Entra ID SCIM Setup
This guide provides the steps required to configure provisioning with Superblocks from Microsoft Entra ID (formerly Azure AD).
Features
The following provisioning features are supported when integrating with Entra ID:
- Create users in Superblocks
- Remove users in Superblocks when they do not require access anymore
- Keep user attributes synchronized between Entra and Superblocks
- Provision groups and group memberships in Superblocks
Prerequisites
The scenarios outlined in this tutorial assume that you already have the following items:
- An Entra tenant
- A user account with permission to configure provisioning (for example, Application Administrator, Cloud Application Administrator, Application Owner, or Global Administrator)
- A Superblocks organization on the Enterprise plan
- A user account in Superblocks with Admin permissions
Setup
- Sign in to the Microsoft Entra admin center
- Navigate to Identity → Applications → Enterprise applications
- Select your Superblocks SSO app or select + New application → + Create your own application
- In the app management screen, select Provisioning in the left panel
- Set the Provisioning mode to Automatic
- Configure credentials as follows:

Field | Value |
---|---|
Tenant URL | US: https://app.superblocks.com/scim/v2, EU: https://eu.superblocks.com/scim/v2 |
Secret token | Access token with Org Admin privileges |

- Test the connection and click Save
- Optionally, configure user attributes
- Turn the Provisioning Status to On
- Select the Users and groups tab and assign the users or groups you want to sync
Configure user attributes
Certain user attributes in Entra can be synced to your Superblocks users' profiles.
Supported user attributes
The Superblocks SCIM API currently supports the following attributes:
SCIM User Attribute | Superblocks User Attribute | Description |
---|---|---|
emails | Global.user.email | Email identifier used to log in to Superblocks. |
displayName | Global.user.name | The text shown in Superblocks when referring to the user. |
name.givenName | Global.user.name | First name of the user. Concatenated with name.familyName if displayName is not provided. |
name.familyName | Global.user.name | Last name of the user. Concatenated with name.givenName if displayName is not provided. |
groups | Global.user.groups | List of groups to which the user belongs. |
active | N/A | Disables the user when set to FALSE |
role | N/A | The user's organization role. Defaults to null. If not set, the default role for the organization will be used. |
Create custom role attribute
All of the supported attributes listed above except for role are supported by default in Entra ID. You can manage a user's organization role via SCIM by configuring a custom attribute in Entra. To do so:
- Go to your app's Provisioning page
- Expand the Mapping section
- Click on the User mapping
- Scroll to the bottom of the page and click Show advanced options
- Click Edit attribute list for customappsso
- Add the following new attribute to the list

Field | Value |
---|---|
Name | urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:role |
Type | String |

- Click Save
- Back on the User mapping page, click Add New Mapping
- Create a mapping with the Target mapping set to the role attribute just configured
- Click Save
Now when users are provisioned or attributes updated, their organization role in Superblocks will be set based on the role assigned in Entra.
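To check what a provisioning request carries once this mapping is in place, the following added example (not Superblocks or Microsoft code) models the attribute table above on a constructed SCIM User resource. It assumes the custom attribute arrives nested under the enterprise extension URN, as SCIM 2.0 serializes extension attributes; the sample values, the role name admin, and the helper names resolve_profile and review are hypothetical.

```python
import json

ENTERPRISE_EXT = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed sample of a SCIM 2.0 User resource carrying the custom role
# attribute; every value here (including the role name "admin") is made up.
SAMPLE_USER = json.loads("""
{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User",
              "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"],
  "userName": "ada@example.com",
  "name": {"givenName": "Ada", "familyName": "Lovelace"},
  "emails": [{"value": "ada@example.com", "type": "work", "primary": true}],
  "active": true,
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {"role": "admin"}
}
""")


def resolve_profile(user):
    """Model the attribute table: return the values each SCIM field yields."""
    emails = user.get("emails") or []
    # Assumption: prefer the entry flagged primary, else the first one.
    primary = next((e for e in emails if e.get("primary")), emails[0] if emails else {})
    name = user.get("name") or {}
    # displayName wins; otherwise givenName and familyName are concatenated.
    display = user.get("displayName") or " ".join(
        p for p in (name.get("givenName"), name.get("familyName")) if p)
    # The attribute named <extension URN>:role is nested under the URN key.
    role = (user.get(ENTERPRISE_EXT) or {}).get("role")
    return {
        "email": primary.get("value"),
        "name": display or None,
        "disabled": user.get("active") is False,
        "role": role,  # None means the organization's default role applies
    }


def review(user, expected_roles):
    """Flag payloads worth checking before assigning users to the app."""
    p = resolve_profile(user)
    findings = []
    if not p["email"]:
        findings.append("no email: user cannot log in")
    if p["role"] is None:
        findings.append("no role: organization default role will be used")
    elif p["role"] not in expected_roles:
        findings.append(f"unexpected role {p['role']!r}")
    return findings
```

Pass the set of role names your organization actually uses as expected_roles; a finding of "no role" usually means the custom attribute or its mapping was not saved.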