# Microsoft Azure / Entra ID SSO & SCIM provisioning

Integrate Microsoft Azure with Better Stack for Single Sign-On (SSO) and System for Cross-domain Identity Management (SCIM) provisioning.

## SSO setup

Set up SSO for your organization using Microsoft Azure.

1.  Go to [Single Sign-On Settings](https://betterstack.com/settings/sso ";_blank").
2.  Select **Microsoft Azure** from the list of providers.
3.  Log in to your Microsoft Azure account and grant permissions to the Better Stack app.
4.  After seeing a message "Azure Single Sign-On was successfully connected", you are all set.

## SCIM user provisioning

You can also use SCIM provisioning, which automates user management in Better Stack directly from Microsoft Azure.

1.  Go to [Single Sign-On Settings](https://betterstack.com/settings/sso/edit ";_blank"), go to the **Provisioning** tab, and click **Enable provisioning**.
2.  Open the **Better Stack Enterprise Application** in your Azure account.
3.  In the left menu, click **Provisioning**.
4.  Select **Automatic Provisioning Mode**.
5.  For **Tenant URL**, enter `https://betterstack.com/scim/v2`.
6.  Copy and paste your **Secret Token**.
7.  Click **Test Connection** to ensure Azure can connect to Better Stack.
8.  Click **Save**.

Provisioning is now active. Users and teams will now be automatically pushed from Azure to Better Stack.

### Group provisioning

Pushing user groups from Azure to Better Stack will create corresponding teams in Better Stack. Deprovisioning a group from Azure will delete the respective team and its resources in Better Stack.

[danger]
## Deprovisioning can cause data loss

Deprovisioning a group from Azure will **permanently delete all resources** associated with the team in Better Stack. Ensure that you have backed up or transferred any essential data before proceeding.
[/danger]

### Role-based provisioning

Better Stack supports provisioning users based on their roles. You can configure the role attribute in Azure by following these steps:

1.  Go to [Enable SCIM schema editor](https://portal.azure.com/?Microsoft_AAD_Connect_Provisioning_forceSchemaEditorEnabled=true ";_blank") to enable custom attribute editing for SCIM provisioning.
2.  In the Azure portal, go to **Enterprise Applications**.
3.  Choose **Better Stack** from the list of applications.
4.  Go to **Manage → Provisioning**.
5.  Under **Mappings**, select **Provision Azure Active Directory Users**.
6.  Check the **Show advanced options** box, then click **Edit attribute list for Better Stack**.
7.  At the bottom of the attribute table, add a new attribute:
    *   **Name**: `roleName`.
    *   **Exact case?**: check the box.
    *   Click **Save**, and confirm with **Yes**.
8.  Go back to the **Attribute Mapping** page and click **Add New Mapping**.
    *   Under **Target attribute**, select the newly added `roleName` attribute. You can now map it like any other attribute.

#### Role-based provisioning: Step-by-step video guide

<div style="position: relative; padding-bottom: 57.6307363927428%; height: 0;"><iframe src="https://www.loom.com/embed/abbdc06ad8314fad9350a637e825d3df?sid=bb1d18a7-734b-4a3b-8b0d-42dc596e29f7" frameborder="0" webkitallowfullscreen mozallowfullscreen allowfullscreen style="position: absolute; top: 0; left: 0; width: 100%; height: 100%;"></iframe></div>

## Additional details

*   **User removal**: Deactivating a user in Azure will remove them from Better Stack.
*   **Reactivation**: Reactivating a user in Azure will automatically re-add them to Better Stack.

After configuring provisioning, use Azure’s provisioning logs to monitor user synchronization status.

You can find more details in the [Microsoft Entra SCIM provisioning tutorial](https://learn.microsoft.com/en-us/entra/identity/saas-apps/better-stack-provisioning-tutorial ";_blank").