Microsoft Entra ID SSO/SCIM email mismatch (original) (raw)
Claude uses email as the primary identifier to match SSO logins to provisioned seats. In Microsoft Entra ID, SCIM provisioning and SSO authentication are configured in separate places and can pull email from different user attributes—causing a mismatch that blocks access. This guide walks through how to identify the problem, fix the attribute mapping, and clean up any side effects.
Symptoms
People may experience one or more of the following when attempting to access your organization via SSO:
How this happens
Microsoft Entra ID user accounts have multiple email-like attributes that can hold different values. SCIM provisioning and SSO authentication are configured in separate admin areas and each can pull from a different attribute:
The mismatch occurs when SCIM pulls email from one attribute while SSO sends the email from another. Even a subtle difference blocks access—Claude requires an exact string match.
Common confusion: Entra has two separate admin areas. The SCIM provisioning app lives under Enterprise applications (Microsoft's term for integrated apps—unrelated to your Claude plan). The SSO/OIDC app lives under App registrations. IT admins frequently navigate to the wrong location.
Diagnostic steps
Step 1 — Confirm the mismatch
Step 2 — Identify the scope
Step 3 — Check the OIDC token claims (OIDC apps only)
Resolution
Fix the SCIM attribute mapping
Navigate to the SCIM provisioning app — not the SSO/OIDC app:
Trigger a full provisioning sync
Full sync required — incremental won't work. You must trigger a full restart of the provisioning cycle.
Post-fix cleanup
After correcting the attribute mapping and completing the full sync:
Verification
Common issues
When to contact Support
Contact our Support team with your organization's domain, the affected person's email, and attribute mapping screenshots when:
Related Articles
Google Workspace SSO/SCIM email mismatchOkta SSO/SCIM email mismatchOneLogin SSO/SCIM email mismatchPing Identity SSO/SCIM email mismatchMicrosoft Entra ID SSO setup