# SCIM Provisioning - Microsoft Entra ID

Here's how you can set up user provisioning with SCIM with Microsoft Entra ID.

## Single Sign On (SSO) vs. provisioning

If you're using an external directory to manage your users then there are 2 distinct capabilities to enable:

* Setting up SSO to allow your users to log in using the credentials that you configured in your directory
* Setting up provisioning (this guide) to be able to control the list of users and roles that have access to Tability from your directory.

## Before: enable SAML SSO in Microsoft Entra ID

Complete the steps in the [SAML SSO - Microsoft Entra ID](/docs/become-a-tability-power-user/features/security-and-admin/saml-sso-microsoft-entra-id.md) guide to add a new Tability application in your Entra ID service.

## Part 1: Getting your SCIM base URL and auth token from Tability

1. Sign in to Tability with an admin account
2. Open up the admin section and go to **SSO & Provisioning**

At the bottom of the page you will find the **SCIM authentication token** and the **SCIM base URL** that you will need later to configure Entra ID.

<figure><img src="/files/ERnIrXnYoIotJRWoelzZ" alt=""><figcaption></figcaption></figure>

## Part 2: Setting up provisioning in Entra ID

1. Sign in to Microsoft Azure
2. Go to **Microsoft Entra ID** > **Enterprise Applications** > **\<your Tability application>**
3. Click on **Manage** > **Provisioning** in the menu of your application

   <figure><img src="/files/9dinYfDOncAEJKLNPfU0" alt="" width="563"><figcaption></figcaption></figure>
4. Click on **Connect your application**
5. Use the following settings to complete your connection
   1. **Tenant URL:** copy the SCIM base URL from Tability
   2. **Secret Token:** add the SCIM authentication token from Tability
6. Click **Test Connection**.

   <figure><img src="/files/kJt0WuM1Drktm2S0Urtz" alt="" width="563"><figcaption></figcaption></figure>
7. Once the connection is validated click **Create** to complete the setup

## Part 3: Provisioning configuration

Click on **Manage > Provisioning** to access the provisioning configuration of the Entra ID application for Tability.

<figure><img src="/files/eU1lekmz8Y76oge6ptiE" alt="" width="563"><figcaption></figcaption></figure>

### Configure users mapping

1. Click on **Mappings > Provision Microsoft Entra ID Users**
2. Make sure that the following Attribute Mappings are configured

| Application attribute | Microsoft Entra ID attribute                                 |
| --------------------- | ------------------------------------------------------------ |
| userName              | userPrincipalName                                            |
| active                | Switch(\[IsSoftDeleted], , "False", "True", "True", "False") |
| name.givenName        | givenName                                                    |
| name.familyName       | surname                                                      |
| externalId            | objectId                                                     |
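
To show what the `active` row does, the added example below (not Tability's or Microsoft's code) applies the mappings from the table to two constructed directory entries. `switch` and `to_scim_user` are hypothetical helper names, and both the required-attribute check and the conversion of `active` to a JSON boolean are assumptions based on the SCIM core User schema.

```python
import json

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

def switch(source, default, *pairs):
    """Entra ID Switch(source, default, key1, value1, ...): return the value
    paired with the key that equals source, otherwise the default."""
    for key, value in zip(pairs[0::2], pairs[1::2]):
        if source == key:
            return value
    return default

def to_scim_user(entra_user):
    """Apply the attribute mappings from the table to one Entra ID user."""
    # Assumption: the identifying attributes must be present before syncing.
    missing = [a for a in ("userPrincipalName", "objectId") if not entra_user.get(a)]
    if missing:
        raise ValueError(f"missing source attributes: {missing}")
    # The mapping compares IsSoftDeleted as the strings "True" / "False".
    soft_deleted = str(bool(entra_user.get("IsSoftDeleted", False)))
    active = switch(soft_deleted, "", "False", "True", "True", "False")
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": entra_user["userPrincipalName"],
        "externalId": entra_user["objectId"],
        "name": {
            "givenName": entra_user.get("givenName", ""),
            "familyName": entra_user.get("surname", ""),
        },
        # Assumption: sent as a JSON boolean, as the SCIM core schema defines it.
        "active": active == "True",
    }

# Constructed sample directory entries (not real accounts).
ALICE = {"userPrincipalName": "alice@example.com",
         "objectId": "00000000-0000-0000-0000-000000000001",
         "givenName": "Alice", "surname": "Ng", "IsSoftDeleted": False}
BOB = dict(ALICE, userPrincipalName="bob@example.com",
           objectId="00000000-0000-0000-0000-000000000002",
           givenName="Bob", IsSoftDeleted=True)

if __name__ == "__main__":
    for user in (ALICE, BOB):
        print(json.dumps(to_scim_user(user), indent=2))
```

A user that is soft-deleted in the directory maps to `active: false`, so checking this row is part of confirming that offboarding in Entra ID is reflected in what provisioning sends.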

### Enable provisioning

At the bottom of the Provisioning settings, make sure that the **Provisioning Status** is set to **On**.

## Part 4: Creating the groups

Tability uses virtual named groups to automatically map user roles to the group they belong to.

### Creating the groups to manage assignments

Create the corresponding groups in your Tability Enterprise Application.

Go to **Groups** in your Microsoft Azure portal.

Here are the 5 groups that you need to create:

* **Tability Owners:** list of people that should have the owner role in the workspace (they can control all the settings, including the subscription).
* **Tability Admins:** list of users with the admin role
* **Tability IT Admins:** list of users with the IT admin role
* **Tability Users:** anyone who should be a regular user of Tability
* **Tability Readonly:** list of users that should have read-only access to Tability

Once your groups are created, you can assign them to the Tability application in Entra ID.

1. Go to **Microsoft Entra ID > Enterprise Applications > \<your Tability application> > Provisioning**
2. Go to **Manage > Users and groups**

![](/files/a34RdPGqcsSLg2uKzE01)

3. Click on **Add user/group**
4. Select the group `Tability Owners`
5. Repeat this process with the other groups. At the end you should have the following mapping with the roles assigned.

<figure><img src="/files/urIPluWLpVYI6NW5INCE" alt=""><figcaption></figcaption></figure>

## Part 5: Assigning users

That's it! You can now add users to the different Tability groups and they will be added to Tability with the right set of permissions.

<figure><img src="/files/UcDwRsSzF7yMFJp56t8g" alt=""><figcaption></figcaption></figure>

{% hint style="danger" %}
Please note that Entra ID provisioning is performed every 40 minutes, so you might have to wait a bit before the first set of users is synced.
{% endhint %}


