Security
SCIM
SCIM (System for Cross-domain Identity Management) is a standard for provisioning and deprovisioning users and groups in an organization.
Bytebase implements SCIM 2.0 and provides built-in support for Entra ID (Azure AD).
Select Create your own application. Give your application a descriptive name, and select Integrate any other application you don’t find in the gallery (Non-gallery) option, then click Create.
Click Get Started button.
Change Provisioning Mode to Automatic.
Go to your Bytebase console, navigate to Security & Policy -> Users & Groups page. Click Sync From Entra ID (Azure AD).
Copy the Endpoint and Secret Token.
Go back to Entra console, paste the 
Click Edit button for the 
Change Match objects using this attribute to 
Click Edit button for the 
The final mappings look like this.
Click None selected under the Users and Groups. Select the users and groups that you want to add to the SCIM application, and click Select and Assign.
Afterwards, Entra will sync the users and groups to Bytebase periodically.
| IdP | User | Group | Role | Interval |
|---|---|---|---|---|
| Entra ID (Azure AD) | Sync name and email | Sync group email and membership | ❌ | 40 minutes |
Prerequisites
- You must be the Workspace Admin to configure SCIM.
- Configure External URL.
Entra ID
Tutorial: Managing user account provisioning for enterprise apps in Entra
Create enterprise application
Sign in to the Entra ID Admin Center Dashboard. Select Enterprise applications and click New application.
Select Create your own application. Give your application a descriptive name, and select Integrate any other application you don’t find in the gallery (Non-gallery) option, then click Create.
Create provision
Go to the application detail page. Select Provision User Accounts.
Click Get Started button.
Change Provisioning Mode to Automatic.
Go to your Bytebase console, navigate to Security & Policy -> Users & Groups page. Click Sync From Entra ID (Azure AD).
Copy the Endpoint and Secret Token.
Bytebase endpoint implements SCIM protocol, please make sure you have configured External URL and it’s network accessible from Entra.
Go back to Entra console, paste the Endpoint and Secret Token above to Tenant URL and Secret Token respectively.
Click Test Connection and save upon success.
Edit attribute mapping
Continue the provision, click Mappings and click Provision Microsoft Entra ID Groups.
Bytebase relies on email to uniquely identify an user. Thus you need to disable the
displayName mapping and only
enable the id mapping and use mail as the source attribute.displayName row.
Change Match objects using this attribute to No.
Click Edit button for the externalId row.
- Change Source attribute to
mail. - Change Match objects using this attribute to
Yes. - Set Matching precedence to
1.
The final mappings look like this.
Assign users and groups
In order for your users and groups to be synced to Bytebase, you will need to assign them to your Entra SCIM application. Select Users and groups and click Add user/group.
Click None selected under the Users and Groups. Select the users and groups that you want to add to the SCIM application, and click Select and Assign.
Turn on provisioning
On the application overview page, click Start provisioning. To test syncing, we recommend starting with Provision on demand for a subset of users or groups.
Afterwards, Entra will sync the users and groups to Bytebase periodically.