Under the **Admin Credentials** section of the **Provisioning** feature, fill out the form as follows:
* **Tenant URL**: `https://api.pulumi.com/scim/v2/{orgName}`, where `{orgName}` must be replaced with your organization’s login name (not display name). If you do not know this, navigate to your SAML settings and look at the SSO URL. It will have your organization’s login name in the URL.
* **Secret Token**: You will use a token from the [Pulumi Cloud](https://app.pulumi.com) as the authorization bearer token. To generate a token, navigate to your org in the Pulumi Cloud, select **Settings**, then **Access Management**, and then in the **SCIM** section, generate a new token if you have never generated one for your org or regenerate it if you have already done so in the past.
Once you generate the token, save it securely. Neither the Pulumi Cloud nor Pulumi support can retrieve a token once it's been initially generated. If you lose and need the SCIM token again, you'll have to generate a new token, invalidating any previous tokens for your Pulumi organization.
Update the mapping for the **userName** attribute to be sourced from **mailNickname** instead of **userPrincipalName**. In the **Mappings** expansion panel, click **Provision Azure Active Directory _Users_** and then click on the corresponding attribute mapping as shown below.
In the configuration window, change the value of the **Source attribute** drop-down to **mailNickname**.
Delete all attributes **except** for the following using the **Delete** button:
* userName
* active
* displayName
* emails[type eq "work"].value
* name.givenName
* name.familyName
### Set The Emails Attribute To Required
In the user attribute mappings editor, scroll-down and click the **Show advanced options** checkbox and then the **Edit attribute list for customappsso** link.
You are now done with the Mappings configuration. Click **Save** and close the child windows/blades until you get back to the main **Provisioning** window where you can see the **Provisioning Status** drop-down.
To enable the provisioning of Azure AD groups to Pulumi Cloud, select **Edit Provisioning** and then select the **Provision Azure Active Directory Groups** setting under the **Mappings**
expansion panel and switch the **Enabled** setting to **Yes**.
### Update Group Attribute Mappings
Scroll-down to the Attribute Mappings section while you are editing the group provisioning setup and remove the mapping
between `objectId` and `externalId`. Click **Save** once you are done.
## Enable Provisioning
Under the **Settings** expansion panel, the **Scope** drop-down should be set to **Sync only assigned users and groups**. This ensures that only the users who are assigned to this application are synced with Pulumi, and not everyone in your Azure Active Directory.
Set the **Provisioning Status** to **On** and then click **Save**.
## Assign Users and/or Groups
You must assign users to the Azure AD enterprise application to have them provisioned with an account in Pulumi. Click on the **Users and groups** feature in the left nav, and assign users and/or groups to the application by searching for them.
{{% notes "info" %}}
If you did not enable group provisioning while you were editing the provisioning setup, click on **Edit Provisioning** and enable the **Provision Azure Active Directory Groups** setting as well under the **Mappings** expansion panel.
{{% /notes %}}
Review the **Provisioning logs** to ensure there were no errors while provisioning the users. It may take a few minutes for logs to appear. If there were validation errors, you can correct them and try again, or contact Pulumi for support.
