SCIM Provisioning - Microsoft Entra ID
Here's how you can set up SCIM user provisioning with Microsoft Entra ID.
Single Sign On (SSO) vs. provisioning
If you're using an external directory to manage your users then there are 2 distinct capabilities to enable:
Setting up SSO to allow your users to log in using the credentials that you configured in your directory
Setting up provisioning (this guide) to be able to control the list of users and roles that have access to Tability from your directory.
Before: enable SAML SSO in Microsoft Entra ID
Complete the steps in the SAML SSO - Microsoft Entra ID guide to add a new Tability application in your Entra ID service.
Part 1: Getting your SCIM base URL and auth token from Tability
Sign in to Tability with an admin account
Open up the admin section and go to SSO & Provisioning
At the bottom of the page you will find the SCIM authentication token and the SCIM base URL that you will need later to configure provisioning in Entra ID.

Part 2: Setting up provisioning in Entra ID
Sign in to Microsoft Azure
Go to Microsoft Entra ID > Enterprise Applications > <your Tability application>
Click on Manage > Provisioning in the menu of your application

Click on Connect your application
Use the following settings to complete your connection
Tenant URL: copy the SCIM base URL from Tability
Secret Token: add the SCIM authentication token from Tability
Click Test Connection.

Once the connection is validated click Create to complete the setup
Part 3: Provisioning configuration
Click on Manage > Provisioning to access the provisioning configuration of the Entra ID application for Tability.

Configure users mapping
Click on Mappings > Provision Microsoft Entra ID Users
Make sure that the following Attribute Mappings are configured (Tability SCIM attribute: Microsoft Entra ID attribute)
userName: userPrincipalName
active: Switch([IsSoftDeleted], , "False", "True", "True", "False")
name.givenName: givenName
name.familyName: surname
externalId: objectId
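The effect of the attribute mappings above, and in particular how the Switch expression turns a soft-deleted directory account into an inactive SCIM user, as an added example that is not part of the original guide or Tability's code. The user records are constructed, and the helper names switch, to_scim_user and mapping_problems are hypothetical.

```python
# Added example: emulates this guide's attribute mappings on constructed data.
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

def switch(source, default, *pairs):
    """Emulate Switch(source, default, key1, value1, key2, value2, ...)."""
    table = dict(zip(pairs[0::2], pairs[1::2]))
    return table.get(str(source), default)

def to_scim_user(entra_user):
    """Resolve the guide's mappings into a SCIM 2.0 User resource."""
    active = switch(entra_user.get("IsSoftDeleted"), "",
                    "False", "True", "True", "False")
    return {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": entra_user.get("userPrincipalName"),
        # The SCIM core schema defines 'active' as a boolean.
        "active": active == "True",
        "name": {
            "givenName": entra_user.get("givenName"),
            "familyName": entra_user.get("surname"),
        },
        "externalId": entra_user.get("objectId"),
    }

def mapping_problems(entra_user):
    """Return reasons a record would provision incorrectly (empty = OK)."""
    problems = []
    for required in ("userPrincipalName", "objectId"):
        if not entra_user.get(required):
            problems.append(f"missing {required}")
    if str(entra_user.get("IsSoftDeleted")) not in ("True", "False"):
        problems.append("IsSoftDeleted is not True/False: 'active' gets the empty default")
    return problems

# Constructed sample directory records (not real accounts).
ALICE = {"userPrincipalName": "alice@example.com", "givenName": "Alice",
         "surname": "Ng", "IsSoftDeleted": False,
         "objectId": "00000000-0000-0000-0000-000000000001"}
BOB = {"userPrincipalName": "bob@example.com", "givenName": "Bob",
       "surname": "Diaz", "IsSoftDeleted": "True",
       "objectId": "00000000-0000-0000-0000-000000000002"}

if __name__ == "__main__":
    for user in (ALICE, BOB):
        print(mapping_problems(user), to_scim_user(user))
```
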
Enable provisioning
At the bottom of the Provisioning settings, make sure that the Provisioning Status is set to On.
Part 4: Creating the groups
Tability uses virtual named groups to automatically map user roles to the group they belong to.
Creating the groups to manage assignments
Create the corresponding groups in your Tability Enterprise Application.
Go to Groups in your Microsoft Azure portal.
Here are the 4 groups that you need to create
Tability Owners: list of people that should have the owner role in the workspace (they can control all the settings, including the subscription).
Tability Admins: list of users with the admin role
Tability Users: anyone who should be a regular user of Tability
Tability Readonly: list of users that should have read-only access to Tability
Once your groups are created, you can assign them to the Tability application in Entra ID.
Go to Microsoft Entra ID > Enterprise Applications > <your Tability application> > Provisioning
Go to Manage > Users and groups

Click on Add user/group
Select the group
Tability Owners
Repeat this process with the other groups. At the end you should have the following mapping with the roles assigned.

Part 5: Assigning users
That's it! You can now add users to the different Tability groups and they will be added to Tability with the right set of permissions.

Please note that Entra ID provisioning is performed every 40 minutes, so you might have to wait a bit before the first set of users is synced.