Best Practices from Oracle Development's A‑Team

How to bring Azure AD users and groups into IDCS



Any customer using Oracle IDCS with Azure AD as the IDP would want to automate the user and group provisioning process. When Azure AD acts as the IDP, the users are born in Azure AD or are brought into Azure AD from an on-premise repository like AD. Users of the Oracle SaaS or PaaS applications protected with IDCS can be authenticated by Azure AD by setting up the federation trust and user synchronization is a pre-requisite for SSO to work.

For user synchronization, one option is to use IDCS out of the box feature to pull all the Azure AD users/groups/memberships in. More details are available here.

Another option is to push the users/groups/memberships from Azure AD to IDCS. This option provides some flexibility in terms of which users/groups need to be provisioned/synchronized.

IDCS REST APIs comply with the System for Cross-domain Identity Management (SCIM), an open API standard for managing identities across vendors. Azure AD SCIM client can be configured to use this API to create/update/delete users and groups in IDCS.

This blog provides steps to configure this option.

Getting started

You will need -

1) Azure AD admin access to create/update the IDCS gallery application.

2) IDCS 19.2.1+ standard with administrator access to create a new client application.

IDCS Configuration Steps

The following steps show how to create a client application in IDCS which is used by Azure AD to manage users in IDCS.

1) Login to your IDCS  instance admin console and create a new confidential application.

Provide a name and click next.

Select Configure this application as a client now

Securely save the Client ID and Client Secret. This will be used later.

In Allowed Grant Types, select Client Credentials.


Add User Administrators role in Grant the client access to Identity Cloud Service Admin APIs 

Save and Activate the application.


Azure AD Configuration Steps

Microsoft now has a gallery application to integrate with IDCS and the latest configuration steps are available here.

Note:  Previously this section of the blog had instructions on setting up a non-gallery application but with an addition of a gallery application, the old instructions are no longer valid.


Automated user provisioning/synchronization between multi-cloud IAM services like Azure and Oracle is critical for delivering better security and user experience and I am hoping that anyone trying to implement this solution will benefit from this post. 

Join the discussion

Comments ( 3 )
  • John Tomlison Wednesday, May 6, 2020
    I just wanted to mention a "Unauthorized error that can occur if you do not use the proper options when encoding your clientID and Secret. The problem is that Azure requires the clientID and secret to be encoded with UTF-8 and "CRLF Windows" options. We were using the default encoding options of UTF-8 and LF-Unix.
  • Uday Monday, March 8, 2021
    Thanks for this Article. The difference between Gallery Application and Non-Gallery Application is really important as highlighted in this note.We encountered issue of Azure user's Active/Disabled status erring out with invalid attribute type with non Gallery Application in Azure.
  • Ahmed Hassan Tuesday, March 16, 2021
    Yes as John mentioned we must encode the clintID:Sectet usning CRLF Windows, that can be done using https://www.base64encode.org/
    copy current values and paste in this website and change destination new line separator to CRLF Windows
Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.Captcha