This guide explains how to set up JIT user provisioning with Microsoft Entra ID (formerly Azure AD) for Lowcoder.

**JIT Provisioning** automatically creates user accounts in Lowcoder when users authenticate via SSO for the first time. This eliminates the need for manual user creation or SCIM provisioning for basic SSO scenarios.

1. User clicks**"Sign in with Entra ID"** on Lowcoder login page

2. User authenticates with Microsoft Entra ID

3. Entra ID redirects back to Lowcoder with authentication details

4. Lowcoder automatically:

- Creates a new user account (if doesn't exist)

- Sets up the correct auth connection (Entra ID, not EMAIL)

- Adds user to the organization

- Logs user in

- Lowcoder instance running (self-hosted or cloud)

- Admin access to Lowcoder

- Microsoft Entra ID (Azure AD) tenant

- Admin access to Azure Portal

1. Go to[Azure Portal](https://portal.azure.com)

2. Navigate to**Azure Active Directory** →**App registrations**

3. Click**New registration**

4. Configure:

-**Name**:`Lowcoder SSO`

-**Supported account types**: Choose based on your needs

- Single tenant (most common for enterprise)

- Multi-tenant (if needed)

-**Redirect URI**:

- Platform:`Web`

- URI:`https://your-lowcoder-domain.com/api/auth/oauth2/callback`

5. Click**Register**

1. In your app registration, go to**API permissions**

2. Click**Add a permission**

3. Select**Microsoft Graph**

4. Choose**Delegated permissions**

5. Add these permissions:

6. Click**Add permissions**

7. Click**Grant admin consent** (if you have admin rights)

1. Go to**Certificates & secrets**

2. Click**New client secret**

3. Description:`Lowcoder SSO Secret`

4. Expires: Choose appropriate duration (12-24 months recommended)

5. Click**Add**

6.**IMPORTANT**: Copy the secret**Value** immediately (you won't see it again!)

From**Overview** page, note:

-**Application (client) ID**:`xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`

-**Directory (tenant) ID**:`xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx`

1. Log in to Lowcoder as**admin**

2. Go to**Settings** →**Authentication** (or Admin panel)

3. Click**Add Authentication Provider**

Fill in the following details:

| Field| Value|

| --------------------------| ---------------------------------------------------------------------|

|**Provider Name**|`Entra ID` or`Azure AD`|

|**Auth Type**|`GENERIC` (Generic OAuth2)|

|**Client ID**|`<Application (client) ID from Azure>`|

|**Client Secret**|`<Client secret value from Azure>`|

|**Authorization Endpoint**|`https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize`|

|**Token Endpoint**|`https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token`|

|**User Info Endpoint**|`https://graph.microsoft.com/v1.0/me`|

|**Scope**|`openid profile email User.Read`|

|**Enable Registration**| ✅**TRUE** (This enables JIT provisioning!)|

Replace`{tenant-id}` with your actual tenant ID.

Set up how Entra ID user attributes map to Lowcoder user fields:

{

"uid":"id",

"username":"userPrincipalName",

"email":"mail",

"avatar":"photo"

}

Or if email field is sometimes null:

{

"uid":"id",

"username":"userPrincipalName",

"email":"userPrincipalName",

"avatar":"photo"

}

Click**Save** or**Enable** to activate the provider.

1.**Log out** from Lowcoder (if logged in)

2. Go to Lowcoder login page

3. You should see**"Sign in with Entra ID"** button

4. Click the button

5. You'll be redirected to Microsoft login

6. Enter credentials and authenticate

7. You'll be redirected back to Lowcoder

8.**User account is automatically created** ✅

As admin:

1. Go to**Settings** →**Members** or**Users**

2. You should see the newly created user

3. Check user details:

- Auth Source should be**"Entra ID"** (not EMAIL)

- Email should match the Entra ID account

- User should be active

If you need both SCIM provisioning AND SSO authentication:

- SCIM pre-provisions users (for compliance/audit)

- Users still authenticate via SSO

- JIT adds auth connection on first login

The updated`createSCIMUserAndAddToOrg` endpoint now:

1.**Creates a placeholder user** via SCIM (no auth connection)

2.**On first SSO login**, JIT provisioning adds the Entra ID auth connection

3.**Subsequent logins** work normally via SSO

1. In Azure Portal, go to your**Enterprise Application**

2. Navigate to**Provisioning**

3. Set**Provisioning Mode**:`Automatic`

4. Configure:

-**Tenant URL**:`https://your-lowcoder-domain.com/api/v1/organizations/{orgId}/scim/users`

