Why is using an OAuth bearer token issued from Microsoft Entra ID not recommended?

  softwareengineering

According to this:

If the SCIM endpoint requires an OAuth bearer token from an issuer other than Microsoft Entra ID, then copy the required OAuth bearer token into the optional Secret Token field. If this field is left blank, Microsoft Entra ID includes an OAuth bearer token issued from Microsoft Entra ID with each request. Apps that use Microsoft Entra ID as an identity provider can validate this Microsoft Entra ID-issued token.

It’s not recommended to leave this field blank and rely on a token generated by Microsoft Entra ID. This option is primarily available for testing purposes.

Why is it not recommended? Validating a token generated by Microsoft is a lot easier and less error-prone than having to generate and validate one myself. And I can just use the JWT's issuer to identify where the tenant is coming from, I think.


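As an added worked example (not part of the question and not Microsoft's code), the following shows what the two options in the quoted documentation look like from the SCIM endpoint's side: comparing a configured Secret Token on every request, versus validating an identity-provider-issued bearer JWT before trusting any of its claims, including the issuer the question proposes to use for tenant identification. Everything here is constructed: the tenant GUID, the audience `api://scim-demo`, the demo key, and the token claims. To run offline with the standard library only, the JWT path signs and verifies with HS256 and a shared key; a real Entra ID token is RS256-signed and its public key comes from the issuer's JWKS endpoint, but the issuer, audience and validity checks are the same either way.

```python
"""Two ways a SCIM endpoint can authenticate a provisioning request.

Added example, not code from the question or from Microsoft.
Option 1: a static Secret Token compared on every request.
Option 2: an IdP-issued bearer JWT that must be fully validated first.

Assumption: HS256 with a shared demo key stands in for the RS256 + JWKS
verification a real Entra ID token needs; the claim checks are identical.
"""
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- Option 1: static Secret Token -------------------------------------------

def check_secret_token(authorization_header: str, expected_token: str) -> bool:
    """Accept 'Authorization: Bearer <token>' only if <token> matches exactly.
    compare_digest keeps the comparison constant-time."""
    scheme, _, presented = authorization_header.partition(" ")
    if scheme != "Bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected_token.encode())


# --- Option 2: IdP-issued JWT ------------------------------------------------

@dataclass
class JwtPolicy:
    allowed_issuers: frozenset   # tenants permitted to provision into this app
    audience: str                # identifier of *this* SCIM application
    signing_key: bytes           # demo only: HS256 key in place of a JWKS lookup
    clock_skew_s: int = 60


def mint_demo_jwt(claims: dict, key: bytes) -> str:
    """Constructed HS256 token for the demo (Entra would sign with RS256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def validate_jwt(token: str, policy: JwtPolicy, now: Optional[float] = None) -> dict:
    """Return the verified claims or raise ValueError naming the failed check.
    The signature is verified before any claim is read, so the issuer can only
    be used to identify the tenant *after* it has been authenticated."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Never let the token pick the algorithm (e.g. "none").
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(policy.signing_key, f"{header_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")

    claims = json.loads(b64url_decode(body_b64))
    if claims.get("iss") not in policy.allowed_issuers:
        raise ValueError(f"issuer {claims.get('iss')!r} not allowed")
    aud = claims.get("aud")
    if policy.audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this application")
    if now > claims.get("exp", 0) + policy.clock_skew_s:
        raise ValueError("token expired")
    if now < claims.get("nbf", 0) - policy.clock_skew_s:
        raise ValueError("token not yet valid")
    return claims


def authenticate_scim_request(authorization_header: str, secret_token: Optional[str],
                              policy: JwtPolicy, now: Optional[float] = None) -> dict:
    """Mirror the documented behaviour: a configured Secret Token is required when
    present; otherwise the IdP-issued bearer JWT is validated instead."""
    if secret_token:
        if not check_secret_token(authorization_header, secret_token):
            raise ValueError("secret token mismatch")
        return {"mode": "secret_token"}
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token:
        raise ValueError("missing bearer token")
    claims = validate_jwt(token, policy, now)
    # Only now is it safe to derive the tenant from the issuer claim.
    return {"mode": "jwt", "tenant_issuer": claims["iss"]}


if __name__ == "__main__":
    # Constructed demo values; the issuer is shaped like an Entra v2.0 issuer URL.
    KEY = b"demo-shared-key"
    TENANT = "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0"
    policy = JwtPolicy(frozenset({TENANT}), "api://scim-demo", KEY)
    tok = mint_demo_jwt({"iss": TENANT, "aud": "api://scim-demo",
                         "nbf": 1_700_000_000, "exp": 1_700_000_300}, KEY)
    print(authenticate_scim_request("Bearer " + tok, None, policy, now=1_700_000_100))
    print(authenticate_scim_request("Bearer s3cret", "s3cret", policy))
```

Note the ordering inside `validate_jwt`: issuer, audience and lifetime are only consulted after the signature check passes, and the audience check is what stops a token legitimately issued to some other application (or to you by another tenant's provisioning job) from being accepted here. The Secret Token path has none of that machinery, which is the trade-off the question is about.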