Microsoft Entra ID SCIM Provisioning
Available on: Enterprise EditionCloud>= 0.18.0
Sync Users and Groups from Microsoft Entra ID to Kestra using SCIM.
Prerequisites
- Microsoft Entra ID Account: an account with administrative privileges to configure SCIM provisioning.
- Enable multi-tenancy in Kestra: tenants MUST be enabled in Kestra to support SCIM provisioning. You can enable tenants by setting the
kestra.ee.tenants.enabledconfiguration property totrue:
kestra:
ee:
tenants:
enabled: true
Kestra SCIM Setup: Create a New Provisioning Integration
- In the Kestra UI, navigate to the
Administration→IAM→Provisioningpage. - Click on the
Createbutton in the top right corner of the page. - Fill in the following fields:
- Name: Enter a name for the provisioning integration.
- Description: Provide a brief description of the integration.
- Provisioning Type: currently, we only support SCIM 2.0 — leave the default selection and click
Save.
The above steps will generate a SCIM endpoint URL and a Secret Token that you will use to authenticate Microsoft Entra ID with the SCIM integration in Kestra. Save those details as we will need them in the next steps.
The endpoint should look as follows:
https://your_kestra_host/api/v1/your_tenant/integrations/integration_id/scim/v2
The Secret Token will be a long string (ca. 200 characters) that will authenticate requests from Microsoft Entra ID to Kestra.
Enable or Disable SCIM Integration
Note that you can disable or completely remove the SCIM Integration at any time. When an integration is disabled, all incoming requests for that integration endpoint will be rejected.
At first, you can disable the integration to configure your Microsoft Entra ID integration in the Azure portal, and then enable it once the configuration is complete.
IAM Role and Service Account
When creating a new Provisioning Integration, Kestra will automatically create two additional objects:
- Role
SCIMProvisionerwith the following permissions:GROUPS:CREATE,READUPDATE,DELETEUSERS:CREATE,READ,UPDATEBINDINGS:CREATE,READ,UPDATE,DELETE
- Service Account with an API Token which was previously displayed as a Secret Token for the integration:
Why the SCIMProvisioner role doesn't have the DELETE permission for USERS? This is because you cannot delete a user through our SCIM implementation. Users are global and SCIM provisioning is per tenant. When we receive a DELETE query for a user, we remove their tenant access but the user itself remains in the system.
Microsoft Entra ID SCIM Setup
1. Register Kestra as an Enterprise Application:
- Navigate to Microsoft Entra ID → Enterprise Applications.
- Click on the
+ New applicationbutton to create a new custom application. You can name the app "KestraSCIM" or any other relevant name.
2. Configure SCIM Provisioning:
- Go to the newly created Kestra application.
- Select "Provisioning" and set the Provisioning Mode to "Automatic".
- Enter the SCIM endpoint URL and the Secret Token provided by Kestra. Paste kestra's SCIM endpoint URL into the Tenant URL field and the Secret Token into the Secret Token field.
- Finally, click on
Test Connectionand on theSavebutton.
3. Map User and Group Attributes:
After entering and saving the Admin Credentials for SCIM provisioning connection in Microsoft Entra ID (i.e., the Tenant URL and Secret Token), Azure will enable the Mappings section under the Provisioning settings.
The Mappings section allows you to define how user and group attributes should flow between Microsoft Entra ID and Kestra.
SCIM Schema Support in Kestra
Kestra adheres to the SCIM 2.0 specification (RFC 7643), specifically supporting the following resource types:
- User Resource:
- Example attributes:
userName,name.givenName,name.familyName,emails,active
- Example attributes:
- Group Resource:
- Example attributes:
displayName,members
- Example attributes:
Retrieve Supported Schemas
Kestra exposes SCIM resource schemas via its /Schemas endpoint exposed via the SCIM URL. This allows Microsoft Entra ID to discover the required attributes.
GET /api/v1/<tenant>/integrations/<integration_id>/scim/v2/Schemas
Replace <tenant> with your actual tenant, and <integration_id> with your actual Kestra SCIM integration ID.
This endpoint returns a list of supported schemas and their attributes. Use it as a reference when configuring attribute mappings in Entra ID.
Configure User and Group mapping
To configure mappings:
- Go to: Microsoft Entra Admin Center → Enterprise Applications → Your Kestra App → Provisioning → Mappings
- Configure attribute mappings:
- For Users:
- Map source attributes such as
userPrincipalName,mailto their SCIM equivalents.
- Map source attributes such as
- For Groups:
- Map attributes such as
displayName - Ensure group
membersare synchronized properly.
- Map attributes such as
- Refer to the
/Schemasendpoint response from Kestra to guide accurate mapping. - Use attribute expressions or transformations in Entra ID if needed (e.g., to format names or emails).
By default, Azure will pre-populate the mapping with many Microsoft Entra ID attributes. You may need to remove or simplify some of these mappings if you encounter synchronization issues with Users or Groups in Kestra.
Test the Configuration
After mappings are configured:
- Trigger a manual provisioning cycle from the Provisioning tab.
- Verify that users and groups are correctly created or updated in Kestra.
- Review provisioning logs in Entra ID for any errors or warnings.
4. Enable Provisioning:
- Now that everything is configured, you can enable the provisioning integration toggle in the Kestra UI to start syncing users and groups from Microsoft Entra ID to Kestra.
Additional Resources
Was this page helpful?