Creating a group or permission mapping from Microsoft EntraID SSO

Comments Off on Creating a group or permission mapping from Microsoft EntraID SSO

Using SSO, you can rely on external authentication methods in vScope. Once configured, you can use the external identity provider (IDP) to assign vScope users permissions and/or groups. If you have not yet configured SSO, please start by reading Setting up Microsoft Entra ID Single Sign-On (SSO).

Important notice Depending on what permissions you have configured in your app registrations in Azure, vScope may not have sufficient permissions to read eg. groups from Azure. If something goes wrong, please revise your group claims in Azure.

1. Enabling group mapping in vScope

  1. In vScope, go to Settings > Users & Access > Single Sign-On. Ensure you are login as administrator.
  2. If you have enabled Microsoft EntraID Single Sign-On, you should be able to enable group mapping
  3. Select which group (permission or user group) in vScope you want to add a mapping to by clicking +

2. Creating a group mapping

  1. First, select property in Azure you want to base your mapping on
  2. Enter a name of your mapping. This is only used in vScope to help you remember the mapping.
  3. Enter the object id of the user/group in Azure. You can find the group id in Azure
  4. Preview your mapping and click Add

In this configuration, we have added so that any user in Microsoft EntraID that is a member of Customer Success, will automatically be assigned the permission Contributor upon login.

Troubleshooting / FAQ

The user is assigned the default permission group on login

If vScope cannot find the user in a mapped group, it will automatically fall back to the “Default Permission Group” when assigning a user a permission group.

  1. Ensure proper group mapping
    • Review the user’s group membership in Microsoft Entra ID and ensure that the user is a member of a group with the same ID that you’ve mapped in vScope.
  2. Evaluate user mapping
    • You can try to instead of mapping a group, add the user’s ID to a permission mapping using the Property: User. Input your user’s ID. Does it work? Is this the account that is trying to sign in, or do you have duplicates in Microsoft EntraID?
Choosing property user instead of group