Configure SCIM Provisioning with Microsoft Entra ID Enterprise
Dremio supports System for Cross-domain Identity Management (SCIM) to integrate Microsoft Entra ID with Dremio for managing external users. When properly configured, Microsoft Entra ID automatically creates Dremio user accounts if they do not already exist. Entra ID also automatically updates user attributes in Dremio, deactivates Dremio user accounts, and creates roles in Dremio based on groups in Microsoft Entra ID.
In addition to SCIM provisioning, you can configure Microsoft Entra ID as an identity provider (IdP) in Dremio. Follow the instructions in Configure Microsoft Entra ID as an Identity Provider to add Microsoft Entra ID as a single sign-on (SSO) IdP in Dremio.
Prerequisites
Configuring SCIM provisioning in Microsoft Entra ID requires:
- Privileges in Microsoft Entra ID that permit you to register and configure applications
- A Dremio personal access token (PAT) for a Dremio user who is a member of the ADMIN role
Configure an Application for SCIM Provisioning
To create an application for SCIM provisioning in Microsoft Entra ID:
- In the Azure portal under Azure services, click the Microsoft Entra ID tile.
- In the left-navigation menu under Manage, click Enterprise applications.
- Click New application.
- Click Create your own application.
- In the Create your own application panel, type a name for the application in the provided field.
- Under What are you looking to do with your application?, select the Integrate any other application you don't find in the gallery (Non-gallery) option.
- Click the Create button.
- In the left-navigation menu under Manage, click Provisioning.
- Click the Get started button.
- In the Provisioning Mode drop-down list, select Automatic.
- Under Admin Credentials, enter the correct Tenant URL for your control plane:
  - US control plane: https://scim.dremio.cloud/scim/v2/?aadOptscim062020
  - EU control plane: https://scim.eu.dremio.cloud/scim/v2/?aadOptscim062020

  Note: The Tenant URL must include the aadOptscim062020 query parameter due to a Microsoft Entra ID issue with SCIM 2.0 compliance. If you previously configured a SCIM app with Microsoft Entra ID, SCIM syncing may fail for requests to deactivate users, add and update user attributes, and remove group members. If you observe these failures, follow the Microsoft documentation to upgrade from the older customappsso job to the SCIM job.
- Enter your Dremio PAT in the Secret Token field.
- (Optional) Click Test Connection to confirm that Microsoft Entra ID can connect to the tenant URL.
- Click Save.
- (Optional) Click the down-arrow next to Settings, and adjust the settings as desired. Click Save when you are finished.
- Return to the Provisioning Overview page for the application.
- In the left-navigation menu under Manage, click Provisioning.
- Under Provisioning Status, toggle the setting to On.
- Click Save.
SCIM provisioning is now configured and enabled. You can create users, update user attributes, and deactivate users in Dremio, all from Microsoft Entra ID.
Read Microsoft's documentation about how long it takes to provision users for details about Microsoft Entra ID's initial and incremental provisioning cycles.
If desired, you can use Microsoft Entra ID's scoping filters to apply attribute-based rules for user provisioning. Read Scoping users or groups to be provisioned with scoping filters in the Microsoft documentation for more information.
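As a pre-flight check before you toggle Provisioning Status to On, the following Python script (added here as an example; it is not part of Dremio's documentation or tooling) validates a Tenant URL against the two documented control-plane values and the required aadOptscim062020 query parameter, and can probe the endpoint with the PAT the way Test Connection does. The probe assumes Dremio exposes the standard SCIM 2.0 ServiceProviderConfig resource; the function names are this example's own.

```python
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlparse

# Tenant URLs as documented, keyed by control plane.
TENANT_URLS = {
    "us": "https://scim.dremio.cloud/scim/v2/?aadOptscim062020",
    "eu": "https://scim.eu.dremio.cloud/scim/v2/?aadOptscim062020",
}
REQUIRED_PARAM = "aadOptscim062020"
EXPECTED_HOSTS = {urlparse(u).hostname for u in TENANT_URLS.values()}


def check_tenant_url(url: str) -> list[str]:
    """Return the problems found with a SCIM Tenant URL; an empty list means OK."""
    problems = []
    parts = urlparse(url)
    if parts.scheme != "https":
        problems.append("scheme must be https")
    if parts.hostname not in EXPECTED_HOSTS:
        problems.append(
            f"unexpected host {parts.hostname!r}; expected one of {sorted(EXPECTED_HOSTS)}"
        )
    if parts.path.rstrip("/") != "/scim/v2":
        problems.append(f"path must be /scim/v2/, got {parts.path!r}")
    # keep_blank_values is needed: the parameter is present with no value.
    if REQUIRED_PARAM not in parse_qs(parts.query, keep_blank_values=True):
        problems.append(f"missing required query parameter {REQUIRED_PARAM}")
    return problems


def probe_scim(url: str, pat: str, timeout: float = 10.0) -> int:
    """GET the SCIM ServiceProviderConfig resource with the PAT as a bearer token
    and return the HTTP status. ASSUMPTION: the standard SCIM 2.0 resource exists
    at <Tenant URL>/ServiceProviderConfig, with the query string preserved."""
    base, _, query = url.partition("?")
    target = f"{base.rstrip('/')}/ServiceProviderConfig" + (f"?{query}" if query else "")
    req = urllib.request.Request(
        target,
        headers={"Authorization": f"Bearer {pat}", "Accept": "application/scim+json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    for plane, url in TENANT_URLS.items():
        print(plane, "OK" if not check_tenant_url(url) else check_tenant_url(url))
```

A 401 or 403 from probe_scim points at the PAT or its ADMIN membership; a 404 points at the path or query parameter.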
Create Users
After you configure a Microsoft Entra ID application for SCIM provisioning, you must assign users and groups to the application. Dremio automatically creates a new Dremio user account for anyone you assign to the SCIM application who does not already have an account. Follow the instructions in the Microsoft documentation to assign users and groups to an application.
New Dremio users can log in to Dremio immediately, and administrators can view their user accounts in Dremio. New users are automatically members of the PUBLIC role in Dremio.
Create Roles
If you add a group to your SCIM application in Microsoft Entra ID, your designated group becomes a role in Dremio populated with the group's members. Follow the instructions in the Microsoft documentation to assign users and groups to an application.
Use Microsoft Entra ID to manage any roles you create with groups. Any changes you make to a role or its membership in Dremio are immediately overwritten by the next provisioning cycle from Microsoft Entra ID. Making changes in Dremio can result in synchronization errors.
Update User Attributes
With SCIM provisioning configured, updates to user attributes in Microsoft Entra ID are propagated to the user account in Dremio. Follow the instructions in the Microsoft documentation to edit user profile information.
The First name and Last name attributes in Microsoft Entra ID are mapped to user accounts in Dremio. After you configure an application for SCIM provisioning in Microsoft Entra ID and assign users to it, you can change these user attributes in Microsoft Entra ID to update the corresponding user information in Dremio.
Microsoft Entra ID controls user email addresses. If a user's email address changes, you must create a new user in Microsoft Entra ID. Then, assign the new Microsoft Entra ID user to the SCIM application (either individually as a user or by adding them to an assigned group). Microsoft Entra ID creates a new Dremio user account, and the person logs in to Dremio with the new email address as a new user.
Deactivate Users
When you delete a user or group from the application for SCIM provisioning in Microsoft Entra ID, the affected users become inactive in Dremio and cannot log in to Dremio at all, whether with Microsoft Entra ID SSO or username and password.
To delete a user or group from your SCIM application in Microsoft Entra ID:
- In the Azure portal under Azure services, click the Microsoft Entra ID tile.
- In the left-navigation menu under Manage, click Enterprise applications.
- Find your SCIM application in the list and click the application's name.
- In the left-navigation menu under Manage, click Users and groups.
- Click to select the checkbox for the user or group you want to remove.
- Click Remove.
- In the Do you want to remove these assignments? confirmation dialog, click Yes.
The users you deleted, whether individually or by their group membership, become inactive in Dremio. If you delete a group, Microsoft Entra ID automatically removes the group's corresponding role in Dremio.
If you delete a group in Microsoft Entra ID, the group's corresponding role is automatically removed in Dremio and the group members' Dremio user accounts are set to inactive. Deleting a Microsoft Entra ID group does not delete the group members' Dremio user accounts.
To completely delete Dremio users, you must manually remove their user accounts in Dremio in addition to deleting the users and any groups they belong to from the SCIM application in Microsoft Entra ID.