Set Up User-Specific Provisioning Using Microsoft Entra App Roles
With Vanta, you can assign user-specific roles by connecting Microsoft Entra App Roles to Vanta roles using SCIM. This setup suits admins who want more control over what users can access in Vanta, based on their role in your identity provider. Once configured, users are automatically given the correct Vanta role when they are added to the app in Entra, with no manual updates needed.
Follow the Directory Sync setup instructions until Step 4: Set up application attribute mapping.
This is where we map an Entra attribute to Vanta's rbac_role_id attribute. In this example, we use userType.
Set the Directory Provider Value (attribute_name) for rbac_role_id to userType.
In the Microsoft Entra admin center, open your enterprise application's Users and groups section and follow the link to its application registration. App roles are defined on the application registration; they are assigned to users on the enterprise application.
In the App Roles page, click Create App Role.
Create an app role for each Vanta role you want to enable through SCIM. Give each one a descriptive display name and a value (we map these values to Vanta role IDs in the next step). The value is the string the mapping expression compares against, so keep it stable once users are assigned.
Return to your application and go to the Provisioning section.
Go to Provisioning followed by Mappings and click on Provision Microsoft Entra ID Users.
Click Add New Mapping
Select Mapping type: Expression and Target attribute: userType
For the expression, we set up an if-else that maps the App Role Assignment to a Vanta role ID, using the role ID values shown in the Vanta UI:
IIF(SingleAppRoleAssignment([appRoleAssignments])="Vanta admins",
    "0000005ddeface0000000001",
    IIF(SingleAppRoleAssignment([appRoleAssignments])="Vanta trust collaborators",
        "0000005ddeface0000000008",
        "0000005ddeface0000000003"
    )
)
In this example, we assign the Admin role if the assignment is to "Vanta admins", the Trust Collaborator role if it is to "Vanta trust collaborators", and the Employee role otherwise. If you are mapping additional roles, add extra IIF clauses to the if-else. Two points to keep in mind: the final else branch also applies to users who reach the app with no matching app role, so it should always be your least-privileged role; and SingleAppRoleAssignment expects exactly one app role per user, so do not assign a user to more than one of these roles.
Assign roles to your users by returning to the Users and Groups section and clicking Add user/group.
You will be prompted to select an app role assignment for the users you add.
Return to the WorkOS setup instructions to complete setup.
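The same role definitions and assignments can be scripted rather than clicked through. The following is an added example using the Microsoft Graph PowerShell SDK, not a script from Vanta, WorkOS or Microsoft; it assumes the SDK is installed, that your enterprise application is named "Vanta SCIM Provisioning", and that alice@example.com is a placeholder user. It creates the three app roles used in the expression above on the app registration, assigns one user to the "Vanta admins" role on the enterprise application, and then flags any user holding more than one role, since the mapping expression expects a single assignment.

```powershell
# Added example (not Vanta's, WorkOS's or Microsoft's own script).
# Assumptions: Microsoft.Graph PowerShell SDK installed; app display name and
# user principal name below are placeholders for your tenant.
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All", "User.Read.All"

$appDisplayName = "Vanta SCIM Provisioning"   # assumption: your enterprise application's name

# The enterprise application (service principal) holds role assignments; the
# application registration (application object) holds the role definitions.
$sp  = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
$app = Get-MgApplication -Filter "appId eq '$($sp.AppId)'"

# One app role per Vanta role. Value is the string that
# SingleAppRoleAssignment([appRoleAssignments]) yields in the mapping expression.
$roleNames = @("Vanta admins", "Vanta trust collaborators", "Vanta employees")
$existing  = @($app.AppRoles)
$newRoles  = @(foreach ($name in $roleNames) {
    if ($existing.Value -contains $name) { continue }   # idempotent on re-runs
    @{
        Id                 = [guid]::NewGuid().ToString()
        DisplayName        = $name
        Description        = "Maps to the Vanta role '$name' through SCIM"
        Value              = $name
        AllowedMemberTypes = @("User")
        IsEnabled          = $true
    }
})
# Update-MgApplication replaces the whole collection, so send existing roles too.
if ($newRoles.Count -gt 0) {
    Update-MgApplication -ApplicationId $app.Id -AppRoles ($existing + $newRoles)
}

# Re-read the service principal so it reflects the new role definitions, then
# assign one user to exactly one role.
$sp        = Get-MgServicePrincipal -ServicePrincipalId $sp.Id
$adminRole = $sp.AppRoles | Where-Object Value -eq "Vanta admins"
$user      = Get-MgUser -UserId "alice@example.com"   # assumption: sample user

New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
    -PrincipalId $user.Id -ResourceId $sp.Id -AppRoleId $adminRole.Id

# Check: SingleAppRoleAssignment needs one role per user, so warn about any user
# assigned to this application under more than one role.
Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Where-Object PrincipalType -eq "User" |
    Group-Object PrincipalId |
    Where-Object Count -gt 1 |
    ForEach-Object {
        Write-Warning ("{0} holds {1} app roles; the mapping expression expects exactly one" -f
            $_.Group[0].PrincipalDisplayName, $_.Count)
    }
```

Run the final check again after any bulk assignment change; a user with two roles is the one case the IIF expression cannot resolve, and it surfaces as a provisioning error for that user rather than a silent fallback to the else branch.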
Set Up Team-Specific SCIM Provisioning in Microsoft Entra (Azure AD)
To sync Teams from Microsoft Entra to Vanta using SCIM, you'll need to use Dynamic Groups or Security Groups paired with provisioning settings in your Entra enterprise application. Follow these steps to ensure your Entra group syncs into Vanta:
Go to your Enterprise Application connected to Vanta
Navigate to Microsoft Entra Admin Center
Select Enterprise applications
Choose the app you’ve configured for SCIM (e.g., Vanta SCIM Provisioning)
Create and Assign Entra Groups
In Microsoft Entra, go to Enterprise Applications
Select the SCIM app you just connected to Vanta
Click Users and Groups
Select + Add user/group
Choose a Security Group or Dynamic Group
Assign the group to the app
These groups will be provisioned to Vanta as Teams
Confirm SCIM provisioning is enabled
Go to Provisioning
Under Mappings, select Provision Microsoft Entra ID Groups (labelled Provision Azure Active Directory Groups in older tenants)
Make sure Group mappings are configured to send the group display name and members
Sync Group Membership to Vanta as Teams
Once provisioning runs, each assigned group will appear in Vanta as a Team
Members of the group in Entra will automatically be assigned to the corresponding Team in Vanta
Important Notes:
The Team name in Vanta will mirror the group’s display name in Entra
Users can be part of multiple groups and will appear in multiple Vanta Teams
Provisioning runs on a scheduled cycle (roughly every 40 minutes), so changes may take a while to appear; use the Provision on Demand option to push a specific user or group immediately if needed
This configuration is especially useful for managing large organizations or role-based permissions, ensuring that Vanta's Team structure reflects your identity provider’s setup without manual effort.
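The group assignment and the checks in the notes above can also be done from the Microsoft Graph PowerShell SDK. The following is an added example, not a script from Vanta, WorkOS or Microsoft; it assumes the SDK is installed, that the enterprise application is named "Vanta SCIM Provisioning", and that "Security Engineering" is a placeholder security group. It assigns that group to the application (so it provisions as a Team), lists every group currently assigned together with the app role it was assigned under and its member count, and reports the provisioning job's last run so you can tell whether a change has been picked up yet.

```powershell
# Added example (not Vanta's, WorkOS's or Microsoft's own script).
# Assumptions: Microsoft.Graph PowerShell SDK installed; the app and group
# display names below are placeholders for your tenant.
Import-Module Microsoft.Graph.Applications
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes "Application.ReadWrite.All", "AppRoleAssignment.ReadWrite.All",
                        "Group.Read.All", "Synchronization.Read.All"

$appDisplayName = "Vanta SCIM Provisioning"      # assumption
$groupName      = "Security Engineering"          # assumption: an existing security group

$sp    = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
$group = Get-MgGroup -Filter "displayName eq '$groupName'"

# A group is assigned through an app role whose AllowedMemberTypes includes "User".
# Pick it deliberately: members of the group carry that app role for provisioning,
# so with the user-specific mapping in place it decides their Vanta role as well.
$role   = $sp.AppRoles |
    Where-Object { $_.IsEnabled -and $_.AllowedMemberTypes -contains "User" -and $_.Value -eq "Vanta employees" } |
    Select-Object -First 1
$roleId = if ($role) { $role.Id } else { "00000000-0000-0000-0000-000000000000" }  # default role if the app defines none

$alreadyAssigned = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Where-Object { $_.PrincipalId -eq $group.Id }
if (-not $alreadyAssigned) {
    New-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id `
        -PrincipalId $group.Id -ResourceId $sp.Id -AppRoleId $roleId
}

# Every group assigned here becomes a Vanta Team named after the group's display
# name; list them with their role and size so the expected Teams are visible.
$groupAssignments = Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $sp.Id -All |
    Where-Object PrincipalType -eq "Group"
foreach ($a in $groupAssignments) {
    $members  = @(Get-MgGroupMember -GroupId $a.PrincipalId -All)
    $roleName = ($sp.AppRoles | Where-Object Id -eq $a.AppRoleId).DisplayName
    "{0,-40} role={1,-28} members={2}" -f $a.PrincipalDisplayName,
        $(if ($roleName) { $roleName } else { "default" }), $members.Count
}

# The provisioning job runs on a schedule; show when it last completed so you
# know whether a new assignment has been synced yet or still needs Provision on Demand.
$job = Get-MgServicePrincipalSynchronizationJob -ServicePrincipalId $sp.Id | Select-Object -First 1
if ($job) {
    "Provisioning job {0}: state={1}, last run ended={2}, last run result={3}" -f
        $job.Id, $job.Status.Code, $job.Status.LastExecution.TimeEnded, $job.Status.LastExecution.State
}
```

If a group shows up in the listing but not yet as a Team in Vanta, compare the assignment time with the job's last run before assuming a mapping problem; until the next cycle (or a Provision on Demand run) the group simply has not been sent.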