SCIM (System for Cross-domain Identity Management) is a standard for provisioning and deprovisioning users and groups in an organization. Bytebase implements SCIM 2.0 and provides built-in support for Entra ID (Azure AD).
IdPUserGroupRoleInterval
Entra ID (Azure AD)Sync name and emailSync group email and membership40 minutes

Prerequisites

  • You must be the Workspace Admin to configure SCIM.
  • Configure External URL.

Entra ID

Tutorial: Managing user account provisioning for enterprise apps in Entra

Create enterprise application

Sign in to the Entra ID Admin Center Dashboard. Select Enterprise applications and click New application. create-application Select Create your own application. Give your application a descriptive name, and select Integrate any other application you don’t find in the gallery (Non-gallery) option, then click Create. create-own-application

Create provision

Go to the application detail page. Select Provision User Accounts. provision-user-accounts Click Get Started button. provision-get-started Change Provisioning Mode to Automatic. provision-automatic Go to your Bytebase console, navigate to Security & Policy -> Users & Groups page. Click Sync From Entra ID (Azure AD). bytebase-sync-from-entra Copy the Endpoint and Secret Token.
Bytebase endpoint implements SCIM protocol, please make sure you have configured External URL and it’s network accessible from Entra.
bytebase-setting Go back to Entra console, paste the Endpoint and Secret Token above to Tenant URL and Secret Token respectively. Click Test Connection and save upon success. provision-admin-credentials

Edit attribute mapping

Continue the provision, click Mappings and click Provision Microsoft Entra ID Groups. provision-group
Bytebase relies on email to uniquely identify an user. Thus you need to disable the displayName mapping and only enable the id mapping and use mail as the source attribute.
Click Edit button for the displayName row. mapping-edit-display-name Change Match objects using this attribute to No. mapping-display-name Click Edit button for the externalId row. mapping-edit-external-id
  • Change Source attribute to mail.
  • Change Match objects using this attribute to Yes.
  • Set Matching precedence to 1.
edit-external-id The final mappings look like this. mapping

Assign users and groups

In order for your users and groups to be synced to Bytebase, you will need to assign them to your Entra SCIM application. Select Users and groups and click Add user/group. add-user-group Click None selected under the Users and Groups. Select the users and groups that you want to add to the SCIM application, and click Select and Assign. assign-user-group

Turn on provisioning

On the application overview page, click Start provisioning. To test syncing, we recommend starting with Provision on demand for a subset of users or groups. start-provision Afterwards, Entra will sync the users and groups to Bytebase periodically.