Skip to main content

Configure SCIM for Entra

Alteryx supports the ability to provision, update and deprovision Analytics Cloud users through the System for Cross-domain Identity Management (SCIM) protocol. By enabling SCIM, your organization can use Microsoft Entra security groups to set user access to individual workspaces, and the services available to them.

Prerequisites

  • You have direct access to your Analytics Cloud workspace, and have been assigned the Workspace Admin role.

  • You have direct access to your instance of Entra, and have been assigned the Application Administrator or Cloud Application Administrator roles.

  • You have already enabled SAML SSO for your workspace. For more information, see Azure SSO Setup Guide (SAML)

Dica

Auto-provisioning is most effective when user access is managed through groups. Within your IdP, consider managing application access using security groups instead of assigning users to the application, one-by-one.

Generating SCIM Token

  1. Within Analytics Cloud, navigate to your workspace’s Admin Console.

  2. Select User Provisioning in the left navigation menu.

  3. Select Enable Automatic User Provisioning.

  4. Select Enable.

  5. In the the Authentication Type dropdown, select Alteryx Token Authentication.

  6. Select Next.

  7. Note and copy your Tenant URL. You will use this later.

  8. Select Generate Token.

  9. In the Lifetime (Days) field, enter “365”.

  10. Select Generate.

  11. Note and copy your SCIM Token. You will use this later.

  12. Select Close.

Integration

Enabling SCIM

  1. In Microsoft Entra, navigate to your existing Enterprise Application.

  2. Navigate to the Provisioning page and select Connect your application.

  3. In the Tenant URL field, paste the Tenant URL value copied from your workspace.

  4. In the Secret Token field, paste your SCIM token value copied from your workspace.

  5. Select Test Connection.

  6. Select Create. After a moment, you will be redirected back to the Provisioning page.

  7. (Optional) Under Attribute Mappings, select Provision Microsoft Entra ID Users to deselect unnecessary user attributes.

    Attributes to keep:

    userName: userPrincipalName
    active: Switch([IsSoftDeleted], , "False", "True", "True", "False")
    emails[type eq "work"].value: mail
    name.givenName: givenName
    name.familyName: surname
    externalId: mailNickname
  8. Select Save.

Assigning Groups

  1. Navigate to the Users and Groups page.

  2. Select Add User/Group.

  3. Select the group you would like to sync to the workspace.

  4. Hit Select and Assign.

Assigned groups will be synchronized to the workspace. Security group members who do not already have access to the workspace will receive an email invite notification.

Nota

Depending on your Entra settings, it may take some time before users and user groups are synchronized to the corresponding workspace.

Enabling Provisioning

To enable the provisioning, navigate to the Overview page, select Provisioning and Start Provisioning.

Permission Groups

  1. Within Analytics Cloud, navigate back to your workspace’s Admin Console.

  2. Navigate to the User Groups page.

  3. Hovering over a synchronized user group, select the 3-dot menu.

  4. Select Assign Roles.

  5. In the Assign Roles to Group dropdown, select or deselect one or more existing roles.

  6. Select Save.

Users who are already a member of the group will inherit the selected roles. Users added to Entra security groups in the future will be invited to the workspace and assigned the selected roles.