This guide will walk you through setting up automatic user provisioning between Azure Entra ID (formerly Azure Active Directory) and stacksync.
By the end of this guide, you will have:
✅ SAML-based Single Sign-On configured
✅ Automatic user provisioning via SCIM
✅ Role-based access control
✅ Users automatically created/updated/deactivated in stacksync
Estimated time: 30-45 minutes
Before you begin, ensure you have:
Part 1: Create Enterprise Application in Azure
Step 1.1: Navigate to Enterprise Applications
In the search bar at the top, type "Microsoft Entra ID" and select it
In the left sidebar, click Enterprise applications
Step 1.2: Create New Application
Click + New application (top left)
Click + Create your own application
Enter the application name: stacksync-example
Select: "Integrate any other application you don't find in the gallery (Non-gallery)"
Wait a few seconds for Azure to create the application.
Step 2.1: Start SAML Setup
In your stacksync-example enterprise application, click Single sign-on in the left sidebar
Before configuring anything, download your Azure metadata file:
Scroll down to section "3. SAML Certificates"
Under "Token signing certificate", click Edit (pencil icon on the right)
Click the three dots menu (...) next to the Active certificate
Select "Download federated certificate XML" from the dropdown menu
Save the file (e.g., AzureMetadata.xml)
The SSO configuration should only be done once per company domain. All domains will be connected under the same SSO configuration.
Navigate to your workspace settings
Choose Azure AD (Entra ID) as your identity provider
Upload the federated certificate XML file you downloaded from Azure in the step above
You can choose to "Restrict login to SSO only for this domain" using the checkbox. When checked, users with this domain will only be able to log in via the SSO flow.
You should now see a page with all the necessary info to continue the setup in Azure.
Once you have finished the SSO configuration in your workspace, you can continue with the setup in Azure:
Go back to your Azure SAML setup page
Click Edit on section "1. Basic SAML Configuration"
Fill in the values provided by stacksync support:
Identifier (Entity ID):
(Use the exact value from the above step)
Reply URL (Assertion Consumer Service URL):
(Use the exact value from the above step)
Sign on URL (optional):
Close the panel by clicking X
Step 2.5: Configuring email claim
This is needed because some email addresses may contain uppercase letters, which can cause the SSO login to not work as expected.
Edit the Attributes & Claims section
Click on the user.mail claim to start editing it
Change the source radio button to Transformation (this action should open a side panel)
In the Transformation field dropdown choose ToLowercase()
In the Attribute name field dropdown choose user.mail
Click Add and then Save on the main page
Part 3: Set Up Automatic User Provisioning (SCIM)
Step 3.1: Generate an API token for your workspace
In your stacksync workspace settings, scroll down to "Stacksync Workspace API Key"
Create an API key for SCIM use.
Step 3.2: Enable Automatic Provisioning
In your stacksync enterprise application, click Provisioning in the left sidebar
Click + New configuration button (at the top)
On the "New provisioning configuration" page:
Select authentication method: Bearer authentication (default)
Tenant URL: Paste the URL provided by stacksync support
Secret Token: Paste the token that you generated in your workspace
Click Test connection
You should see: ✅ "Connection test for 'stacksync-example' was successful"
Click Create (bottom left)
Part 4: Create App Roles for stacksync
App Roles define which permission level users have in stacksync (viewer or editor).
Step 4.1: Navigate to App Registrations
In the Azure Portal search bar, type: "App registrations"
Click the "View all applications in directory" button
Find and click stacksync-example
Step 4.2: Create "viewer" Role
In the left sidebar, click App roles
Fill in:
Allowed member types: Users/Groups
Description: Viewer with read-only access
Do you want to enable this app role? ✅ Checked
Step 4.3: Create "editor" Role
Click + Create app role again
Fill in:
Allowed member types: Users/Groups
Description: Editor with standard access
Do you want to enable this app role? ✅ Checked
Step 5.1: Access Attribute Mappings
Go back to Enterprise applications → stacksync-example
Click Provisioning in the left sidebar
Under Attribute Mappings, click Provision Microsoft Entra ID Users
Step 5.2: Add Roles Mapping
Scroll to the bottom and click Add New Mapping
Fill in:
Target attribute: roles[primary eq "True"].value
Default value if null: viewer
Apply this mapping: Always
Match objects using this attribute: No
Part 6: Start Provisioning
Step 6.1: Enable Provisioning
Go back to the main Provisioning page (Preview
Azure will now start provisioning users. The initial sync takes 5-10 minutes.
Part 7: Assign Roles to Users
Step 7.1: Assign a Role to a User
Go to Users and groups in the left sidebar
Under Users, click None Selected
Under Select a role, click None Selected
Choose either viewer or editor
Repeat this for each user, assigning them the appropriate role.
Part 8: Test the Setup
Step 8.1: Test Provisioning
Go to Provisioning → Provision on demand (if available)
Select a test user (you'll need to search for the user)
Verify the user is successfully created in your stacksync workspace
Troubleshooting
Users Not Provisioning
Check:
Provisioning Status is On
Users are assigned to the stacksync application
Users have a role assigned (viewer or editor)
Wait 10-40 minutes for initial sync
View logs:
Go to Provisioning → View provisioning logs
Wrong Role Assigned
Check:
Role is assigned correctly in Users and groups
Roles attribute mapping includes default value viewer
App roles display names are lowercase: viewer, editor (not Viewer, Editor)
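
The roles mapping from Step 5.2 and the "Wrong Role Assigned" checks above, as an added example (not stacksync's or Microsoft's code): how a SCIM receiver could evaluate roles[primary eq "True"].value on an incoming user. The payload shape follows the SCIM core schema `roles` attribute; the sample users, the `resolve_user` helper, and the fallback to viewer for unrecognised values are assumptions made for illustration.

```python
import json

ALLOWED_ROLES = {"viewer", "editor"}  # role values created in Steps 4.2 and 4.3
DEFAULT_ROLE = "viewer"               # "Default value if null" from Step 5.2

# Constructed sample SCIM User resources (not captured from a real tenant).
SAMPLE_USERS = json.loads("""
[
  {"userName": "Alice.Martin@example.com", "active": true,
   "roles": [{"primary": "True", "value": "editor"}]},
  {"userName": "bob@example.com", "active": true},
  {"userName": "carol@example.com", "active": true,
   "roles": [{"primary": "True", "value": "Editor"}]},
  {"userName": "dave@example.com", "active": "False",
   "roles": [{"primary": "False", "value": "editor"}]}
]
""")


def truthy(value):
    """Accept a JSON boolean or the strings "True"/"true" that some clients send."""
    return str(value).lower() == "true"


def resolve_user(scim_user):
    """Return (email, role, active, warnings) for one SCIM User resource."""
    warnings = []
    # Lowercased so it compares equal to the ToLowercase() email claim of Step 2.5.
    email = scim_user.get("userName", "").strip().lower()
    # Equivalent of the target attribute roles[primary eq "True"].value
    primary = [r.get("value") for r in scim_user.get("roles", [])
               if truthy(r.get("primary", False))]
    if len(primary) > 1:
        warnings.append("more than one primary role; using the first")
    role = primary[0] if primary and primary[0] else DEFAULT_ROLE
    if role not in ALLOWED_ROLES:
        # Fail closed to read-only instead of trusting an unrecognised value.
        warnings.append(f"unknown role {role!r}; using {DEFAULT_ROLE!r}")
        role = DEFAULT_ROLE
    return email, role, truthy(scim_user.get("active", True)), warnings


if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print(resolve_user(user))
```

The third sample user shows the last troubleshooting item: a role value of "Editor" does not match the lowercase "editor" and is reported in the warnings.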