Assigning Roles and Teams via SCIM in Microsoft Entra ID

This guide explains how to configure Microsoft Entra ID (formerly Azure AD) to assign roles and teams when provisioning or updating users in Zeeg via SCIM.

Written by Emma Gamradt
Updated over 2 months ago

Prerequisites

  • SSO is configured between your Entra tenant and Zeeg.

  • SCIM provisioning is enabled in Zeeg (Settings > Security > SCIM).

  • You have the SCIM Tenant URL and Bearer Token from Zeeg.


How it works

Zeeg uses a custom SCIM extension schema to receive role and team assignments:

urn:ietf:params:scim:schemas:extension:zeeg:2.0:User

This extension carries two attributes:

| Attribute | Type | Description |
| --- | --- | --- |
| role | String | The user's role in the Zeeg organization |
| teams | Array of objects | Teams the user should belong to |


Available roles

| Role | Description |
| --- | --- |
| admin | Full administrative access to the organization |
| user | Standard member (default if no role is specified) |
| external | Limited external collaborator access |

The owner and partner roles cannot be assigned or overwritten via SCIM.


Configuring attribute mappings in Entra ID

Step 1: Open provisioning settings

  1. Go to Microsoft Entra admin center > Enterprise Applications.

  2. Select your Zeeg application.

  3. Go to Provisioning > Edit provisioning > Mappings.

  4. Click on Provision Microsoft Entra ID Users.

Step 2: Add the role attribute

  1. Click Add New Mapping.

  2. Configure as follows:

| Field | Value |
| --- | --- |
| Mapping type | Direct |
| Source attribute | (see options below) |
| Target attribute | urn:ietf:params:scim:schemas:extension:zeeg:2.0:User:role |
| Match objects using this attribute | No |
| Apply this mapping | Always |

Source attribute options:

  • Option A — From a user attribute: Use a synced AD attribute (e.g., jobTitle, department, or a directory extension attribute) that contains the value admin, user, or external.

  • Option B — Expression: Use an Entra expression to map values. For example:

Switch([department], "user", "IT", "admin", "Engineering", "admin", "Contractors", "external")

This maps the IT and Engineering departments to admin, Contractors to external, and everything else defaults to user.

  • Option C — Constant value: Set a fixed role for all provisioned users (e.g., user).

Step 3: Add the teams attribute

  1. Click Add New Mapping.

  2. Configure as follows:

| Field | Value |
| --- | --- |
| Mapping type | Expression |
| Expression | (see below) |
| Target attribute | urn:ietf:params:scim:schemas:extension:zeeg:2.0:User:teams |

The teams attribute expects a JSON array of objects. Each object must include either a uuid OR a slug identifying the Zeeg team:

Using the team's UUID:

[
  { "uuid": "a1b2c3d4-e5f6-..." }
]

Using the team's slug:

[
  { "slug": "engineering" }
]

Finding team UUIDs or slugs:

  • In Zeeg, go to Settings > Organization > Teams.

  • Each team has a UUID (visible in the URL or API) and a slug (the URL-friendly name).

Expression examples:

  • Single team for all users (constant):

    "[{""slug"": ""default-team""}]"

  • Map by department:

    Switch([department], "[{""slug"": ""general""}]", "Engineering", "[{""slug"": ""engineering""}]", "Sales", "[{""slug"": ""sales""}]")

When you send teams via a PUT or PATCH update, Zeeg performs a full sync — the user will be removed from any teams not included in the list and added to the ones specified. On initial creation (POST), teams are only added.


Example SCIM payloads

Creating a user with role and teams

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User",
    "urn:ietf:params:scim:schemas:extension:zeeg:2.0:User"
  ],
  "userName": "jane.doe@example.com",
  "name": {
    "givenName": "Jane",
    "familyName": "Doe"
  },
  "emails": [
    { "primary": true, "value": "jane.doe@example.com", "type": "work" }
  ],
  "active": true,
  "urn:ietf:params:scim:schemas:extension:zeeg:2.0:User": {
    "role": "admin",
    "teams": [
      { "slug": "engineering" }
    ]
  }
}

Updating a user's role (PATCH)

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {
      "op": "Replace",
      "path": "urn:ietf:params:scim:schemas:extension:zeeg:2.0:User:role",
      "value": "user"
    }
  ]
}

Updating a user's teams (PATCH)

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [
    {
      "op": "Replace",
      "path": "urn:ietf:params:scim:schemas:extension:zeeg:2.0:User:teams",
      "value": [
        { "slug": "sales" },
        { "slug": "marketing" }
      ]
    }
  ]
}

Behavior summary

| Action | Role | Teams |
| --- | --- | --- |
| Create (POST) | Assigned from payload; defaults to user | Additive — user is added to listed teams |
| Replace (PUT) | Updated if valid and current role is not owner/partner | Full sync — user is removed from unlisted teams and added to new ones |
| Update (PATCH) | Updated if valid and current role is not owner/partner | Full sync — same as PUT |
| Attribute not sent | Defaults to user on create; unchanged on update | No changes on update |
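
The behavior table above, modeled as a small Python function so that a mapping change can be checked for unintended team removals or role changes before it is rolled out. This is an added example, not Zeeg's code: the state layout, the function names and the slug-only team identifiers are assumptions, and an invalid role on create is assumed to fall back to user.

```python
ASSIGNABLE = {"admin", "user", "external"}  # roles the page lists as settable via SCIM
PROTECTED = {"owner", "partner"}            # never assigned or overwritten via SCIM


def slugs(teams):
    """Collect team slugs; this model identifies teams by slug only (assumption)."""
    return {t["slug"] for t in teams}


def apply_scim(current, method, ext):
    """Return (new_state, removed_teams) for one SCIM write.

    current: None on create, else {"role": str, "teams": set of slugs}
    method:  "POST", "PUT" or "PATCH"
    ext:     Zeeg extension attributes; a missing key means "attribute not sent"
    """
    role = ext.get("role")
    if method == "POST":
        # Create: role from payload, default user; teams are only added.
        # Assumption: an invalid role on create also ends up as the default.
        start = role if role in ASSIGNABLE else "user"
        return {"role": start, "teams": slugs(ext.get("teams", []))}, set()

    new = {"role": current["role"], "teams": set(current["teams"])}
    # Update: applied only if the value is valid and the user is not owner/partner.
    if role in ASSIGNABLE and current["role"] not in PROTECTED:
        new["role"] = role
    removed = set()
    if "teams" in ext:
        # PUT/PATCH full sync: the sent list becomes the membership.
        new["teams"] = slugs(ext["teams"])
        removed = current["teams"] - new["teams"]
    return new, removed


# Constructed scenario: a department-based teams mapping changes a user's list.
jane, _ = apply_scim(None, "POST", {"role": "admin", "teams": [{"slug": "engineering"}]})
jane, lost = apply_scim(jane, "PATCH", {"teams": [{"slug": "sales"}, {"slug": "marketing"}]})
print(jane, "removed:", lost)
```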


Troubleshooting

| Issue | Cause | Solution |
| --- | --- | --- |
| Role not applied | Value is not one of admin, user, external | Verify the mapped value is lowercase and matches exactly |
| Teams not assigned | Team UUID or slug does not exist in the org | Double-check team identifiers in Zeeg settings |
| User removed from teams after update | PUT/PATCH syncs teams (full replacement) | Always include all desired teams in the payload |
| owner role not settable | Protected role | The owner role can only be set from within Zeeg |
| SCIM token rejected | Token expired or SCIM was re-enabled | Generate a new token in Zeeg and update Entra |
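
A pre-flight check for a SCIM request body that catches the role and team-identifier problems from the table above before the request is sent. This is an added example, not part of Zeeg or Entra: `extract` and `lint` are hypothetical names, it only reads PatchOp operations that carry a path, and teams arriving as JSON text from an expression mapping is an assumption.

```python
import json

EXT = "urn:ietf:params:scim:schemas:extension:zeeg:2.0:User"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ASSIGNABLE = {"admin", "user", "external"}  # roles the page lists as settable


def extract(body):
    """Return the Zeeg extension attributes from a User resource or a PatchOp."""
    if PATCH_SCHEMA not in body.get("schemas", []):
        return dict(body.get(EXT, {}))
    return {op["path"][len(EXT) + 1:]: op.get("value")
            for op in body.get("Operations", [])
            if str(op.get("path", "")).startswith(EXT + ":")}


def lint(raw):
    """Return a list of findings for one SCIM request body given as JSON text."""
    try:
        body = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    if not isinstance(body, dict):
        return ["body is not a JSON object"]
    attrs, findings = extract(body), []
    role = attrs.get("role")
    if role is not None and (not isinstance(role, str) or role not in ASSIGNABLE):
        hint = " (check case)" if str(role).lower() in ASSIGNABLE else ""
        findings.append(f"role {role!r} is not assignable via SCIM{hint}")
    teams = attrs.get("teams")
    if isinstance(teams, str):  # assumption: expression mappings arrive as JSON text
        try:
            teams = json.loads(teams)
        except json.JSONDecodeError:
            teams = None
            findings.append("teams text is not valid JSON")
    if teams is not None and not isinstance(teams, list):
        findings.append("teams must be an array of objects")
    for i, team in enumerate(teams if isinstance(teams, list) else []):
        if not isinstance(team, dict) or not (team.keys() & {"uuid", "slug"}):
            findings.append(f"teams[{i}] has neither uuid nor slug")
    return findings


# Constructed sample: mixed-case role and one team object without an identifier.
SAMPLE = json.dumps({"schemas": [PATCH_SCHEMA], "Operations": [
    {"op": "Replace", "path": EXT + ":role", "value": "Admin"},
    {"op": "Replace", "path": EXT + ":teams", "value": [{"slug": "sales"}, {"name": "x"}]},
]})
```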
