioned but can’t sign in — SCIM creates accounts, but SSO must be configured separately for users to sign in with Microsoft credentials. If SSO isn’t set up, users need to set a Zoom password. See our SSO setup guide.
- License changes not syncing — SCIM doesn’t manage license tiers. Change licenses in the Zoom admin portal or use group-based licensing (see above).
- Deprovisioned user still active in Zoom — The incremental sync runs every 40 minutes. Check the provisioning logs — if the deprovisioning action hasn’t run yet, wait for the next cycle. You can also trigger on-demand provisioning for the specific user.
- Duplicate users in Zoom — This happens when a user already has a Zoom account (e.g., created with a personal email) and SCIM tries to create another. Check for email mismatches — the user’s Entra email must match their existing Zoom email. Merge or delete the duplicate manually in the Zoom admin portal.
- SCIM token expired — Tokens expire after 1 year. If provisioning suddenly stops working with authentication errors, regenerate the token in Zoom and update it in Entra ID. Set a calendar reminder for 11 months to avoid surprises.
- Group sync not working — Verify that group provisioning is enabled in the attribute mappings. Also check that the group is assigned to the Zoom enterprise app (not just the users within the group). Both the group and its members must be in scope.
- Too many users provisioned — If you chose “Sync all users and groups” instead of “Sync only assigned users and groups,” every directory user gets a Zoom account. Switch to the assigned-only scope and clean up unwanted accounts in Zoom.
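A reconciliation check for the orphaned, duplicate, and unprovisioned accounts described above, as an added example that is not part of the original guide. It assumes you have exported the assigned Entra users and the Zoom user list into the dictionaries shown; the field names, status values, and sample records are constructed.

```python
def norm(addr):
    """Compare addresses case-insensitively and without stray whitespace."""
    return addr.strip().lower()


def audit(entra_assigned, zoom_users):
    """Compare in-scope Entra users with the accounts that exist in Zoom."""
    zoom_status = {norm(z["email"]): z["status"] for z in zoom_users}
    known = set()
    duplicates, not_provisioned = [], []
    for user in entra_assigned:
        # A user may exist in Zoom under either identifier (see the UPN/mail tip).
        ids = {norm(user["mail"]), norm(user["userPrincipalName"])}
        known |= ids
        present = sorted(i for i in ids if i in zoom_status)
        if len(present) > 1:
            duplicates.append(tuple(present))          # two Zoom accounts, one person
        elif not present:
            not_provisioned.append(norm(user["mail"]))  # assigned, but never created
    # Active in Zoom but not assigned in Entra: deprovisioning missed or never in scope.
    orphaned = sorted(e for e, s in zoom_status.items()
                      if s == "active" and e not in known)
    return {"orphaned": orphaned,
            "duplicates": sorted(duplicates),
            "not_provisioned": sorted(not_provisioned)}


# Constructed sample data.
ENTRA_ASSIGNED = [
    {"userPrincipalName": "alice@company.com", "mail": "alice@company.com"},
    {"userPrincipalName": "jsmith@corp.local", "mail": "jane.smith@company.com"},
    {"userPrincipalName": "bob@company.com", "mail": "Bob@company.com"},
]
ZOOM_USERS = [
    {"email": "alice@company.com", "status": "active"},
    {"email": "jane.smith@company.com", "status": "active"},
    {"email": "jsmith@corp.local", "status": "active"},
    {"email": "carol@company.com", "status": "active"},
    {"email": "dave@company.com", "status": "inactive"},
]

if __name__ == "__main__":
    for finding, accounts in audit(ENTRA_ASSIGNED, ZOOM_USERS).items():
        print(finding, accounts)
```

Run it after the initial sync and again after each token rotation; a non-empty orphaned list means an account survived removal from the assignment group.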