SCIM provisioning with Entra ID
Configure Microsoft Entra ID (formerly Azure AD) to push your tenant's groups to Platform over SCIM 2.0. Once provisioning is enabled, the groups you assign to your Seqera Enterprise application appear in Platform's IdP group catalog and stay in sync with renames, additions, and deletions automatically.
You will need the following to get started:
- An Entra ID enterprise application configured as your Platform SSO connection. See Entra ID authentication.
- Organization owner access to your Platform organization.
- Administrator access to your Entra ID tenant with permission to manage application provisioning.
Get the Platform SCIM connection details
- In Platform, open Organization settings > Group mapping.
- Copy the SCIM endpoint URL. It has the form https://<seqera-host>/orgs/<orgId>/scim/v2.
- Select Generate token to issue a SCIM bearer token. Copy your bearer token immediately. You can't view it again after closing the dialog.
The bearer token grants write access to your group catalog. Store it in a secrets manager and rotate it on a schedule. To rotate, generate a new token in Seqera and update Entra ID's configuration. The previous token is revoked when the new token is issued.
Enable provisioning in Entra ID
- Sign in to the Azure portal and open Entra ID, then Enterprise applications.
- Select the application that fronts your Platform SSO connection.
- Open Provisioning and select Get started.
- Set Provisioning Mode to Automatic.
- Under Admin Credentials, provide:
- Tenant URL: The Platform SCIM endpoint URL from the previous section.
- Secret Token: The Platform bearer token from the previous section.
- Select Test Connection. Entra ID should report success.
- Select Save.
Scope and start provisioning
- With Provisioning still open, expand Settings.
- Set Scope to Sync only assigned users and groups.
- Save, then set Provisioning Status to On.
- Return to the application's Users and groups tab and assign the groups you want Platform to receive.
Entra ID runs an initial cycle within minutes and then syncs incrementally every ~40 minutes.
Group display names vs. object IDs
By default, Entra ID emits group object GUIDs in the groups claim, not display names. There are two options:
- Recommended: Configure Entra ID to emit display names. In the application's Token configuration, add a groups claim and select sAMAccountName as the source where supported, or use a custom claims policy. This makes catalog entries and audit logs human-readable.
- Alternative: Accept the default GUID emission. Use the GUID as the IdP Group value on each team. This works but makes the catalog harder to read.
Pick one approach for your tenant and use it consistently. The GUID and the display name don't both flow at the same time.
Verify in Platform
- In Platform, open Organization settings > Group mapping.
- Select Refresh. The assigned Entra ID groups should appear in the catalog list after the first provisioning cycle.
- The Linked team drop-down menu is now populated with the synced groups.
If groups don't appear, open the Provisioning logs for the application in Entra ID and review any failed actions.
Group rename and delete behavior
Renames and deletes propagate automatically through SCIM:
- Rename: The next provisioning cycle updates the catalog row's display name. Delegated teams that reference the group continue to work without interruption.
- Delete: Entra ID issues a SCIM DELETE for the group, or removes the assignment from the enterprise application. Seqera removes the catalog row and synchronously purges members from any delegated team that referenced it. The affected teams remain in place with empty membership and an orphaned-team warning.
Troubleshooting
Groups appear in Entra ID but not in Platform
Confirm the bearer token configured in Entra ID matches the latest token that was issued. If you generated a new token after configuring Entra ID, the previous token is revoked.
Provisioning logs show 401 Unauthorized
The bearer token is invalid or expired. Generate a new token in Platform and replace it in Entra ID.
The catalog shows GUID-style identifiers instead of group names
Entra ID is emitting object IDs rather than display names. See Group display names vs. object IDs above for the two options.
409 Conflict on a specific group
A group with the same display name already exists in another organization on the same Enterprise instance. See Multi-organization routing for the cross-organization uniqueness rule and conflict resolution.
A group is assigned to the application but doesn't sync
Confirm the provisioning scope is set to Sync only assigned users and groups and that the group is actually listed under Users and groups, not just nested in another assigned group.
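The following is an added example, not part of the Seqera documentation or product code: it performs the same bearer-token check against the SCIM endpoint that Entra ID's Test Connection does, then applies the troubleshooting rules from this page to the result. The host and organization id are placeholders, and the response shape assumed is the standard SCIM 2.0 ListResponse for GET /Groups.

```python
"""Check a Platform SCIM endpoint with a bearer token and diagnose the outcome."""
import json
import os
import re
import urllib.error
import urllib.request

# Placeholders: substitute your Seqera host and organization id.
SCIM_BASE = "https://<seqera-host>/orgs/<orgId>/scim/v2"
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample ListResponse, used when no token is available (offline run).
SAMPLE_RESPONSE = {"Resources": [
    {"id": "1", "displayName": "Data Engineering"},
    {"id": "2", "displayName": "3f2504e0-4f89-11d3-9a0c-0305e82c3301"},
]}


def diagnose(status: int, body: dict) -> dict:
    """Map an HTTP status plus SCIM body to the next action (pure function, no network)."""
    empty = {"ok": False, "groups": [], "guid_named": []}
    if status == 401:
        return {**empty, "action": "401: token invalid or revoked; generate a new "
                "token in Platform and update Secret Token in Entra ID"}
    if status != 200:
        return {**empty, "action": f"HTTP {status}: review the Entra ID provisioning logs"}
    groups = [(g.get("id"), g.get("displayName", "")) for g in body.get("Resources", [])]
    # Display names that are bare object IDs mean Entra ID is emitting GUIDs,
    # not display names (see 'Group display names vs. object IDs').
    guid_named = [name for _, name in groups if GUID_RE.match(name)]
    action = ("OK" if not guid_named else
              "Catalog contains GUID-style names; configure Entra ID to emit display names")
    return {"ok": True, "action": action, "groups": groups, "guid_named": guid_named}


def check_scim_groups(base_url: str, token: str) -> dict:
    """GET {base}/Groups with the bearer token and diagnose the result."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/Groups?startIndex=1&count=100",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/scim+json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return diagnose(resp.status, json.load(resp))
    except urllib.error.HTTPError as err:
        return diagnose(err.code, {})


if __name__ == "__main__":
    # Read the token from the environment rather than pasting it on a command line.
    token = os.environ.get("SEQERA_SCIM_TOKEN")
    print(check_scim_groups(SCIM_BASE, token) if token else diagnose(200, SAMPLE_RESPONSE))
```

Set SEQERA_SCIM_TOKEN to the token issued under Group mapping to run the live check; without it the script diagnoses the constructed sample, which flags the GUID-named group.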