The current implementation of SCIM relies on a bearer token that has to be refreshed manually. For sensitive data, common advice is to refresh a bearer token every 15 minutes. For some organizations, the manual labour involved in frequently changing the bearer token is too costly. Those organizations might opt for less frequent bearer token renewal, which would add security risk. Other organizations might decide not to use SCIM and seek other solutions to sync users.
The idea is to make SCIM zero trust.
There are several measures to consider, like OAuth (for refreshing tokens) and mTLS.
Please deliver guidelines to implement zero trust.
We need a guideline on how to set up zero trust between Entra ID and ARIS.