Skip to main content

Set up SCIM with Entra ID EnterpriseEnterprise +

SCIM available for Entra ID

dbt supports System for Cross-Domain Identity Management (SCIM) with Microsoft Entra ID for user and group provisioning and profile updates.

Automatic license type mapping is not currently supported with Entra ID SCIM. See mapped configuration to manage license types within the dbt platform user interface.

Prerequisites

Set up Entra ID

  1. Log in to your Azure account and open the Entra ID configurations.
  2. From the sidebar, under Manage, click Enterprise Applications.
  3. Click New Application and select the option to Create your own application.
    Create your own application.Create your own application.
  4. Give your app a unique name and ensure the Integrate any other application you don't find in the gallery (Non-gallery) field is selected. Ignore any prompts for existing apps. Click Create.
    Give your app a unique name.Give your app a unique name.
  5. From the application Overview screen, click Provision User Accounts.
    The 'Provision user accounts' option.The 'Provision user accounts' option.
  6. From the Create configuration section, click Connect your application.
  7. Fill out the form with the information from your dbt account:
    • The Tenant URL in Entra ID is your SCIM base URL from dbt.
    • The Secret token in Entra ID is your SCIM token from dbt.
  8. Click Test connection and click Create once complete.
    Configure the app and test the connection.Configure the app and test the connection.

Attribute mapping

To map the attributes that will sync with dbt:

  1. From the enterprise app Overview screen sidebar menu, click Provisioning.
    The Provisioning option on the sidebar.The Provisioning option on the sidebar.
  2. Under Manage, click Provisioning again.
  3. Expand the Mappings section and click Provision Microsoft Entra ID users.
    Provision the Entra ID users.Provision the Entra ID users.
  4. Select the box for Show advanced options and then click Edit attribute list for customappsso.
    Click to edit the customappsso attributes.Click to edit the customappsso attributes.
  5. Scroll to the bottom of the Edit Attribute List window and find an empty field where you can add a new entry with the following fields:
    • Name: emails[type eq "work"].primary
    • Type: Boolean
    • Required: True
    Add the new field to the entry list.Add the new field to the entry list.
  6. Mark all of the fields listed in Step 10 below as Required.
    Mark the fields as required.Mark the fields as required.
  7. Click Save.
  8. Back on the Attribute mapping window, click Add new mapping and complete fields with the following:
    • Mapping type: none
    • Default value if null (optional): True
    • Target attribute: emails[type eq "work"].primary
    • Match objects using this attribute: No
    • Matching precedence: Leave blank
    • Apply this mapping: Always
    Complete the fields as shown.Complete the fields as shown.
  9. Click Ok.
  10. Make sure the following mappings are in place and delete any others:
    • UserName: userPrincipalName or the value you want users to leverage to log in to dbt.
    • active: Switch([IsSoftDeleted], , "False", "True", "True", "False")
    • emails[type eq "work"].value: userPrincipalName is the most common, but this value needs to be the same set for UserName.
    • name.givenName: givenName
    • name.familyName: surname
    • externalid: mailNickname
    • emails[type eq "work"].primary
    Edit the attributes so they match the list as shown.Edit the attributes so they match the list as shown.
  11. Click Save.

You can now begin assigning users to your SCIM app in Entra ID!

Assign users to SCIM app

The following steps go over how to assign users/groups to the SCIM app. Refer to Microsoft's official instructions for assigning users or groups to an Enterprise App in Entra ID to learn more. Although the article is written for Databricks, the steps are identical.

  1. Navigate to Enterprise applications and select the SCIM app.
  2. Go to Manage > Provisioning.
  3. To synchronize Microsoft Entra ID users and groups to dbt, click Start provisioning.
    Start provisioning to synchronize users and groups.Start provisioning to synchronize users and groups.
  4. Navigate back to the SCIM app's overview page and go to Manage > Users and groups.
  5. Click Add user/group and select the users and groups.
    Add user/group.Add user/group.
  6. Click the Assign button.
  7. Wait a few minutes. In the dbt platform, confirm the users and groups exist in your dbt account.
    • Users and groups that you add and assign will automatically be provisioned to your dbt account when Microsoft Entra ID schedules the next sync.
    • By enabling provisioning, you immediately trigger the initial Microsoft Entra ID sync. Subsequent syncs are triggered every 20-40 minutes, depending on the number of users and groups in the application. Refer to Microsoft Entra ID's Provisioning tips documentation for more information.
    • You can also prompt a manual provisioning outside of the cycle by clicking Restart provisioning.
    Prompt manual provisioning.Prompt manual provisioning.

Was this page helpful?

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

0
Loading