Configure SCIM Provisioning with Microsoft Entra ID Enterprise

Dremio supports System for Cross-domain Identity Management (SCIM) to integrate Microsoft Entra ID (formerly Microsoft Azure Active Directory) with Dremio for managing external users. When properly configured, Entra ID automatically creates Dremio user accounts if they do not already exist. Entra ID also automatically updates user attributes in Dremio, deactivates Dremio user accounts, and creates roles in Dremio based on Entra ID groups.

note

In addition to SCIM provisioning, you can configure Entra ID as an identity provider (IdP) in Dremio. Follow the instructions in Configure Microsoft Entra ID as an Identity Provider to add Entra ID as a single sign-on (SSO) IdP in Dremio.

Prerequisites

Configuring SCIM provisioning in Entra ID requires:

  • Privileges in Entra ID that permit you to register and configure applications
  • A Dremio personal access token (PAT) for a Dremio user who is a member of the ADMIN role

Configure an Application for SCIM Provisioning

To create an application for SCIM provisioning in Entra ID:

  1. In the Azure portal under Azure services, click the Microsoft Entra ID tile.

  2. In the left-navigation menu under Manage, click Enterprise applications.

  3. Click New application.

  4. Click Create your own application.

  5. In the Create your own application panel, type a name for the application in the provided field.

  6. Under What are you looking to do with your application? select the Integrate any other application you don't find in the gallery (Non-gallery) option.

  7. Click the Create button.

  8. In the left-navigation menu under Manage, click Provisioning.

  9. Click the Get started button.

  10. In the Provisioning Mode drop-down list, select Automatic.

  11. Under Admin Credentials, enter the correct Tenant URL for your control plane:

    • US control plane: https://scim.dremio.cloud/scim/v2/?aadOptscim062020
    • EU control plane: https://scim.eu.dremio.cloud/scim/v2/?aadOptscim062020

    note

    The Tenant URL must include the aadOptscim062020 query parameter due to a Microsoft Entra ID issue with SCIM 2.0 compliance.

    If you previously configured a SCIM app with Microsoft Entra ID, SCIM syncing may fail for requests to deactivate users, add and update user attributes, and remove group members. If you observe these failures, follow the Microsoft documentation to upgrade from the older customappsso job to the SCIM job.

  12. Enter your Dremio PAT in the Secret Token field.

  13. (Optional) Click Test Connection to confirm that Entra ID can connect to the tenant URL.

  14. Click Save.

  15. (Optional) Click the down-arrow next to Settings, and adjust the settings as desired. Click Save when you are finished.

  16. Return to the Provisioning Overview page for the application.

  17. In the left-navigation menu under Manage, click Provisioning.

  18. Under Provisioning Status, toggle the setting to On.

  19. Click Save.

SCIM provisioning is now configured and enabled. You can create users, update user attributes, and deactivate users in Dremio, all from Entra ID.
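
The note in step 11 matters for access control: if deactivation or member-removal requests fail, a user removed in Entra ID can remain active in Dremio. The following is an added example, not code from Dremio or Microsoft: a small linter that checks SCIM PATCH bodies (for instance, ones copied from provisioning logs) against the RFC 7643/7644 rules for the `active` attribute and for removing a single group member. The request bodies are constructed samples; the "legacy" shapes are an assumption about the kind of non-compliant request the note refers to, and the user id is a placeholder.

```python
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
VALID_OPS = {"add", "remove", "replace"}  # spelled in lowercase in RFC 7644 section 3.5.2


def patch_body(*operations):
    """Serialize a SCIM PatchOp request body (helper for the constructed samples)."""
    return json.dumps({"schemas": [PATCH_SCHEMA], "Operations": list(operations)})


def lint_patch(body):
    """Return a list of findings for one PatchOp body; an empty list means clean."""
    findings = []
    for i, op in enumerate(json.loads(body).get("Operations", [])):
        name, value = op.get("op"), op.get("value")
        path = (op.get("path") or "").lower()
        if name not in VALID_OPS:
            findings.append(f"op[{i}]: op {name!r} is not add/remove/replace in lowercase")
        # RFC 7643 types `active` as a boolean, so "False" (a string) is a type mismatch.
        if path == "active" and not isinstance(value, bool):
            findings.append(f"op[{i}]: active is {type(value).__name__}, expected boolean")
        # RFC 7644 section 3.5.2.2: remove on a multi-valued attribute with no filter
        # targets every value, so one member is addressed as members[value eq "..."].
        if str(name).lower() == "remove" and path == "members":
            findings.append(f"op[{i}]: member removal has no value filter in path")
    return findings


# Constructed samples (not captured traffic); the user id is a placeholder.
LEGACY_DEACTIVATE = patch_body({"op": "Replace", "path": "active", "value": "False"})
COMPLIANT_DEACTIVATE = patch_body({"op": "replace", "path": "active", "value": False})
LEGACY_REMOVE_MEMBER = patch_body(
    {"op": "Remove", "path": "members", "value": [{"value": "constructed-user-id"}]})
COMPLIANT_REMOVE_MEMBER = patch_body(
    {"op": "remove", "path": 'members[value eq "constructed-user-id"]'})

if __name__ == "__main__":
    samples = [("legacy deactivate", LEGACY_DEACTIVATE),
               ("compliant deactivate", COMPLIANT_DEACTIVATE),
               ("legacy remove member", LEGACY_REMOVE_MEMBER),
               ("compliant remove member", COMPLIANT_REMOVE_MEMBER)]
    for label, body in samples:
        print(f"{label}: {lint_patch(body) or 'clean'}")
```
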

note

Read Microsoft's documentation about how long it takes to provision users for details about Entra ID's initial and incremental provisioning cycles.

If desired, you can use Entra ID's scoping filters to apply attribute-based rules for user provisioning. Read Scoping users or groups to be provisioned with scoping filters in the Microsoft documentation for more information.

Create Users

After you configure an Entra ID application for SCIM provisioning, you must assign users and groups to the application. Dremio automatically creates a new Dremio user account for anyone you assign to the SCIM application who does not already have an account. Follow the instructions in the Microsoft documentation to assign users and groups to an application.

New Dremio users can log in to Dremio immediately, and administrators can view their user accounts in Dremio. New users are automatically members of the PUBLIC role in Dremio.

Create Roles

If you add an Entra ID group to your SCIM application, Entra ID pushes your designated groups to Dremio as roles and populates the roles with the group's members. Follow the instructions in the Microsoft documentation to assign users and groups to an application.

Use Entra ID to manage any roles you create with Entra ID groups. Any changes you make to a role or its membership in Dremio are immediately overwritten by the next provisioning cycle from Entra ID. Making changes in Dremio can result in synchronization errors.

Update User Attributes

With SCIM provisioning configured, updates to user attributes in Entra ID are propagated to the user account in Dremio. Follow the instructions in the Microsoft documentation to edit user profile information.

The First name and Last name attributes in Entra ID are mapped to user accounts in Dremio. After you configure an application for SCIM provisioning in Entra ID and assign users to it, you can change these user attributes in Entra ID to update the corresponding user information in Dremio.

note

User email addresses are controlled by Entra ID rather than Dremio. If a user's email address changes, you must create a new user in Entra ID and assign them to the application for SCIM provisioning. Then, assign the new Entra ID user to the SCIM application in Entra ID (either individually as a user or by adding them to an assigned group). Entra ID creates a new Dremio user who can log in to Dremio with the new email address as a new user.

Deactivate Users

When you delete a user or group from the application for SCIM provisioning in Entra ID, the affected users become inactive in Dremio and cannot log in to Dremio at all, whether with Entra ID SSO or username and password.

To delete a user or group from your SCIM application in Entra ID:

  1. In the Azure portal under Azure services, click the Microsoft Entra ID tile.

  2. In the left-navigation menu under Manage, click Enterprise applications.

  3. Find your SCIM application in the list and click the application's name.

  4. In the left-navigation menu under Manage, click Users and groups.

  5. Click to select the checkbox for the user or group you want to remove.

  6. Click Remove.

  7. In the Do you want to remove these assignments? confirmation dialog, click Yes.

The users you deleted, whether individually or by their group membership, become inactive in Dremio. If you delete a group, Entra ID automatically removes the group's corresponding role in Dremio.

If you delete an Entra ID group, Entra ID automatically removes the group's corresponding role in Dremio and sets the group members' Dremio user accounts to inactive. Deleting an Entra ID group does not delete the group members' Dremio user accounts.

caution

To completely delete Dremio users, you must manually remove their user accounts in Dremio in addition to deleting the users and any groups they belong to from the SCIM application in Entra ID.