Manage Natoma Role from Entra ID
Configure SCIM app roles and attribute mapping to provision users with the correct Natoma role from Microsoft Entra ID.
This guide walks Entra ID admins through configuring SCIM provisioning for Natoma so that users are automatically created with the correct role (Admin, AppAdmin, or Member) based on their Entra group assignment.
You must be signed in to the Microsoft Entra admin center as an Application Administrator, Cloud Application Administrator, or Global Administrator.
Step 1 — Create App Roles in Entra ID
Entra ID uses App Roles to represent the roles that will be provisioned to Natoma. You need to define one App Role per Natoma role value.
In the Microsoft Entra admin center, go to App registrations.
Select your Natoma enterprise application.
In the left sidebar, click App roles, then click Create app role.
Create the following three roles (repeat for each):
Role 1
Display name: Admin
Value: admin
Allowed member types: Users/Groups
Role 2
Display name: AppAdmin
Value: AppAdmin
Allowed member types: Users/Groups
Role 3
Display name: Member
Value: member
Allowed member types: Users/Groups
Click Apply after creating each role.
Step 2 — Assign the Natoma App to an Entra Group
Assign the Natoma enterprise application to each Entra group you want to use for role-based provisioning (e.g. Natoma Admins, Natoma Members).
In the Entra admin center, go to Enterprise applications and open the Natoma app.
In the left sidebar, click Users and groups.
Click Add user/group.
Under Users and groups, search for and select your group (e.g. Natoma Admins).
Click Select a role and choose the corresponding App Role (e.g. Admin).
Click Assign.
Repeat this step for each group/role combination. Every group must have a role selected — users without a role assignment will be skipped during provisioning.
Step 3 — Configure the Attribute Mapping for the Role Field
By default, Entra ID does not map the app role assignment to a SCIM role attribute. You need to add this mapping manually.
In the Natoma enterprise app, go to Provisioning in the left sidebar.
Click Edit attribute mappings.
Expand Mappings and click Provision Microsoft Entra ID Users.
Scroll to the bottom of the attribute list and click Add New Mapping.
Configure the new mapping as follows:
Mapping type: Expression
Expression: SingleAppRoleAssignment([appRoleAssignments])
Target attribute: roles[primary eq "True"].value
Click OK, then click Save on the attribute mapping page.
SingleAppRoleAssignment is recommended when each user will have a single Natoma role. It reads the App Role assigned to the user or their group and writes the role value to the SCIM roles attribute.
Step 4 — Enable Automatic Provisioning
Connect Entra ID to Natoma's SCIM endpoint and enable automatic provisioning.
In the Natoma enterprise app, go to Provisioning.
Click Get started (or Edit provisioning if previously configured).
Set the Provisioning Mode to Automatic.
In the Admin Credentials section, enter:
Tenant URL: your Natoma SCIM endpoint URL
Secret Token: your Natoma SCIM bearer token
Click Test Connection to verify, then click Save.
Under Settings, confirm Scope is set to Sync only assigned users and groups.
Click Start provisioning.
Entra ID syncs on a cycle of approximately 40 minutes. To test immediately, use Provision on demand from the Provisioning page and select a specific user.
Step 5 — Test the Configuration
Add a test user to one of the groups configured in Step 2.
In the Natoma enterprise app, go to Provisioning and click Provision on demand.
Search for and select the test user, then click Provision.
In Natoma, confirm the user appears with the expected role.
If the role field is empty, check the provisioning logs: Provisioning → View provisioning logs.
Troubleshooting
User provisioned but role is missing — Confirm the user's group has a role selected under Users and groups → Edit assignment. A missing role selection causes Entra to skip role provisioning.
Provisioning skipped entirely — Entra ID skips users not assigned to the app. Ensure the user's group is listed under Users and groups with a role selected.
MultipleGrantsNotSupported error — This occurs if a user belongs to multiple groups with different roles. Either ensure users are in only one Natoma role group, or contact Natoma support about multi-role handling.
Sync not reflecting changes — Trigger an immediate sync via Provision on demand, or restart provisioning from the Provisioning page.
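The following is an added example (not Natoma's or Microsoft's code) of what the receiving SCIM side has to do with the roles attribute that the Step 3 mapping produces, and how the failure modes in this Troubleshooting section look from that side: a user arriving with no primary role, a user carrying two different primary roles, and a value that does not match one of the App Role values from Step 1. The payload shapes, user names and the "type" string are constructed assumptions for illustration.

```python
import json

# Allowed Natoma role values, exactly as defined in the Entra App Roles (Step 1).
# Matching is case-sensitive: "Admin" and "admin" are different values.
ALLOWED_ROLES = {"admin", "AppAdmin", "member"}


class AmbiguousRoleError(ValueError):
    """More than one distinct primary role in one payload (cf. MultipleGrantsNotSupported)."""


def _is_primary(entry):
    # The primary flag may arrive as a JSON boolean or as the string "True"
    # (the mapping filter is written as primary eq "True"); accept both, nothing else.
    flag = entry.get("primary")
    return flag is True or (isinstance(flag, str) and flag.lower() == "true")


def resolve_natoma_role(scim_user):
    """Return the Natoma role value for a SCIM user payload.

    None  -> no usable primary role (the "role is missing" case; caller should not guess).
    Raises AmbiguousRoleError when several distinct primary roles are present, and
    ValueError when the single value is not one of the configured App Role values.
    """
    roles = scim_user.get("roles") or []
    values = {r["value"] for r in roles if _is_primary(r) and r.get("value")}
    if not values:
        return None
    if len(values) > 1:
        raise AmbiguousRoleError(f"multiple primary roles received: {sorted(values)}")
    (value,) = values
    if value not in ALLOWED_ROLES:
        raise ValueError(f"unknown role value {value!r}; expected one of {sorted(ALLOWED_ROLES)}")
    return value


# Constructed sample payloads (not captured from a real tenant), shaped like the
# output of the SingleAppRoleAssignment mapping; the "type" string is an assumption.
ADMIN_USER = json.loads('''{
  "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
  "userName": "alice@example.com",
  "active": true,
  "roles": [{"primary": "True", "type": "WindowsAzureActiveDirectoryRole", "value": "admin"}]
}''')
NO_ROLE_USER = {"userName": "bob@example.com", "active": True}
TWO_ROLE_USER = {"userName": "carol@example.com",
                 "roles": [{"primary": True, "value": "admin"}, {"primary": True, "value": "member"}]}

if __name__ == "__main__":
    print(resolve_natoma_role(ADMIN_USER))    # admin
    print(resolve_natoma_role(NO_ROLE_USER))  # None
```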