Azure Active Directory (Azure AD)

Reference

Setting up Azure Entra for SCIM provisioning consists of the following steps:

  • New Entra Application & SCIM Provisioning
  • Application Roles
  • SCIM Attribute Mapping Update

New Entra Application

First, create a new Azure Entra application to set up SCIM provisioning with Portkey.

  1. Navigate to the Entra Applications Page and click Create your own application.

  2. Complete the required fields to create a new application.

  3. Once the application is created, navigate to the application’s Provisioning page under the Manage section.

  4. Click New Configuration to go to the provisioning settings page.

  5. Obtain the Tenant URL and Secret Token from the Portkey Admin Settings page (if SCIM is enabled for your organization).

  6. Fill in the values from the Portkey dashboard in Entra’s provisioning settings and click Test Connection. If successful, click Create.

If the test connection returns any errors, please contact us at [email protected].


Application Roles

Portkey supported roles should match Entra’s application roles.

  1. Navigate to App Registrations under Enterprise Applications, click All Applications, and select the application created earlier.
  2. Go to the App Roles page and click Create app role.

    Portkey supports two application-level roles:

    • member (Organization Member)
    • admin (Organization Admin)
    • owner (Organization Owner)

Users assigned any other role will default to the member role.

  1. To support group roles, create a role with the value group and a name in title-case (e.g., Group for the value group).

  2. Assign users to the application with the desired role (e.g., owner, member, or admin) for the organization.


Attribute Mapping

Adding a New Attribute
  1. Go to the Provisioning page and click Attribute Mapping (Preview) to access the attributes page.

  2. Enable advanced options and click Edit attribute list for customappsso.

  3. Add a new attribute called roles with the following properties:

    • Multi-valued: Enabled
    • Type: String

Adding a new mapping
  1. Click on the Add new mapping link to add a new mapping. (refer to the above images).
  2. Follow the values from the below image to add a new mapping.

  1. Once done, save the changes.
Removing Unnecessary Attributes

Delete the following unsupported attributes:

  • preferredLanguage
  • addresses (all fields)
  • phoneNumbers

Updating Attributes

Update displayName

  1. Edit the displayName field to concatenate firstName + lastName instead of using the default displayName value from Entra records.

  2. Save the changes and enable provisioning on the Overview page of the provisioning settings.


Group (Workspace) Provisioning

Portkey supports RBAC (Role-Based Access Control) for workspaces mapped to groups in Entra. Use the following naming convention for groups:

  • Format: ws-{group}-role-{role}
    • Role: One of admin, member, or manager
  • A user should belong to only one group per {group}.

Example: For a Sales workspace:

  • ws-Sales-role-admin
  • ws-Sales-role-manager
  • ws-Sales-role-member

Users assigned to these groups will inherit the corresponding role in Portkey.


Support

If you face any issues with the group provisioning, please reach out to us at here.

Was this page helpful?