# With Microsoft Entra ID

*Automatic provisioning through SCIM is available starting in* [*Enterprise Edition*](https://www.sonarsource.com/plans-and-pricing/enterprise/)*.*

You can enable SCIM to automate user and group provisioning from Microsoft Entra ID (previously known as Azure AD) to SonarQube Server. For an overall understanding of the feature, read the SCIM [overview](https://docs.sonarsource.com/sonarqube-server/10.8/instance-administration/authentication/saml/scim/overview "mention") page.

## Prerequisites <a href="#prerequisites" id="prerequisites"></a>

You have a working SAML authentication setup with Microsoft Entra ID (see the [introduction](https://docs.sonarsource.com/sonarqube-server/10.8/instance-administration/authentication/saml/ms-entra-id/introduction "mention")).

## Configuring SonarQube Server <a href="#configuring-sonarqube" id="configuring-sonarqube"></a>

1. Within SonarQube Server, go to **Administration** > **Authentication** > **SAML**.
2. Under **Provisioning**, click **Automatic user and group provisioning with SCIM**.
3. Click **Save** and confirm in the pop-up window if you are sure you want to enable SCIM.

SCIM is now enabled in SonarQube Server, which will handle all the queries coming from Microsoft Entra ID about users and groups.

## Configuring Microsoft Entra ID <a href="#configuring-azure-a-d" id="configuring-azure-a-d"></a>

**Step 1:** In Microsoft Entra ID, go to **Identity** > **Applications** > **Enterprise applications** > **All applications** and select the application created for SonarQube Server. On the application’s page, select **Provisioning**.

![](https://312504542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJj3TXBdWssTGGg8qK5I%2Fuploads%2Fgit-blob-cffe8e4ce3b709a5a553c0e8e55ed9a8ab19804f%2F865f8aa4d8e419c405168214b487945252218717.png?alt=media)

**Step 2:** On the **Provisioning** page, click **Get started**.

**Step 3:** Under **Provisioning Mode**, select **Automatic**.

**Step 4:** Configure the **Admin Credentials** section as follows:

* **Tenant Url**: `<sqServerBaseUrl>/api/scim/v2`
* **Secret token**: Paste a token for an admin account in this field (see [managing tokens](https://docs.sonarsource.com/sonarqube-server/10.8/user-guide/managing-tokens "mention")). For safety reasons, we recommend using a token from a local admin account (not managed through SCIM).

![](https://312504542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJj3TXBdWssTGGg8qK5I%2Fuploads%2Fgit-blob-2beccc930bd6bba2260df77942d1b171975c088a%2F5ffa01e41e509c222ab73436e823e2147ed19a08.png?alt=media)

Click **Test Connection** to check that your credentials are valid, then click **Save**.

**Step 5.a:** Under **Mappings**, click on **Provision Microsoft Entra ID Groups**. This opens the **Attribute Mapping** dialog for groups.

**Step 5.b:** Under **Target Object Actions**, make sure that **Create**, **Update**, and **Delete** are enabled.

![](https://312504542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJj3TXBdWssTGGg8qK5I%2Fuploads%2Fgit-blob-7a223f97ee7720a9d106e27c0a44035de244df35%2F2bb7ad5fe1bfe5f2914495b5c101f5c95ccca86c.png?alt=media)

**Step 5.c:** In **Attribute Mappings**, make sure `displayName` appears in both columns of the mapping. This ensures groups are mapped based on their names.

![](https://312504542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJj3TXBdWssTGGg8qK5I%2Fuploads%2Fgit-blob-854a9a27a33f45e8993ccaecd03b164e07fe5cb0%2F36e1fbee4765b2a714e74e4c24713be4f854ce81.png?alt=media)

**Step 5.d:** Click **Save**. This takes you back to the **Provisioning** page. If this was the default configuration, go back to the previous page.

**Step 6.a:** Under **Mappings**, click on **Provision Microsoft Entra ID Users**. This opens the **Attribute Mapping** dialog for users.

**Step 6.b:** Under **Target Object Actions**, make sure that **Create**, **Update**, and **Delete** are enabled.

**Step 6.c:** In **Attribute Mappings**, map the `userName` **customappsso Attribute** (target) to the **Microsoft Entra ID Attribute** (source) used as SAML user login attribute in your SAML configuration.\
For example, if your login attribute is `http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress` in your SonarQube Server’s SAML configuration and it is mapped to `user.userprincipalname` (default), use `userprincipalname` here. Otherwise, if it is mapped to `user.mail`, then use `mail` instead.

![](https://312504542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJj3TXBdWssTGGg8qK5I%2Fuploads%2Fgit-blob-43001deaa9ba3e2c9e2b73bca12e37f6c3b5317c%2F1b4cfad1f0a4a053135ad7c192d021afeaa5bf28.png?alt=media)

{% hint style="info" %}
To check which Microsoft Entra ID attribute is used as SAML user login attribute:

1. In SonarQube, go to **Administration** > **Authentication** > **SAML**.
2. In **SAML Configuration > SAML**, select **Edit**. The MS Entra ID attribute is the value of **SAML user login attribute**.

{% endhint %}

**Step 6.d:** Click **Save**. This takes you back to the **Provisioning** page.

**Step 7:** In the **Settings > Scope** section, select **Sync only assigned users and groups**.

![](https://312504542-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJj3TXBdWssTGGg8qK5I%2Fuploads%2Fgit-blob-1064a34a51e74c1ac96c7569331fe2f553fae88c%2Fe31347571c9f77670da43c220ea9982fe6e2c95a.png?alt=media)

**Step 8:** Set the provisioning status to **On** and click **Save**. The Microsoft Entra ID users and groups will be synchronized with SonarQube Server.

{% hint style="info" %}
Microsoft Entra ID runs a SCIM synchronization every 40 minutes. Changes in Microsoft Entra ID are not reflected immediately in SonarQube Server.
{% endhint %}
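
The mapping rule from Step 6.c can be checked after a synchronization by comparing the `userName` values that were provisioned with the login each user presents through SAML. The following is an added example, not part of the SonarQube documentation: the user records, the `contoso.example` domain, the function names and the response body are constructed for illustration, and the response follows the generic SCIM 2.0 ListResponse shape rather than captured SonarQube Server output.

```python
import json

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"

# Constructed Entra ID user records (source side of the mapping).
ENTRA_USERS = [
    {"userPrincipalName": "alice@contoso.example", "mail": "alice@contoso.example"},
    {"userPrincipalName": "bob@contoso.example", "mail": "robert.b@contoso.example"},
    {"userPrincipalName": "carol@contoso.example", "mail": None},
]

# Constructed SCIM 2.0 ListResponse, as if userName had been mapped to
# userprincipalname in Step 6.c.
SCIM_USERS = json.dumps({
    "schemas": [LIST_RESPONSE],
    "totalResults": 3,
    "Resources": [{"userName": u["userPrincipalName"]} for u in ENTRA_USERS],
})


def source_value(user, attr):
    """Read an Entra attribute by the lowercase name shown in the mapping dialog."""
    for key, value in user.items():
        if key.lower() == attr.lower():
            return value
    return None


def provisioned_usernames(scim_json):
    """Return the set of userName values found in a SCIM ListResponse."""
    body = json.loads(scim_json)
    if LIST_RESPONSE not in body.get("schemas", []):
        raise ValueError("not a SCIM ListResponse")
    return {r["userName"] for r in body.get("Resources", []) if r.get("userName")}


def login_mismatches(entra_users, saml_source_attr, scim_json):
    """List users whose SAML login would not match any provisioned userName."""
    provisioned = provisioned_usernames(scim_json)
    problems = []
    for user in entra_users:
        login = source_value(user, saml_source_attr)
        if not login:
            problems.append((user["userPrincipalName"], "empty " + saml_source_attr))
        elif login not in provisioned:
            problems.append((user["userPrincipalName"], "login " + login + " not provisioned"))
    return problems


if __name__ == "__main__":
    for attr in ("userprincipalname", "mail"):
        print(attr, login_mismatches(ENTRA_USERS, attr, SCIM_USERS))
```

With the SAML login claim sourced from `user.userprincipalname` the check returns no mismatches; with `user.mail` as the source it flags the user whose mail differs from the UPN and the user with no mail set.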