-**Secret Token**: Your API token

5.**Mappings**: Map Azure AD attributes to SCIM attributes

6.**Save** and**Start Provisioning**

**Solution**:

- Verify the auth provider is**enabled** in settings

- Check that`enableRegister` is set to`true`

- Clear browser cache and reload

**Solution**:

- Verify Authorization, Token, and User Info endpoints are correct

- Check that tenant ID is properly replaced in URLs

- Verify client ID and secret are correct

**Solution**:

- This means SCIM endpoint was used with old code

- With updated code, SCIM creates placeholder users

- JIT adds correct auth connection on first SSO login

- Rebuild Docker image with the fix

**Solution**:

- This error occurs if trying to create EMAIL-based users when EMAIL auth is disabled

- Use SSO with JIT provisioning instead

- Don't use the old SCIM implementation that creates EMAIL users

1.**Client Secret**: Store securely, rotate regularly

2.**Redirect URI**: Must exactly match what's configured in Azure

3.**Scope**: Request minimum permissions needed

4.**Enable Registration**: Only enable if you want JIT provisioning

5.**Organization**: Configure which organization new users join

If you have multiple organizations:

- Configure separate OAuth providers per organization

- Or use organization domains to auto-assign users

To assign custom roles on JIT provisioning:

- Modify`AuthenticationApiServiceImpl.onUserLogin()`

- Add logic to check Entra ID groups/roles

- Map to Lowcoder roles accordingly

JIT-provisioned users are automatically verified since they authenticated via SSO.

| Feature| SCIM Provisioning| JIT Provisioning|

| --------------------| ----------------------------| ----------------------|

|**User Creation**| Pre-provisioned via SCIM| Created on first login|

|**Setup Complexity**| High| Low|

|**Auth Source**| EMAIL (with old code)| Correct SSO source|

|**Works with SSO**| Requires fix| ✅ Native support|

|**Audit Trail**| Full provisioning audit| Login-based audit|

|**Use Case**| Compliance, pre-provisioning| Simple SSO|

For most use cases:**Use JIT Provisioning** (simpler, works correctly with SSO)

For compliance requirements:**Use SCIM + JIT Combined** (with updated code)

-[Microsoft Entra ID OAuth2 Documentation](https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow)

-[Lowcoder Authentication Documentation](../../../workspaces-and-teamwork/oauth/)

-[Generic OAuth Provider Setup](../../../workspaces-and-teamwork/oauth/generic-oauth-provider.md)

**Just-In-Time (JIT) Provisioning** automatically creates user accounts when they first login via SSO. No manual user creation or SCIM needed!

✅**Simple** - Minimal configuration

✅**Secure** - Users authenticated via Entra ID

✅**Correct** - Proper auth source (not EMAIL)

✅**Fast** - Users created on first login

1. Go to[Azure Portal](https://portal.azure.com) →**App registrations** →**New registration**

2. Name:`Lowcoder SSO`, Redirect URI:`https://your-domain.com/api/auth/oauth2/callback`

3. Create a**Client Secret** (save the value!)

4. Add permissions:**API permissions** →**Microsoft Graph** →`User.Read`,`email`,`profile`,`openid`

5. Note your**Client ID** and**Tenant ID**

Login as admin →**Settings** →**Authentication** →**Add Provider**:

Provider Name:Entra ID

Auth Type:GENERIC

Client ID:<from Azure>

Client Secret:<from Azure>

Authorization Endpoint:https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/authorize

Token Endpoint:https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token

User Info Endpoint:https://graph.microsoft.com/v1.0/me

Scope:openid profile email User.Read

Enable Registration:✅ TRUE# ← This enables JIT!

"uid":"id",

"username":"userPrincipalName",

"email":"mail"

1. Logout from Lowcoder

2. Click**"Sign in with Entra ID"**

3. Authenticate with Microsoft

4. ✅ User automatically created and logged in!

No SCIM needed. No manual user creation. Users are provisioned automatically on first login with the correct authentication source.

If you need SCIM for compliance, see the full guide:[JIT_PROVISIONING_WITH_ENTRA_ID.md](./JIT_PROVISIONING_WITH_ENTRA_ID.md)

**Can't see "Sign in with Entra ID" button?**

- Check`Enable Registration` is ✅ TRUE

- Verify provider is enabled in settings

**Login fails?**

- Verify redirect URI matches exactly

- Check client ID and secret are correct

- Verify tenant ID in endpoints

For detailed documentation, see:[JIT_PROVISIONING_WITH_ENTRA_ID.md](./JIT_PROVISIONING_WITH_ENTRA_ID.md)