Microsoft Entra SSO and SCIM
Configure Microsoft Entra ID OIDC SSO and SCIM provisioning for observity.ai.
Use this guide when Microsoft Entra ID is your identity provider for observity.ai authentication and provisioning.
App Registration
- In Microsoft Entra admin center, create an app registration for observity.ai.
- Add the observity.ai Redirect URI from Settings > Single Sign-On (SSO) as a web redirect URI before creating or copying the client secret.
- Create a client secret.
- Copy the issuer URL, application client ID, and client secret into observity.ai.
- Assign users or groups through the Enterprise Application.
Use these OIDC scopes:
openid email profile
SCIM Provisioning
In the observity.ai Enterprise Application, open Provisioning and configure:
| Entra Field | observity.ai Value |
|---|---|
| Provisioning mode | Automatic |
| Tenant URL | observity.ai SCIM Base URL |
| Secret token | observity.ai SCIM bearer token |
| Scope | Sync only assigned users and groups |
Test the connection before enabling the provisioning job.
Attribute Mapping
Map Entra user fields to SCIM attributes:
| Entra Attribute | SCIM Attribute |
|---|---|
| userPrincipalName or mail | userName |
| mail | emails[type eq "work"].value |
| givenName | name.givenName |
| surname | name.familyName |
| displayName | displayName |
| objectId | externalId |
Use objectId for externalId because it is stable and not reused.
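The mapping above, shown as the SCIM 2.0 User resource it produces, with a check that flags records whose externalId is not an Entra object ID. This is an added example, not observity.ai or Microsoft code; the function names are hypothetical, the sample users are constructed, and the schema URN is the core User schema from RFC 7643.

```python
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"  # RFC 7643 core User schema

# Constructed sample Entra users (not real accounts).
SAMPLE_USERS = [
    {"userPrincipalName": "alice@example.com", "mail": "alice@example.com",
     "givenName": "Alice", "surname": "Ng", "displayName": "Alice Ng",
     "objectId": "3f2b8c1e-5d4a-4e7b-9a6c-0b1d2e3f4a5b"},
    # No UPN available and externalId wrongly mapped to a short alias.
    {"userPrincipalName": None, "mail": "bob@example.com",
     "givenName": "Bob", "surname": "Diaz", "displayName": "Bob Diaz",
     "objectId": "bob"},
]

def entra_to_scim(user):
    """Build a SCIM 2.0 User resource using the attribute mapping in the table."""
    resource = {
        "schemas": [USER_SCHEMA],
        "userName": user.get("userPrincipalName") or user.get("mail"),
        "externalId": user.get("objectId"),
        "displayName": user.get("displayName"),
        "name": {"givenName": user.get("givenName"),
                 "familyName": user.get("surname")},
        "emails": [],
    }
    if user.get("mail"):
        resource["emails"].append({"type": "work", "value": user["mail"]})
    return resource

def mapping_problems(resource):
    """Return findings that point to a wrong or incomplete attribute mapping."""
    problems = []
    if not resource.get("userName"):
        problems.append("userName is empty")
    ext = resource.get("externalId")
    try:
        # Entra object IDs are GUIDs; anything else means a different source field.
        is_guid = str(uuid.UUID(ext)) == ext.lower()
    except (ValueError, AttributeError, TypeError):
        is_guid = False
    if not is_guid:
        problems.append("externalId is not a GUID; map it to objectId")
    if not any(e.get("type") == "work" and e.get("value") for e in resource["emails"]):
        problems.append("no work email value")
    return problems

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(u["displayName"], mapping_problems(entra_to_scim(u)) or "ok")
```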
Group Assignment
Use assigned groups to control observity.ai access:
- Assign observity.ai groups to the Enterprise Application.
- Enable group provisioning for assigned groups.
- Wait for the groups to appear in observity.ai.
- Map each group to Viewer, Member, or Admin in observity.ai.
Recommended group pattern:
| Entra Group | observity.ai Role |
|---|---|
| observity.ai-Viewers | Viewer |
| observity.ai-Members | Member |
| observity.ai-Admins | Admin |
After the first provisioning cycle completes, enable Require SCIM provisioning for SSO access in observity.ai.