The information in this article applies only to a feature in the Compleet subscription.
Introduction
Users can be managed from Microsoft Entra. If users already exist in Zenvoices, they will automatically be linked with the users in Microsoft Entra based on the unique email address. In both scenarios they will be managed from Microsoft Entra.
Please note: the Admin user is a fixed user with all administrator rights in Zenvoices and is not linked with Microsoft Entra.
This guide describes the following steps:
A. Connection between Microsoft Entra and Zenvoices
B. Set permissions for Microsoft Entra
C. Link roles
D. Assign Microsoft Entra users to the Zenvoices roles
It is recommended to keep the following two tabs open in the web browser:
Microsoft Entra: Applications
Zenvoices: Beheer / Omgeving / Instellingen / tab Microsoft Entra ID
A. Connection between Microsoft Entra and Zenvoices
With the following steps a connection is created between Microsoft Entra and Zenvoices so that users can be managed from Microsoft Entra.
Add Zenvoices application
Navigate in Microsoft Entra to Applications / Enterprise applications / button: 'New application' / button: Create your own application
Enter the name in the field 'What's the name of your app?'
For this guide the example name is: Zenvoices SCIM
Select the last option: 'Integrate any other application you don’t find in the gallery (Non-gallery)'
Confirm this with the button 'Create' at the bottom
Please note: Zenvoices IMAP may be suggested; this should be ignored.
Copy Redirect URIs to Zenvoices
Navigate in Microsoft Entra to Applications / App registrations / button: 'View all applications in the directory'
Select the newly created application (in this example: 'Zenvoices SCIM')
Copy the data from the field Application (client) ID and save it (for example in Notepad)
Do the same for the data from the field Directory (tenant) ID
Open Zenvoices in another browser tab and navigate to Beheer / Omgeving / Instellingen / tab Microsoft Entra ID
Paste the data from step 3 into the field Application ID (client id)
Paste the data from step 4 into the field Directory ID (tenant id)
Add client credentials
Return to Microsoft Entra and choose Add a certificate or secret in the top right
Then choose New client secret and enter a name in the field Description, for example: Demonstration
Select an expiration date in the field Expires (required field)
Please note: keep track of the selected date so the secret can be renewed before it expires.
Confirm this with the button 'Add' at the bottom
Copy the data from the field Value
Open the Zenvoices tab again and paste this data into the field Client secret and choose 'Save all' in the top right
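One way to keep track of the expiry date chosen above, as an added example that is not part of the original guide or of Zenvoices: the function reads the passwordCredentials array of the app registration and reports secrets that are expired or due for renewal. The sample data is constructed, the function names and the 30-day warning window are assumptions, and timestamps are assumed to be UTC in the 'Z' form.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the "passwordCredentials" array of an
# Entra application object; names, key ids and dates are made up.
SAMPLE_CREDENTIALS = [
    {"displayName": "Demonstration",
     "keyId": "00000000-0000-0000-0000-000000000001",
     "endDateTime": "2026-03-01T09:30:00Z"},
    {"displayName": "Old secret",
     "keyId": "00000000-0000-0000-0000-000000000002",
     "endDateTime": "2025-11-15T00:00:00.1234567Z"},
    {"displayName": "Long-lived",
     "keyId": "00000000-0000-0000-0000-000000000003",
     "endDateTime": "2027-01-10T00:00:00Z"},
]

def parse_graph_time(text):
    """Parse a UTC timestamp such as 2026-03-01T09:30:00Z, dropping fractions."""
    base = text.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)

def secrets_needing_renewal(credentials, now, warn_days=30):
    """Return (displayName, status, days_left) for expired or soon-expiring secrets."""
    findings = []
    for cred in credentials:
        expires = parse_graph_time(cred["endDateTime"])
        days_left = (expires - now).days
        if expires <= now:
            findings.append((cred.get("displayName"), "expired", days_left))
        elif expires - now <= timedelta(days=warn_days):
            findings.append((cred.get("displayName"), "renew soon", days_left))
    # Most urgent first: expired secrets have negative days_left.
    return sorted(findings, key=lambda item: item[2])

if __name__ == "__main__":
    for name, status, days in secrets_needing_renewal(
            SAMPLE_CREDENTIALS, datetime.now(timezone.utc)):
        print(f"{name}: {status} ({days} days)")
```

The array can be exported with `az ad app show --id <Application (client) ID> --query passwordCredentials`; a renewed secret must also be pasted into the field Client secret in Zenvoices.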
Create Redirect URIs
Navigate in Microsoft Entra to Applications / App registrations / button: 'View all applications in the directory'
Select the newly created application (in this example: 'Zenvoices SCIM')
Choose Overview at the top left and then Add a Redirect URI on the right
Choose Add a platform and then Web
Enter the following Redirect URL:
Confirm at the bottom with the button Configure
B. Set permissions for Microsoft Entra
The following steps allow Microsoft Entra users to log in to Zenvoices.
Navigate in Microsoft Entra to Applications / App registrations / API permissions
On this page choose Add a permission / Microsoft Graph
Choose the button Delegated permissions
Search in the field 'Select permissions' for: 'User.Read'
Expand the User dropdown and select the field 'User Read'
Choose the button 'Add permissions' at the bottom
Choose 'Grant admin consent [company name]' and choose YES
Please note: step 7 can only be performed by the Admin user. In the Status column confirmation is shown with a green check mark together with 'Granted for [company name]'.
C. Link roles
With the following steps the roles between Zenvoices and Microsoft Entra are matched.
Navigate in Microsoft Entra to Applications / App registrations / button View all applications in the directory
Select the newly created application (in this example: Zenvoices)
Choose 'App roles' in the submenu on the left and then 'Create app role' at the top
Open Zenvoices in another browser tab and navigate to Beheer / Omgeving / Rollen
Add the roles from Zenvoices in Microsoft Entra (see image). The role name from Zenvoices must exactly match the field Value in Microsoft Entra.
Select the field 'User/Groups' under Allowed member types
Select the field 'Do you want to enable this app role'
Choose 'Apply' at the bottom to assign the role mapping
Refresh the page after the last role has been assigned
Left: the roles in Zenvoices — right: the roles in Microsoft Entra
Please note:
It is possible to create groups containing roles. For example: in the field Display name 'Name of the end customer' and in the field Value the roles 'Uploader,Authorizer'.
Roles may not contain spaces. Roles are separated using a comma (the role in Zenvoices can be edited using the pencil icon).
Any text may be entered in the field Description. For example: User who uploads documents.
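The role rules above (exact match with the Zenvoices role name, no spaces, comma-separated groups, enabled, member type Users/Groups) can be checked before provisioning is started. The following is an added example, not part of the original guide or of Zenvoices: it audits app roles in the shape of the appRoles array of the app registration manifest. Both data sets are constructed and the function names are assumptions.

```python
# Constructed sample: role names as listed in Zenvoices (Beheer / Omgeving / Rollen).
ZENVOICES_ROLES = {"Uploader", "Authorizer", "Administrator"}

# Constructed sample in the shape of the "appRoles" array of an app registration manifest.
SAMPLE_APP_ROLES = [
    {"displayName": "Uploader", "value": "Uploader",
     "isEnabled": True, "allowedMemberTypes": ["User"]},
    {"displayName": "Customer A", "value": "Uploader,Authorizer",
     "isEnabled": True, "allowedMemberTypes": ["User"]},
    {"displayName": "Approver", "value": "authorizer",
     "isEnabled": True, "allowedMemberTypes": ["User"]},
    {"displayName": "Customer B", "value": "Uploader, Authorizer",
     "isEnabled": True, "allowedMemberTypes": ["User"]},
    {"displayName": "Admins", "value": "Administrator",
     "isEnabled": False, "allowedMemberTypes": ["Application"]},
]

def check_app_role(role, zenvoices_roles):
    """Return the list of problems for one app role (empty list = role is fine)."""
    problems = []
    value = role.get("value") or ""
    if any(ch.isspace() for ch in value):
        problems.append("Value contains a space")
    for name in filter(None, (part.strip() for part in value.split(","))):
        if name in zenvoices_roles:
            continue
        # A case-only difference still fails the exact match; suggest the intended role.
        near = [z for z in sorted(zenvoices_roles) if z.lower() == name.lower()]
        hint = f" (did you mean '{near[0]}'?)" if near else ""
        problems.append(f"'{name}' is not a Zenvoices role{hint}")
    if not value.strip(", "):
        problems.append("Value is empty")
    if not role.get("isEnabled"):
        problems.append("app role is not enabled")
    if "User" not in role.get("allowedMemberTypes", []):
        problems.append("Allowed member types does not include Users/Groups")
    return problems

def audit_app_roles(app_roles, zenvoices_roles):
    """Map displayName -> problems, listing only the roles that need fixing."""
    checked = ((r.get("displayName", "?"), check_app_role(r, zenvoices_roles))
               for r in app_roles)
    return {name: problems for name, problems in checked if problems}

if __name__ == "__main__":
    for name, problems in audit_app_roles(SAMPLE_APP_ROLES, ZENVOICES_ROLES).items():
        print(f"{name}: " + "; ".join(problems))
```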
Admin credentials
With the following steps Microsoft Entra is configured to send information to Zenvoices.
Navigate to Identity / Applications / Enterprise applications / choose from the list (in this example: 'Zenvoices SCIM') / Provisioning
Choose Connect your application at the Create configuration button on the right
Enter the following in the field Tenant URL:
https://app.zenvoices.com/api/scim/entra/
This URL must end with the Zenvoices environment ID. Open Zenvoices in another browser tab and navigate to Beheer / Omgeving / Instellingen / tab Microsoft Entra ID and check the field Zenvoices environment ID. The URL will then look like:
https://app.zenvoices.com/api/scim/entra/1234
Scroll in Zenvoices to SCIM Access key and choose Generate access key. Copy the key that appears (note: this is shown only once).
Paste this key into Microsoft Entra in the field Secret code.
Then choose Save at the bottom in Microsoft Entra (refresh the Zenvoices browser tab).
Adjust the data format sent to Zenvoices
Continue from the previous screen and choose Attribute mapping (Preview) in the menu on the left
Check whether Provision Microsoft Entra ID Groups is set to No (because in Zenvoices roles exist separately instead of in a group).
If it is set to Yes, click the row and change it to No
Refresh the page
When it appears as in the image below, choose Provision Microsoft Entra ID Users
Delete the following rules using the Delete button
displayName
title
name.formatted
All rules starting with: addresses
All rules starting with: phoneNumbers
All rules starting with: urn:ietf:params:scim:schemas:extension
Choose Save in the top left
Select Edit for the rule externalID
Change the Source attribute field to ObjectID and choose OK at the bottom
Choose Save in the top left
Refresh the page
Roles
Please note: follow the steps below in the specified order so you can continue without interruption (especially steps 8, 9 and 10).
Choose Add New Mapping at the bottom left to expand the list
Choose Edit attribute list for customappsso
Scroll down to add a new row and enter the following value in the next empty field: roles
Check the third checkbox (column: Multi-Value)
Choose Save in the top left
Refresh the page
Choose App again at the bottom left
Change the Mapping type field to Expression
The Expression field opens, enter the following value:
AssertiveAppRoleAssignmentsComplex([appRoleAssignments])
Change the Target attribute field to roles
Choose OK at the bottom
Choose Save in the top left
D. Assign Microsoft Entra users to the Zenvoices roles
Follow the steps below in Microsoft Entra for all users. If users have the same roles this can be done in bulk.
Navigate to Identity / Applications / Enterprise applications / select (in this example: 'Zenvoices SCIM')
Choose the button 1. Assign users and groups
Choose Add user/group at the top left
Choose None selected under Users
Select the user(s) who should receive the role that is selected in the next step
Confirm by choosing Select at the bottom
Choose None selected under Select a role
Choose the role(s) that should be assigned to the users selected in step 5
Confirm by choosing Select and then Assign
Synchronize with Zenvoices by choosing Overview at the top and then Start provisioning
Please note:
If error messages occur the page must be refreshed (this occurs because new roles are created).
If a user appears twice in the user overview with the role description Default Access, this entry can be selected and removed.
If groups have been created in Microsoft Entra they can also be selected.
Points of attention
Users are managed from Microsoft Entra; only environment settings of Zenvoices are managed in Zenvoices, such as language settings and notifications.
Administration rights are managed from Zenvoices. See this related article for more information.
When linking with existing users (matching the email address), the username is changed to the email address.
When linking with existing users in Zenvoices, Microsoft Entra becomes leading.
After activation it is only possible to log in using the button 'Microsoft Entra'.
Synchronization occurs every 40 minutes. This can also be done manually in Microsoft Entra. Navigate to Identity / Applications / Enterprise applications / choose (in this example: 'Zenvoices SCIM') / Assign users and groups / Overview / Start provisioning.
A user must be removed both in Microsoft Entra and Zenvoices. When the user is removed in Microsoft Entra, the user in Zenvoices will automatically be set to inactive.
Update: 22 December 2025
The configuration is still performed manually because Zenvoices is waiting for Microsoft to add Zenvoices SCIM to their system. To maintain security it is mandatory to add the SCIM access key from Zenvoices to Microsoft Entra. Follow the steps below:
Zenvoices:
Navigate to Beheer / Omgeving / Instellingen / tab: Microsoft Entra ID
Click the button Generate access key. Copy the key (note: it is shown only once).
Microsoft Entra:
Navigate to Identity / Applications / Enterprise applications / select (in this example: 'Zenvoices SCIM') / Provisioning
Paste the copied key from Zenvoices into the field Secret code in Microsoft Entra.
Then choose Save at the bottom in Microsoft Entra (refresh the Zenvoices browser tab).
