Azure AD Provisioning with SCIM

Keeper supports SAML 2.0 Authentication and SCIM provisioning with the Azure platform.

Keeper supports the ability to provision users and teams from Microsoft Azure AD or other identity platforms using the SCIM protocol. For customers that utilize Azure AD, users can be provisioned to the platform and automatically added to Teams for receiving Shared Folders. Keeper/Azure provisioning integration supports the following features:

  • Create users in Keeper

  • Updates user attributes (display name in Keeper)

  • Deletes users (locks users in Keeper)

  • Creates teams in Keeper (from Azure groups)

  • Adds or removes users to groups (to teams in Keeper)

When provisioning users, Azure AD is mapped to a single Keeper node. Azure creates users and groups in a pending state, new users will receive an email invitation prompting them to create a Keeper account.


To setup Keeper user provisioning with Azure AD, you need to have an access to the Keeper Admin Console and an Azure account.

Configuration Steps

1. Go to your Azure Admin account and go to Azure Active Directory > Enterprise Applications and click on "New Application". Search for Keeper and select Keeper Password Manager & Digital Vault. After adding the application, click on the "Provisioning" section and select the "Automatic" option.

Automatic Provisioning

In a separate window, you will retrieve the Tenant URL and Secret Token from the Keeper Admin Console.

2. From the Keeper Admin Console navigate to a node which should be synchronized with your Azure AD. Click Add Method.

3. Choose SCIM option and click Next. Click Create Provisioning Token.

4. Copy the values for URL and Token and paste them into Tenant URL and Secret Token fields in the Azure AD screen from step 1. Click Save to finish provisioning setup on the Keeper side.

Create Provisioning Method

5. Go back to the Azure AD screen and click Test Connection. If successful, save the credentials. Change Provisioning Status to On and save the provisioning settings.

6. Go to the Users and Groups section of the Keeper Azure AD app and assign users or groups from your Azure AD to the app. Wait for about 5 minutes and click the Sync button in the Admin Console. Verify that users appear under the Users tab.

When syncing groups for teams, they are not immediately created, they are put into a “Pending Queue” where they must be approved by the admin. See the section API Provisioning with SCIM.

The SCIM protocol is used for provisioning of users and teams, not for authentication. To enable automatic authentication with Azure AD using the SAML 2.0 protocol, follow the setup instructions in the Keeper SSO Connect Guide.