Entra ID: Single Sign-On (SSO) & User Provisioning

Simplify user management and enhance security by integrating Microsoft Entra ID (formerly Azure AD) with Cinode.

Written by Ellen Rydberg
Updated over 2 weeks ago

Overview

With Microsoft Entra ID login, users no longer need separate Cinode passwords—they sign in using their Entra ID credentials for seamless, secure access.

By enabling Single Sign-On (SSO) and two-factor authentication (2FA) through Entra ID, your organisation benefits from streamlined user management, enhanced security, and improved integration across systems.

When User Provisioning is configured, employee accounts are automatically created, updated, or deactivated in Cinode based on Entra ID—removing the need for manual user administration.


Benefits of Using Entra ID with Cinode

🔒 Enhanced Security and Compliance

Entra ID offers advanced protection features such as multi-factor authentication, conditional access, and audit logging, ensuring secure and compliant identity management.

⚙️ Streamlined User Management

Centralised identity management and automated provisioning simplify user onboarding and offboarding, reducing administrative workload.

🚀 Improved User Experience and Integration

SSO provides users with consistent access to Cinode and other Microsoft services using a single set of credentials.


Prerequisites

Before getting started, ensure you have:

  • An active Microsoft Entra ID (Azure AD) tenant

  • A Cinode account with Administrator rights

  • Appropriate permissions in Entra ID (Application Administrator, Cloud Application Administrator, Application Owner, or Global Administrator)

  • The Entra ID SSO add-on enabled in your Cinode plan (contact Cinode Support to activate)


Setting Up Entra ID Single Sign-On (SSO)

Entra ID SSO is a paid add-on to your current Cinode plan. Let us know and we'll help you enable this functionality. To set up the integration, you need to be an Administrator in Cinode and Entra ID.

Step 1: First set up - how to do it

Start by approving the Cinode application in Entra ID. Set up SSO for one test user, then log in to Cinode via SSO to confirm the setup.

The user configuring the integration must have the Admin and API roles in Cinode.

Step 2. Add Entra ID as a Login Type in Cinode

  1. In Cinode, go to Administration → Integrations.

  2. Open the Account types tab.

  3. Click Activate new account type.

  4. Select Aad from the dropdown and click Save.

You’ll now see Entra ID (Aad) listed as an active account type.

On the Integrations page, select the tab Account types.

Step 3. Configure SSO for Each User

You can mix login methods—some users can log in via password, others via SSO. In such cases, add both Aad and Password as account types.

When AAD login type is enabled, the SSO must be set for the user. This is done by adding the unique user identifier (Object ID) from your Entra ID to each user account in Cinode. Once you have retrieved the Object ID for your user from

For each user who will log in via Entra ID:

  1. Retrieve the user’s Object ID from Entra ID.

  2. In Cinode, go to Administration → Users.

  3. Open the options menu (three vertical dots) for the user.

  4. Select Edit login type → choose Aad.

  5. Enter the unique Object ID that you retrieved from Entra ID for this user in the "Object Identifier" field and save.

  6. Log out of Cinode and sign in again using SSO to confirm access.

When done, log out of Cinode and log in via SSO as the same user.

Approve the Cinode application in Entra ID. If you lack admin rights, send a request to your Entra admin to approve it.
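
Because Step 3 has an administrator paste one Object ID per user, it is worth checking the values before users depend on SSO. The following is an added example, not part of Cinode's documentation or tooling. It checks hand-entered Object IDs against an Entra user list. The row layout and all sample values are constructed assumptions.

```python
import re
from collections import Counter

# Entra Object IDs are GUIDs: 8-4-4-4-12 hexadecimal digits.
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# Constructed sample data; the layout is an assumption made for this example.
ENTRA_USERS = {  # sign-in name -> Object ID, as listed in Entra ID
    "anna@example.com": "11111111-1111-4111-8111-111111111111",
    "bjorn@example.com": "22222222-2222-4222-8222-222222222222",
    "carl@example.com": "33333333-3333-4333-8333-333333333333",
}
CINODE_ROWS = [  # (email, login type, Object Identifier as entered in Cinode)
    ("anna@example.com", "Aad", "11111111-1111-4111-8111-111111111111"),
    ("bjorn@example.com", "Aad", "11111111-1111-4111-8111-111111111111"),  # Anna's ID pasted
    ("carl@example.com", "Aad", "33333333-3333-4333-8333-33333333"),  # truncated paste
    ("dana@example.com", "Aad", ""),  # login type set, ID never filled in
    ("erik@example.com", "Password", ""),  # password login: no Object ID expected
]

def audit(rows, entra):
    """Return sorted (email, problem) pairs for users whose login type is Aad."""
    aad = [(email.lower(), oid.strip().lower())
           for email, kind, oid in rows if kind == "Aad"]
    seen = Counter(oid for _, oid in aad if oid)
    findings = []
    for email, oid in aad:
        if not oid:
            findings.append((email, "missing Object ID"))
        elif not GUID.match(oid):
            findings.append((email, "not a GUID"))
        elif entra.get(email, "").lower() != oid:
            # The ID belongs to someone else or to no known user, so this
            # Cinode account would be tied to the wrong Entra identity.
            findings.append((email, "does not match Entra"))
        elif seen[oid] > 1:
            findings.append((email, "Object ID shared with another user"))
    return sorted(findings)

if __name__ == "__main__":
    for email, problem in audit(CINODE_ROWS, ENTRA_USERS):
        print(f"{email}: {problem}")
```
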


Configure Cinode to support provisioning with Azure AD

Once SSO is configured, you can enable automatic user provisioning using the SCIM 2.0 protocol. This synchronises users, teams, and roles between Entra ID and Cinode.


Preparations & Prerequisites:

The scenario outlined in this tutorial assumes that you already have the following prerequisites:

  • A user account in Azure AD with permission to configure provisioning (for example, Application Administrator, Cloud Application Administrator, Application Owner, or Global Administrator).

  • A user account in Cinode with administrator rights.

Capabilities supported

✅ Create users in Cinode

✅ Disconnect users in Cinode when they no longer require access

✅ Keep user attributes synchronized between Entra ID and Cinode

✅ Provision Security groups to team memberships in Cinode

✅ Provision Permission level (Roles) to Cinode via Security groups

Step 1. Plan your provisioning deployment

  1. Determine who will be in scope for provisioning.

  2. Determine what data to map between Azure AD and Cinode.

Step 2. Configuration in Cinode to support provisioning with Entra ID

Sign in to Cinode with a user account that has Administrator rights. Navigate to Administration.

Navigate to Integrations -> Tokens

Choose “create a new SCIM token” in Cinode.

Enter an appropriate name and expiry date, such as one year ahead. Note that when this date expires, the integration will no longer work, so we recommend creating a reminder.

Click Create token.

Copy the Tenant URL and the Token. You will enter these values in the Provisioning tab of your Cinode application in the Entra portal.

Step 3. In Entra ID: Add Cinode from the Enterprise application gallery

Add the Cinode app via Enterprise Applications to start managing provisioning to Cinode. You can use the same application if you have previously set up Cinode for SSO. However, it is recommended to create a separate app when initially testing the integration. Learn more about adding an application from the gallery here.

Step 4. Define who will be in scope for provisioning

The Entra ID provisioning service lets you determine who will be provisioned based on application assignment and/or user/group attributes. To scope provisioning based on assignment, you can follow these steps to assign users and groups to the application. When syncing Security groups to Cinode, they are automatically created as new teams. You can also map them to existing teams for flexibility.

Configure a scoping filter to restrict provisioning to specific users or groups based on attributes.

  • When assigning users and groups to Cinode, select a role other than Default Access. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only available role is Default Access, update the application manifest to add additional roles.

  • Start small by testing with a limited group of users and groups before rolling out to everyone. When the scope for provisioning is set to assigned users and groups, you can control this by assigning one or two users or groups to the app. If the scope is set to all users and groups, you can specify an attribute-based scoping filter.

Step 5. How to set up User Provisioning in Microsoft Entra

This section guides you through the steps to configure the Microsoft Entra provisioning service to create, update, and disable users and/or groups in Microsoft Entra.

To configure automatic user provisioning for Cinode in Azure AD:

  1. Sign in to the Entra portal. Select Enterprise Applications, then select All Applications.

  2. In the applications list, select Cinode.​

  3. Select the Provisioning tab.

  4. Set the Provisioning Mode to Automatic.

  5. Under the Admin Credentials section, input the SCIM 2.0 base URL and Authentication Token values retrieved earlier in Cinode.

    Click Test Connection to ensure Microsoft Entra can connect to Cinode. If the connection fails, ensure your Cinode account has Admin permissions and try again.

  6. In the Notification Email field, enter the email address of a person or group who should receive the provisioning error notifications and select the Send an email notification when a failure occurs check box.

Select Save.


Mapping attributes​

You can sync attributes from Microsoft Entra to Cinode.

Under the Mappings section, select Synchronize Azure Active Directory Users to Cinode.


​Review the user attributes synchronized from Microsoft Entra to Cinode in the Attribute-Mapping section. The attributes selected as Matching properties match the user accounts in Cinode for update operations. If you choose to change the matching target attribute, you must ensure that the Cinode API supports filtering users based on that attribute.

Select the Save button to commit any changes.

| Attribute | Type | Cinode name |
|---|---|---|
| userName | String | username |
| name.givenName | String | first name |
| name.familyName | String | last name |
| externalId | String | externalId |
| active | Boolean | status |
| title | String | title (admin setting) |
| addresses[type eq "work"].locality | String | location |
| phoneNumbers[type eq "work"].value | String | phone |
| urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:EmployeeNumber | String | employmentNumber |
| urn:ietf:params:scim:schemas:extension:Cinode:User:1.0:EmploymentStartDate | DateType | employmentStartDate |
| urn:ietf:params:scim:schemas:extension:Cinode:User:1.0:EmploymentEndDate | DateType | employmentEndDate |

The "Convert accounts to AAD" attribute allows you to link existing users in Cinode to their Microsoft Entra accounts by matching their email addresses. Please note that you must update the "externalId" attribute to apply this mapping successfully.

The setting Apply this mapping needs to be set to ALWAYS.

The "Overwrite name of team with DisplayName of group" attribute means that when provisioning teams via security groups in Cinode, the team name can be overwritten with the DisplayName of the corresponding group in Microsoft Entra.

Add new attributes

The option Show advanced attributes allows you to add new attributes such as Phone number, Start and end date, etc.

Use the attribute names in the table to add new target attributes.

Once the target attribute is added, add a new attribute mapping.

Provision Teams, Roles and Team Managers to Cinode via Security groups

It is possible to provision teams, roles, and team managers in Cinode using security groups. These security groups can also be dynamic, enabling flexible and automated management.

Select Synchronize Azure Active Directory Groups to Cinode under the Mappings section.

In the Attribute-Mapping section, review the group attributes that are synchronized from Azure AD to Cinode. The attributes selected as Matching properties are used to match the groups in Cinode for update operations. Select the Save button to commit any changes.

| Attribute | Type |
|---|---|
| displayName | String |
| externalId | String |
| members | Reference |

Please take a look at the instructions in the Scoping filter tutorial to configure scoping filters.

Map the Security groups in Cinode as teams, team managers, and roles:

You can add an employee to the right team with the proper permission level, with Entra as the master.

To map team managers to teams in Cinode, follow the same process as for teams. This requires creating a security group for each manager.

Similarly, the mapping for roles (user, manager, partner manager, recruiter, administrator) can be done using security groups for each role.

Set your default role mapping

By selecting a default mapping, you define the role assigned to each user when they are added to Cinode. Additional roles can be assigned through mapped security groups or manually in Cinode.

The most common approach is assigning the user role to all users by default, especially if role mapping via security groups is not utilized.

Step 6. Test the integration

To test the integration, try provisioning on demand for a user. If the user already exists in Cinode, the login credentials will be changed. You can see it by checking the login type.

If the objectID is imported to the user, the provisioning is working.

If you provision a new user, the user will be visible in Cinode.


In the Settings section, change the Provisioning Status to On to enable the Microsoft Entra provisioning service for Cinode.

In the Settings section, select the desired values in Scope to define the users and/or groups you would like to provision to Cinode.

This operation starts the initial synchronization cycle of all users and groups defined in Scope in the Settings section. The initial cycle takes longer than subsequent cycles, which occur approximately every 40 minutes as long as the Azure AD provisioning service runs.


What information is sent during creation?

In the first step, only basic information such as first name, last name, and email address is sent during creation (create). Anything referred to as 'extension' or similar is considered extended information and is not sent initially. For example, 'Employee ID' is not considered basic information; it is an extension and is transferred in a later cycle. For more details about SCIM, please refer to the documentation on GitHub: https://github.com/cinode-labs/docs-scim, which outlines the integration used by Entra when communicating with us.
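
The split described above explains why an extension value can be missing right after a user is created. This added sketch, which is not Cinode's or Microsoft's code and not a capture of Entra's traffic, turns one user keyed by the attribute names from the mapping table into a create body and a later SCIM 2.0 PatchOp body. It assumes every attribute without an extension URN counts as basic; the sample values are constructed.

```python
import re

CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
EXT_PREFIX = "urn:ietf:params:scim:schemas:extension:"
# Matches filtered paths from the table, e.g. phoneNumbers[type eq "work"].value
FILTERED = re.compile(r'^(\w+)\[type eq "(\w+)"\]\.(\w+)$')

# Constructed sample user, keyed by attribute names from the mapping table.
SAMPLE = {
    "userName": "anna.berg@example.com",
    "name.givenName": "Anna",
    "name.familyName": "Berg",
    'phoneNumbers[type eq "work"].value': "+46 8 555 0100",
    EXT_PREFIX + "enterprise:2.0:User:EmployeeNumber": "1042",
    EXT_PREFIX + "Cinode:User:1.0:EmploymentStartDate": "2024-09-01",
}

def split_user(flat):
    """Return (create_body, patch_body); patch_body is None without extensions."""
    create, ops = {"schemas": [CORE]}, []
    for path, value in flat.items():
        filtered = FILTERED.match(path)
        if path.startswith(EXT_PREFIX):
            # Assumption: only extension-schema attributes wait for a later cycle.
            ops.append({"op": "add", "path": path, "value": value})
        elif filtered:
            # Multi-valued attribute: one list entry per "type" value.
            attr, kind, sub = filtered.groups()
            entries = create.setdefault(attr, [])
            entry = next((e for e in entries if e["type"] == kind), None)
            if entry is None:
                entry = {"type": kind}
                entries.append(entry)
            entry[sub] = value
        else:
            # Dotted path such as name.givenName becomes a nested object.
            node = create
            *parents, leaf = path.split(".")
            for parent in parents:
                node = node.setdefault(parent, {})
            node[leaf] = value
    patch = {"schemas": [PATCH_OP], "Operations": ops} if ops else None
    return create, patch

if __name__ == "__main__":
    import json
    for body in split_user(SAMPLE):
        print(json.dumps(body, indent=2))
```
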
