Azure Entra ID

This guide will walk you through setting up automatic user provisioning between Azure Entra ID (formerly Azure Active Directory) and stacksync.

Overview

By the end of this guide, you will have:

  • ✅ SAML-based Single Sign-On configured

  • ✅ Automatic user provisioning via SCIM

  • ✅ Role-based access control

  • ✅ Users automatically created/updated/deactivated in stacksync

Estimated time: 30-45 minutes


Prerequisites

Before you begin, ensure you have:


Part 1: Create Enterprise Application in Azure

Step 1.1: Navigate to Enterprise Applications

  1. Sign in to the Azure Portal: https://portal.azure.com

  2. In the search bar at the top, type "Microsoft Entra ID" and select it

  3. In the left sidebar, click Enterprise applications

Step 1.2: Create New Application

  1. Click + New application (top left)

  2. Click + Create your own application

  3. Enter the application name: stacksync-example

  4. Select: "Integrate any other application you don't find in the gallery (Non-gallery)"

  5. Click Create

Wait a few seconds for Azure to create the application.


Part 2: Configure SAML Single Sign-On

Step 2.1: Start SAML Setup

  1. In your stacksync-example enterprise application, click Single sign-on in the left sidebar

  2. Click the SAML tile

Step 2.2: Download Azure Metadata

Before configuring anything, download your Azure metadata file:

  1. Scroll down to section "3. SAML Certificates"

  2. Under "Token signing certificate", click Edit (pencil icon on the right)

  3. Click the three dots menu (...) next to the Active certificate

  4. Select "Download federated certificate XML" from the dropdown menu

  5. Save the file (e.g., AzureMetadata.xml)

Step 2.3: Send Metadata to stacksync Support

📧 Email the following to stacksync support ([email protected]):

Subject: Azure SCIM Setup - [Your Company Name]

Include:

  • The Federation Metadata XML file you just downloaded

  • Your company email domain (e.g., acme.com)

  • Requested access: SCIM for stacksync workspace

stacksync support will respond with:

  • Entity ID

  • Reply URL (ACS URL)

⏱️ Wait for stacksync support to respond before continuing.


Step 2.4: Configure Basic SAML Settings (After Receiving stacksync Info)

Once you receive the configuration details from stacksync support:

  1. Go back to your Azure SAML setup page

  2. Click Edit on section "1. Basic SAML Configuration"

  3. Fill in the values provided by stacksync support:

Identifier (Entity ID):

urn:auth0:stacksync:azure-yourcompany

(Use the exact value from stacksync support)

Reply URL (Assertion Consumer Service URL):

https://auth.stacksync.com/login/callback?connection=stacksync-example

(Use the exact value from stacksync support)

Sign on URL (optional):

https://stacksync.com/login

  4. Click Save

  5. Close the panel by clicking X


Part 4: Set Up Automatic User Provisioning (SCIM)

Step 4.1: Generate an API token for your workspace

  1. In your stacksync workspace settings, scroll down to "Stacksync Workspace API Key"

  2. Create an API key for SCIM use.

Step 4.2: Enable Automatic Provisioning

  1. In your stacksync enterprise application, click Provisioning in the left sidebar

  2. Click + New configuration button (at the top)

  3. On the "New provisioning configuration" page:

    • Select authentication method: Bearer authentication (default)

    • Tenant URL: Paste the URL provided by stacksync support

      https://api.stacksync.com/v1/workspaces/[your-workspace-id]/scim/v2

    • Secret Token: Paste the token that you generated in your workspace

  4. Click Test connection

    • You should see: ✅ "Connection test for 'stacksync-example' was successful"

  5. Click Create (bottom left)


Part 5: Create App Roles for stacksync

App Roles define which permission level users have in stacksync (viewer or editor).

Step 5.1: Navigate to App Registrations

  1. In the Azure Portal search bar, type: "App registrations"

  2. Click App registrations

  3. Click the "View all applications in directory" button

  4. Find and click stacksync-example

Step 5.2: Create "viewer" Role

  1. In the left sidebar, click App roles

  2. Click + Create app role

Fill in:

  • Display name: viewer

  • Allowed member types: Users/Groups

  • Value: viewer

  • Description: Viewer with read-only access

  • Do you want to enable this app role? ✅ Checked

  3. Click Apply

Step 5.3: Create "editor" Role

  1. Click + Create app role again

Fill in:

  • Display name: editor

  • Allowed member types: Users/Groups

  • Value: editor

  • Description: Editor with standard access

  • Do you want to enable this app role? ✅ Checked

  2. Click Apply


Part 6: Configure Attribute Mappings

Step 6.1: Access Attribute Mappings

  1. Go back to Enterprise applications → stacksync-example

  2. Click Provisioning in the left sidebar

  3. Under Attribute Mappings, click Provision Microsoft Entra ID Users

Step 6.2: Add Roles Mapping

  1. Scroll to the bottom and click Add New Mapping

Fill in:

  • Mapping type: Expression

  • Expression:

    SingleAppRoleAssignment([appRoleAssignments])

  • Target attribute: roles[primary eq "True"].value

  • Default value if null: viewer

  • Apply this mapping: Always

  • Match objects using this attribute: No

  2. Click OK

  3. Click Save at the top


Part 7: Start Provisioning

Step 7.1: Enable Provisioning

  1. Go back to the main Provisioning page (Preview)

  2. Click Start provisioning

Azure will now start provisioning users. The initial sync takes 5-10 minutes.


Part 8: Assign Roles to Users

Step 8.1: Assign a Role to a User

  1. Go to Users and groups in the left sidebar

  2. Click + Add user/group

  3. Under Users, click None Selected

  4. Select a user

  5. Click Select

  6. Under Select a role, click None Selected

  7. Choose either viewer or editor

  8. Click Select

  9. Click Assign

Repeat this for each user, assigning them the appropriate role.


Part 9: Test the Setup

Step 9.1: Test Provisioning

  1. Go to Provisioning → Provision on demand (if available)

  2. Select a test user (you'll need to search for the user)

  3. Click Provision

  4. Verify the user is successfully created in your stacksync workspace


Troubleshooting

Users Not Provisioning

Check:

  • Provisioning Status is On

  • Users are assigned to the stacksync application

  • Users have a role assigned (viewer or editor)

  • User has email property

  • Wait 10-40 minutes for initial sync

View logs:

  • Go to Provisioning → View provisioning logs

Wrong Role Assigned

Check:

  • Role is assigned correctly in Users and groups

  • Roles attribute mapping includes default value viewer

  • App roles display names are lowercase: viewer, editor (not Viewer, Editor)
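
The roles mapping from Step 6.2 and the "Wrong Role Assigned" checks above, as an added example (not stacksync or Microsoft code): it inspects SCIM User payloads of the shape that mapping targets and flags a missing primary role or a value that is not exactly viewer or editor. The payloads are constructed, the function names are hypothetical, and treating only the exact lowercase values as valid is an assumption about the receiving side.

```python
ALLOWED_ROLES = {"viewer", "editor"}  # the two app role values created in Part 5


def _is_primary(entry):
    # Handles both the string "True" targeted by the mapping and a JSON boolean.
    p = entry.get("primary")
    return p is True or (isinstance(p, str) and p.lower() == "true")


def check_role(scim_user):
    """Return (role or None, findings) for one SCIM User resource."""
    primaries = [r for r in (scim_user.get("roles") or []) if _is_primary(r)]
    findings = []
    if len(primaries) > 1:
        findings.append("more than one primary role")
    value = primaries[0].get("value") if primaries else None
    if not value:
        findings.append("no primary role value: roles mapping or its default is missing")
        return None, findings
    if value not in ALLOWED_ROLES:
        hint = " (case mismatch)" if value.lower() in ALLOWED_ROLES else ""
        findings.append(f"unrecognised role {value!r}{hint}")
        return None, findings
    return value, findings


def audit(users):
    """Map userName -> findings for every payload that needs attention."""
    report = {}
    for u in users:
        _, findings = check_role(u)
        if findings:
            report[u.get("userName", "<no userName>")] = findings
    return report


# Constructed payloads in the SCIM 2.0 core User shape; not captured traffic.
SAMPLE_USERS = [
    {"userName": "ana@acme.com", "roles": [{"primary": "True", "value": "editor"}]},
    {"userName": "bo@acme.com", "roles": [{"primary": "True", "value": "Editor"}]},
    {"userName": "cy@acme.com", "roles": []},
    {"userName": "di@acme.com", "roles": [{"primary": True, "value": "viewer"}]},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_USERS).items():
        print(name, findings)
```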
