Ctrlk
Log inSign up

Manage Natoma Role from Entra ID

Configure SCIM app roles and attribute mapping to provision users with the correct Natoma role from Microsoft Entra ID.

This guide walks Entra ID admins through configuring SCIM provisioning for Natoma so that users are automatically created with the correct role (Admin, AppAdmin, or Member) based on their Entra group assignment.

You must be signed in to the Microsoft Entra admin center as an Application Administrator, Cloud Application Administrator, or Global Administrator.

Step 1 — Create App Roles in Entra ID

Entra ID uses App Roles to represent the roles that will be provisioned to Natoma. You need to define one App Role per Natoma role value.

  1. In the Microsoft Entra admin center, go to App registrations.

  2. Select your Natoma enterprise application.

  3. In the left sidebar, click App roles, then click Create app role.

  4. Create the following three roles (repeat for each):

Role 1

Field
Value

Display name

Admin

Value

admin

Allowed member types

Users/Groups

Role 2

Field
Value

Display name

AppAdmin

Value

AppAdmin

Allowed member types

Users/Groups

Role 3

Field
Value

Display name

Member

Value

member

Allowed member types

Users/Groups

  1. Click Apply after creating each role.

Step 2 — Assign the Natoma App to an Entra Group

Assign the Natoma enterprise application to each Entra group you want to use for role-based provisioning (e.g. Natoma Admins, Natoma Members).

  1. In the Entra admin center, go to Enterprise applications and open the Natoma app.

  2. In the left sidebar, click Users and groups.

  3. Click Add user/group.

  4. Under Users and groups, search for and select your group (e.g. Natoma Admins).

  5. Click Select a role and choose the corresponding App Role (e.g. Admin).

  6. Click Assign.

Repeat this step for each group/role combination. Every group must have a role selected — users without a role assignment will be skipped during provisioning.

Step 3 — Configure the Attribute Mapping for the Role Field

By default, Entra ID does not map the app role assignment to a SCIM role attribute. You need to add this mapping manually.

  1. In the Natoma enterprise app, go to Provisioning in the left sidebar.

  2. Click Edit attribute mappings.

  3. Expand Mappings and click Provision Microsoft Entra ID Users.

  4. Scroll to the bottom of the attribute list and click Add New Mapping.

  5. Configure the new mapping as follows:

Field
Value

Mapping type

Expression

Expression

SingleAppRoleAssignment([appRoleAssignments])

Target attribute

roles[primary eq "True"].value

  1. Click OK, then click Save on the attribute mapping page.

SingleAppRoleAssignment is recommended when each user will have a single Natoma role. It reads the App Role assigned to the user or their group and writes the role value to the SCIM roles attribute.

Step 4 — Enable Automatic Provisioning

Connect Entra ID to Natoma's SCIM endpoint and enable automatic provisioning.

  1. In the Natoma enterprise app, go to Provisioning.

  2. Click Get started (or Edit provisioning if previously configured).

  3. Set the Provisioning Mode to Automatic.

  4. In the Admin Credentials section, enter:

    • Tenant URL: your Natoma SCIM endpoint URL

    • Secret Token: your Natoma SCIM bearer token

  5. Click Test Connection to verify, then click Save.

  6. Under Settings, confirm Scope is set to Sync only assigned users and groups.

  7. Click Start provisioning.

Entra ID syncs on a cycle of approximately 40 minutes. To test immediately, use Provision on demand from the Provisioning page and select a specific user.

Step 5 — Test the Configuration

  1. Add a test user to one of the groups configured in Step 2.

  2. In the Natoma enterprise app, go to Provisioning and click Provision on demand.

  3. Search for and select the test user, then click Provision.

  4. In Natoma, confirm the user appears with the expected role.

If the role field is empty, check the provisioning logs: Provisioning → View provisioning logs.

Troubleshooting

User provisioned but role is missing — Confirm the user's group has a role selected under Users and groups → Edit assignment. A missing role selection causes Entra to skip role provisioning.

Provisioning skipped entirely — Entra ID skips users not assigned to the app. Ensure the user's group is listed under Users and groups with a role selected.

MultipleGrantsNotSupported error — This occurs if a user belongs to multiple groups with different roles. Either ensure users are in only one Natoma role group, or contact Natoma support about multi-role handling.

Sync not reflecting changes — Trigger an immediate sync via Provision on demand, or restart provisioning from the Provisioning page.

Last updated