SCIM Provisioning - Microsoft Entra ID

Here's how to set up SCIM user provisioning for Tability with Microsoft Entra ID.

Single Sign On (SSO) vs. provisioning

If you're using an external directory to manage your users then there are 2 distinct capabilities to enable:

  • Setting up SSO to allow your users to log in using the credentials that you configured in your directory

  • Setting up provisioning (this guide) to be able to control the list of users and roles that have access to Tability from your directory.

Before: enable SAML SSO in Microsoft Entra ID

Complete the steps in the SAML SSO - Microsoft Entra ID guide to add a new Tability application in your Entra ID service.

Part 1: Getting your SCIM base URL and auth token from Tability

  1. Sign in to Tability with an admin account

  2. Open up the admin section and go to SSO & Provisioning

At the bottom of the page you will find the SCIM authentication token and the SCIM base URL that you will need later to configure Entra ID. Treat the token as a secret: Entra ID presents it as the bearer credential on every SCIM request, so anyone holding it can create, update and deactivate users in your workspace.

Part 2: Setting up provisioning in Entra ID

  1. Sign in to Microsoft Azure

  2. Go to Microsoft Entra ID > Enterprise Applications > <your Tability application>

  3. Click on Manage > Provisioning in the menu of your application

  4. Click on Connect your application

  5. Use the following settings to complete your connection

    1. Tenant URL: copy the SCIM base URL from Tability

    2. Secret Token: add the SCIM authentication token from Tability

  6. Click Test Connection.

  7. Once the connection is validated, click Create to complete the setup

Part 3: Provisioning configuration

Click on Manage > Provisioning to access the provisioning configuration of the Entra ID application for Tability.

Disabling groups mapping

First, disable group mapping, as Tability has no concept of groups (you can still assign users through Entra ID groups, but those groups won't be recreated inside Tability).

  1. Click on Mappings > Provision Microsoft Entra ID Groups

  2. Select No for the Enabled attribute

  3. Save to complete the change

Configure users mapping

  1. Click on Mappings > Provision Microsoft Entra ID Users

  2. Make sure that the following Attribute Mappings are configured

Application attribute   Microsoft Entra ID attribute
userName                userPrincipalName
active                  Switch([IsSoftDeleted], , "False", "True", "True", "False")
name.givenName          givenName
name.familyName         surname
externalId              objectId

  3. Click on Add New Mapping at the bottom of the table to add the userType mapping

  4. Create a new mapping with the following values

    1. Mapping type: Expression

    2. Expression: SingleAppRoleAssignment([appRoleAssignments])

    3. Default value if null: user

    4. Target attribute: userType

    5. Match objects using this attribute: No

    6. Apply this mapping: Always

Enable provisioning

At the bottom of the Provisioning settings, make sure that the Provisioning Status is set to On.

Part 4: Creating the groups and mapping the roles

App roles let you manage Tability user roles from Microsoft Entra ID.

Creating the App roles

  1. In your Microsoft Azure portal, go to Microsoft Entra ID > App registrations > <your Tability application>

  2. Click on Manage > App roles

  3. Create the following 4 app roles

Display name   Allowed member types   Value      Description
owner          Users/Groups           owner      Owner permission for Tability
admin          Users/Groups           admin      Admin permission for Tability
user           Users/Groups           user       User permission for Tability
readonly       Users/Groups           readonly   Read-only permission for Tability

Creating the groups to manage assignments

Now that you have the App roles, create one Entra ID group per role and assign each group to your Tability Enterprise Application with the matching role.

Go to Groups in your Microsoft Azure portal.

Here are the 4 groups that you need to create

  • Tability Owners: list of people that should have the owner role in the workspace (they can control all the settings, including the subscription).

  • Tability Admins: list of users with the admin role

  • Tability Users: anyone who should be a regular user of Tability

  • Tability Readonly: list of users that should have read-only access to Tability

Once your groups are created, you can assign them to the Tability application in Entra ID.

  1. Go to Microsoft Entra ID > Enterprise Applications > <your Tability application>

  2. Go to Manage > Users and groups

  3. Click on Add user/group

  4. Select the group Tability Owners

  5. Then select the role owner

  6. Repeat this process with the other groups. At the end you should have the following groups assigned with these roles:

     Tability Owners: owner
     Tability Admins: admin
     Tability Users: user
     Tability Readonly: readonly

Keep each user in only one of these groups. The userType mapping uses SingleAppRoleAssignment, which expects a single app role per user, so a user who is in two Tability groups holds two app role assignments and does not get a predictable role.
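To make the chain from Part 3 and Part 4 concrete (group membership gives an app role, the userType and active mappings turn that into SCIM attributes), here is an added example that simulates what the Entra ID provisioning service would send to the SCIM base URL for a few users. It is illustrative code, not Tability's or Microsoft's; the EntraUser fields, the sample users, their object IDs, tenant and group memberships are all constructed for the example, and the one-role-per-user check is the example's own rather than a statement of how Entra resolves the conflict.

```python
"""Added example (not Tability's or Microsoft's code): simulate what Entra ID's
provisioning service sends to the SCIM endpoint under the user mappings of
Part 3 and the app roles / groups of Part 4. The sample users, group
memberships and tenant values below are constructed for the example."""
import json
from dataclasses import dataclass, field

# App role values from Part 4, keyed by the Entra ID group assigned that role.
GROUP_TO_APP_ROLE = {
    "Tability Owners": "owner",
    "Tability Admins": "admin",
    "Tability Users": "user",
    "Tability Readonly": "readonly",
}


@dataclass
class EntraUser:
    """The Entra ID attributes the mappings read (field names are the example's own)."""
    object_id: str
    user_principal_name: str
    given_name: str
    surname: str
    is_soft_deleted: bool = False               # [IsSoftDeleted]
    groups: list = field(default_factory=list)  # group display names


def app_role_assignments(user: EntraUser) -> list:
    """[appRoleAssignments]: one assignment per Tability group the user belongs to."""
    return [GROUP_TO_APP_ROLE[g] for g in user.groups if g in GROUP_TO_APP_ROLE]


def single_app_role_assignment(assignments: list, default: str = "user") -> str:
    """Models SingleAppRoleAssignment([appRoleAssignments]) with
    'Default value if null: user'. A user holding more than one app role is
    treated as a configuration error here (the example's own choice) instead
    of guessing which role Entra would pick: the ambiguity is a privilege
    problem, so it should surface rather than silently resolve."""
    if not assignments:
        return default
    if len(assignments) > 1:
        raise ValueError(f"more than one app role assigned: {sorted(assignments)}")
    return assignments[0]


def is_active(is_soft_deleted: bool) -> bool:
    """Switch([IsSoftDeleted], , "False", "True", "True", "False"):
    IsSoftDeleted False -> active True, IsSoftDeleted True -> active False."""
    return not is_soft_deleted


def to_scim_user(user: EntraUser) -> dict:
    """Build the SCIM 2.0 User resource the Part 3 attribute mappings produce."""
    return {
        "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
        "externalId": user.object_id,                 # externalId <- objectId
        "userName": user.user_principal_name,         # userName   <- userPrincipalName
        "active": is_active(user.is_soft_deleted),    # active     <- Switch(...)
        "name": {                                     # name.*     <- givenName / surname
            "givenName": user.given_name,
            "familyName": user.surname,
        },
        "userType": single_app_role_assignment(app_role_assignments(user)),
    }


def provision(users: list) -> tuple:
    """Return (scim_payloads, errors); errors hold (userPrincipalName, reason)."""
    payloads, errors = [], []
    for user in users:
        try:
            payloads.append(to_scim_user(user))
        except ValueError as exc:
            errors.append((user.user_principal_name, str(exc)))
    return payloads, errors


# Constructed sample directory: the tenant, names and object IDs are made up.
SAMPLE_USERS = [
    EntraUser("11111111-1111-1111-1111-111111111111", "alice@example.com",
              "Alice", "Adams", groups=["Tability Owners", "Finance"]),
    EntraUser("22222222-2222-2222-2222-222222222222", "carol@example.com",
              "Carol", "Chen", is_soft_deleted=True, groups=["Tability Readonly"]),
    EntraUser("33333333-3333-3333-3333-333333333333", "dave@example.com",
              "Dave", "Diaz", groups=["Tability Admins", "Tability Readonly"]),
]

if __name__ == "__main__":
    payloads, errors = provision(SAMPLE_USERS)
    print(json.dumps(payloads, indent=2))   # what Entra would send to the SCIM base URL
    for upn, reason in errors:
        print(f"NOT PROVISIONED {upn}: {reason}")
```

Running it prints two SCIM User resources: alice arrives as an active owner, and carol, who is soft-deleted in Entra ID, arrives with active set to false and the readonly role, which is how a deletion in the directory becomes a deactivation in Tability. dave is in two Tability groups and is reported instead of provisioned; that is the situation the note above the example warns about, and the thing to check whenever a user's role in Tability is not what you expected.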

Part 5: Assigning users

That's it! You can now add users to the different Tability groups and they will be added to Tability with the right set of permissions.
