
Automate user provisioning with SCIM 2.0

SCIM description modification test

Updated today

SCIM (System for Cross-domain Identity Management) 2.0 allows you to automatically provision, update, and deprovision Modjo users directly from your identity provider (IdP). This feature is designed for IT admins managing large teams who want to centralize user lifecycle management.

Prerequisites

  • Permissions: You must be a Modjo admin and have admin access to your identity provider.

  • Plan: SCIM provisioning requires a SCIM-enabled plan (contact your Modjo account manager to confirm availability).

  • No duplicate emails: Ensure no duplicate email addresses exist in Modjo before enabling SCIM.

  • Compatible IdP: Modjo supports SCIM 2.0 with Okta, Azure AD (Entra ID), Google Workspace, JumpCloud, OneLogin, Rippling, and YesHID.

What SCIM handles automatically

  • User creation: New users assigned to Modjo in your IdP are automatically created in Modjo.

  • User updates: Changes to user attributes (name, email, phone, title, timezone) are synced automatically.

  • User deactivation: When a user is unassigned or deactivated in your IdP, they are automatically deactivated in Modjo.

What remains manual in Modjo

SCIM does not manage the following. You must configure these manually in Modjo after users are provisioned:

  • Roles: User, Admin, Analyst (assign in Settings → Users)

  • Team assignments: Which team(s) a user belongs to

  • Recording licenses: Whether a user has an active recording license

  • CRM account linking: Association with Salesforce/HubSpot accounts

Step 1: Generate your SCIM token in Modjo

  1. In Modjo, go to Settings → Security → SCIM Provisioning.

  2. Click Generate SCIM Token.

  3. Copy the token and the SCIM Base URL (e.g., https://api.modjo.ai/scim/v2).

⚠️ Save the token securely: it won't be shown again. If you lose it, you'll need to generate a new one (which will invalidate the previous token).

Step 2: Configure SCIM in your identity provider

General process (all IdPs)

  1. In your IdP admin console, locate the Modjo application (or create a custom SCIM 2.0 app if Modjo isn't listed).

  2. Enable SCIM provisioning.

  3. Enter the SCIM Base URL and API Token from Step 1.

  4. Configure attribute mapping (see table below).

  5. Enable provisioning features: Create Users, Update User Attributes, Deactivate Users.

  6. Assign users or groups to the Modjo app to trigger provisioning.

IdP-specific guides

Okta

  1. Go to Applications → Modjo → Provisioning.

  2. Click Configure API Integration.

  3. Enter the SCIM Base URL and token, then click Test API Credentials.

  4. Enable: Create Users, Update User Attributes, Deactivate Users.

  5. Under Attribute Mappings, map Okta attributes to Modjo SCIM attributes (see table below).

  6. Assign users/groups to the Modjo app.

Azure AD (Entra ID)

  1. Go to Enterprise Applications → Modjo → Provisioning.

  2. Set Provisioning Mode to Automatic.

  3. Enter the SCIM Base URL in Tenant URL and the token in Secret Token.

  4. Click Test Connection, then Save.

  5. Under Mappings, configure attribute mappings (see table below).

  6. Set Provisioning Status to On.

  7. Assign users/groups to the Modjo app.

Google Workspace

  1. Go to Apps → Web and mobile apps → Add custom SCIM app.

  2. Enter Modjo as the app name.

  3. Enter the SCIM Base URL and token.

  4. Map Google Workspace attributes to Modjo SCIM attributes (see table below).

  5. Turn on provisioning and assign users/groups.

Step 3: Configure attribute mapping

Map your IdP attributes to Modjo's SCIM attributes. Below is the reference table:

| Modjo SCIM Attribute | Required? | Description | Okta Default | Azure AD Default |
| --- | --- | --- | --- | --- |
| userName | ✅ Yes | User's email (must be unique) | user.email | userPrincipalName |
| name.givenName | ✅ Yes | First name | user.firstName | givenName |
| name.familyName | ✅ Yes | Last name | user.lastName | surname |
| displayName | No | Full display name | user.displayName | displayName |
| phoneNumbers[type eq "work"].value | No | Work phone number | user.primaryPhone | telephoneNumber |
| title | No | Job title | user.title | jobTitle |
| timezone | No | User timezone (IANA format, e.g., Europe/Paris) | user.timezone | preferredLanguage |
| active | ✅ Yes | User status (true/false) | user.status | accountEnabled |
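
A pre-flight check for the mapping above, as an added example (not Modjo's or any IdP's code): it validates an IdP user export against the required attributes, the IANA timezone format and the no-duplicate-email prerequisite, then builds the SCIM 2.0 User payload each valid row would produce. The row keys are named after the Okta defaults in the table; matching emails case-insensitively and checking timezones by shape only are assumptions.

```python
import re

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# Shape check only ("Area/Location" or "UTC"); not a tz database lookup.
IANA_SHAPE = re.compile(r"^(UTC|[A-Za-z_]+(/[A-Za-z0-9_+-]+)+)$")

def to_scim_user(row):
    """Map one export row (keys named after the Okta defaults) to a SCIM User."""
    user = {
        "schemas": [USER_SCHEMA],
        "userName": row["email"].strip(),
        "name": {"givenName": row["firstName"], "familyName": row["lastName"]},
        "active": row["active"],
    }
    for attr in ("displayName", "title", "timezone"):
        if row.get(attr):
            user[attr] = row[attr]
    if row.get("primaryPhone"):
        user["phoneNumbers"] = [{"type": "work", "value": row["primaryPhone"]}]
    return user

def preflight(rows):
    """Return (payloads, errors); a row with any problem yields no payload."""
    seen, payloads, errors = {}, [], []
    for i, row in enumerate(rows):
        problems = [f"missing {k}" for k in ("email", "firstName", "lastName")
                    if not str(row.get(k) or "").strip()]
        if not isinstance(row.get("active"), bool):
            problems.append("active must be true/false")
        tz = row.get("timezone")
        if tz and not IANA_SHAPE.match(tz):
            problems.append(f"timezone {tz!r} is not IANA format")
        key = str(row.get("email") or "").strip().lower()  # assumption: case-insensitive match
        if key and key in seen:
            problems.append(f"duplicate email, also row {seen[key]}")
        elif key:
            seen[key] = i
        if problems:
            errors.append((i, problems))
        else:
            payloads.append(to_scim_user(row))
    return payloads, errors

# Constructed sample export (not real users).
SAMPLE = [
    {"email": "ana@example.com", "firstName": "Ana", "lastName": "Diaz", "active": True,
     "timezone": "Europe/Paris", "primaryPhone": "+33100000000"},
    {"email": "Ana@Example.com", "firstName": "Ana", "lastName": "D.", "active": True},
    {"email": "bo@example.com", "firstName": "Bo", "lastName": "", "active": "yes",
     "timezone": "CET+1h"},
]
```

Run `preflight` on the pilot group's export before assigning it to the Modjo app; rows listed in `errors` are the ones that would surface as provisioning errors in the IdP logs.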

Step 4: Assign users or groups

  1. In your IdP, assign individual users or entire groups to the Modjo application.

  2. Wait 5-10 minutes for the initial sync to complete.

  3. Verify in Modjo (Settings → Users) that the users have been created.

Best practices

  • Start with a pilot group: Assign a small test group (5-10 users) first to validate the configuration before rolling out to the entire organization.

  • Use groups for scalability: Assign groups (e.g., "Sales Team") instead of individual users to simplify management.

  • Monitor sync logs: Check your IdP's provisioning logs regularly to catch errors (duplicate emails, missing attributes, etc.).

  • Document your attribute mappings: Keep a reference document of your custom mappings for troubleshooting.

  • Combine SCIM with SSO: For a fully automated experience, enable both SCIM (provisioning) and SSO (authentication).

Limits and considerations

  • SCIM-provisioned users can only be offboarded via IdP: Once a user is created via SCIM, you cannot manually deactivate them in Modjo; you must unassign them in your IdP.

  • Roles, teams, and licenses remain manual: SCIM does not sync these attributes; you must configure them in Modjo after users are provisioned.

  • Email uniqueness: Duplicate emails will cause provisioning errors. Ensure all emails are unique before enabling SCIM.

  • Sync latency: Changes in your IdP (user creation, updates, deactivation) may take 5-15 minutes to reflect in Modjo, depending on your IdP's sync frequency.

  • Token security: If your SCIM token is compromised, regenerate it immediately in Modjo. This will invalidate the old token and require updating your IdP configuration.

Troubleshooting

404 error when testing SCIM connection

Verify that the SCIM Base URL is correct (https://api.modjo.ai/scim/v2) and that you copied it exactly as shown in Modjo (including the /scim/v2 path).

"User already exists" error

A user with the same email already exists in Modjo (created manually or via another method). Either delete the existing user in Modjo first, or exclude this user from SCIM provisioning in your IdP.

Users are created but not updated when I change attributes in my IdP

Ensure that Update User Attributes is enabled in your IdP's provisioning settings. Also check that the attributes you're changing are correctly mapped (see attribute mapping table).

Soft-deleted users in Azure AD are not deactivated in Modjo

Azure AD only sends deactivation events for hard-deleted users. Either hard-delete the user in Azure AD or manually unassign them from the Modjo app to trigger deactivation.
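
A reconciliation check for this case, as an added example (not Modjo or Azure AD code): it compares an IdP assignment export with a Modjo user export and reports accounts that are still active in Modjo once the sync window has passed. The export field names (`state`, `changed_at`, `scim`) are hypothetical; adapt them to the columns your IdP and Modjo exports actually contain.

```python
from datetime import datetime, timedelta, timezone

SYNC_GRACE = timedelta(minutes=15)  # upper end of the sync latency stated above

def find_drift(idp_users, modjo_users, now):
    """Return (email, reason) for Modjo accounts still active without IdP backing."""
    idp = {u["email"].lower(): u for u in idp_users}
    findings = []
    for m in modjo_users:
        if not m["active"]:
            continue
        src = idp.get(m["email"].lower())
        state = src["state"] if src else "absent"
        if state == "assigned":
            continue
        if not m["scim"]:
            # Manually invited accounts never receive SCIM deactivation.
            findings.append((m["email"], f"manual account, IdP state {state}"))
        elif state == "absent":
            findings.append((m["email"], "SCIM account with no IdP record"))
        elif now - src["changed_at"] > SYNC_GRACE:
            # Past the sync window: deactivation was not sent or failed.
            findings.append((m["email"], f"IdP state {state}, still active in Modjo"))
    return findings

# Constructed sample data; field names are hypothetical export columns.
NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)
IDP = [
    {"email": "ana@example.com", "state": "assigned", "changed_at": NOW - timedelta(days=30)},
    {"email": "bo@example.com", "state": "soft_deleted", "changed_at": NOW - timedelta(hours=3)},
    {"email": "cy@example.com", "state": "unassigned", "changed_at": NOW - timedelta(minutes=4)},
]
MODJO = [
    {"email": "ana@example.com", "active": True, "scim": True},
    {"email": "bo@example.com", "active": True, "scim": True},
    {"email": "cy@example.com", "active": True, "scim": True},
    {"email": "dee@example.com", "active": True, "scim": False},
    {"email": "eli@example.com", "active": False, "scim": True},
]
```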

SCIM token expired or invalid

SCIM tokens do not expire automatically, but if you regenerated the token in Modjo, you must update it in your IdP. Go to your IdP's SCIM settings and paste the new token, then test the connection.

FAQ

Q: Can I use SCIM alongside manual user invitations?

A: Yes. You can mix SCIM-provisioned users and manually invited users in the same Modjo workspace. However, SCIM-provisioned users can only be offboarded via your IdP.

Q: What happens if I disable SCIM after provisioning users?

A: Existing SCIM-provisioned users will remain in Modjo, but they will no longer sync with your IdP. You'll need to manage them manually (deactivation, attribute updates) in Modjo.

Q: Does SCIM work with multiple Modjo workspaces?

A: Yes. Each Modjo workspace has its own SCIM token and configuration. You must set up SCIM separately for each workspace in your IdP.

Q: Can I assign Modjo roles (Admin, User, Analyst) via SCIM?

A: No. SCIM does not support role assignment. All SCIM-provisioned users are created with the default "User" role. You must manually assign roles in Modjo (Settings → Users).

Q: How do I know if a user was provisioned via SCIM?

A: In Modjo, go to Settings → Users. Users provisioned via SCIM will have a "SCIM" badge next to their name (visible to admins only).
