Azure Active Directory (Azure AD)

Reference Setting up Azure Entra for SCIM provisioning consists of the following steps:
  • New Entra Application & SCIM Provisioning
  • Application Roles
  • SCIM Attribute Mapping Update
New Entra Application
First, create a new Azure Entra application to set up SCIM provisioning with Portkey.
  1. Navigate to the Entra Applications Page and click Create your own application. Application Creation
  2. Complete the required fields to create a new application.
  3. Once the application is created, navigate to the application’s Provisioning page under the Manage section.
  4. Click New Configuration to go to the provisioning settings page. Provisioning Settings
  5. Obtain the Tenant URL and Secret Token from the Portkey Admin Settings page (if SCIM is enabled for your organization). Portkey Admin Settings
  6. Fill in the values from the Portkey dashboard in Entra’s provisioning settings and click Test Connection. If successful, click Create.
If the test connection returns any errors, please contact us at [email protected].
Application Roles
Portkey supported roles should match Entra’s application roles.
  1. Navigate to App Registrations under Enterprise Applications, click All Applications, and select the application created earlier.
  2. Go to the App Roles page and click Create app role.
    Portkey supports two application-level roles:
    • member (Organization Member)
    • admin (Organization Admin)
    • owner (Organization Owner)
App Roles
Users assigned any other role will default to the member role.
  1. To support group roles, create a role with the value group and a name in title-case (e.g., Group for the value group). Creating App Roles
  2. Assign users to the application with the desired role (e.g., owner, member, or admin) for the organization. Assigning Roles

Attribute Mapping

Adding a New Attribute
  1. Go to the Provisioning page and click Attribute Mapping (Preview) to access the attributes page.
  2. Enable advanced options and click Edit attribute list for customappsso. Edit Attribute List
  3. Add a new attribute called roles with the following properties:
    • Multi-valued: Enabled
    • Type: String
    Roles Attribute Properties
Adding a new mapping
  1. Click on the Add new mapping link to add a new mapping. (refer to the above images).
  2. Follow the values from the below image to add a new mapping.
New Mapping Attributes
  1. Once done, save the changes.
Removing Unnecessary Attributes
Delete the following unsupported attributes:
  • preferredLanguage
  • addresses (all fields)
  • phoneNumbers

Updating Attributes

Update displayName
  1. Edit the displayName field to concatenate firstName + lastName instead of using the default displayName value from Entra records. Update displayName Expression
  2. Save the changes and enable provisioning on the Overview page of the provisioning settings.
Group (Workspace) Provisioning
Portkey supports RBAC (Role-Based Access Control) for workspaces mapped to groups in Entra. Use the following naming convention for groups:
  • Format: ws-{group}-role-{role}
    • Role: One of admin, member, or manager
  • A user should belong to only one group per {group}.
Example: For a Sales workspace:
  • ws-Sales-role-admin
  • ws-Sales-role-manager
  • ws-Sales-role-member
Users assigned to these groups will inherit the corresponding role in Portkey. Entra Group Role Mapping

Support

If you face any issues with the group provisioning, please reach out to us at here.