# Entra ID

To set up SCIM in Entra ID for BirdCRM, you first need to establish the SCIM connection and settings. After that, you’ll configure Push Groups to link BirdCRM Groups with their assigned role(s) for user provisioning.

This section is divided into four parts:

1. [BirdCRM Steps for SCIM Configuration](#birdcrm-steps-for-scim-configuration)
2. [Entra ID configuration](#entra-id-configuration)
3. [Group-based Role Assignment](#group-based-role-assignment)
4. [BirdCRM Final step](#birdcrm-final-step)

### BirdCRM Steps for SCIM Configuration

1. Navigate to the **SCIM Settings** page, which is available [here](https://app.bird.com/settings/security/scim-settings), or go to **Settings** > **Security** > **SCIM Settings**.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcHLLFrgOthb05LR0QX_ezWbdcr-ROTRPVP0-gu2Vcq2SYbczxVLYJ0xBxxEVNVBr1sF0YQXRr7--IaFg5tPu9fH35vpPGncfyrulIWTEM047oRRwafRu5oAyB2sXO1-EtnQoKNKsv-TvS7zly7c1ak5z4?key=G4cws1tM_IONCfaBmekmJw" alt=""><figcaption></figcaption></figure>

2. Copy the **SCIM Base URL** by clicking “Copy” next to it. You’ll need this URL for the Entra ID setup in the next section.
3. Click on **Add new access key**, fill out a meaningful **Name** and **Description**, and click **Save**.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXcGMYeNNtvvWBMBw-BG7vwkinMSPx8FnH29H5FQuz_XZycHHTUmeuBrr8t3WRKaI8Q9ntAkV4NwLtljXVS8j3qtez9lwbMDJA2VNYGrrCdfedMSIteHYPcwa6JuWvPkicrijmDsuR6NNJx9xC3a-nHk2A?key=G4cws1tM_IONCfaBmekmJw" alt=""><figcaption></figcaption></figure>

4. Once your Access Key appears, copy it and save it securely. You won’t be able to view it again, and you’ll need it to configure Entra ID later.

### Entra ID configuration

1. To enable SCIM provisioning of users, you’ll need to set up an **Enterprise Application** in Entra ID. If you haven’t created this application yet, please refer to the [Entra ID SSO section](https://docs.bird.com/applications/~/changes/SidqSnOUVNHmcp2wkLG7/account-and-billing/account/organization-settings/single-sign-on-sso/entra-id).
2. From the Overview page of your BirdCRM Enterprise Application, click on **3. Provision User Accounts** followed by **Get Started**.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXdjBsPY3b9n_vxNAQq0ASeHRuIKmP63TWKU6D2MN2fgCa3zMd5-hd5qn8Xztkrkx-GT9YPidfHooXPueha6FsDjDTeVyAQnfTatFJw13-yn2ROKAcU-zz0VHCqtJmrDl1CcPhTVVRx3RS8tS1Z71WKLYQ?key=G4cws1tM_IONCfaBmekmJw" alt=""><figcaption></figcaption></figure>

3. Change the **Provisioning Mode** to **Automatic**, then copy the SCIM Base URL from **Step 2** of the previous section and paste it into the **Tenant URL** field.
4. Copy the **Access Key** you created in the previous section into the **Secret Token** field. Click on **Test Connection** to make sure the setup works. If the data entered is correct, you will receive a success message and be able to click **Save**.

<figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXct7S6wMoW7az0_p630WzNwjS3yS_mpwKJKIDCF1wowHp_L1fXXXB3g_Wf1SU30nnN-lJ3fcDGZcobln1nknIEugUsPIrSa2gD-oneE3wEi6Ji5uWHU2vLugsFrgY_99At0UG-gbP7TPxoBAQURa85-aSY?key=G4cws1tM_IONCfaBmekmJw" alt=""><figcaption></figcaption></figure>

5. Once the settings have been saved, you will be able to expand the **Mappings** section. Click on **Provision Microsoft Entra ID Users**.

<figure><img src="https://3861485111-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FU9kiDiTGVD8kkbnKKyEn%2Fuploads%2FoQTdSebdrhDNzdlEH4wJ%2Fimage.png?alt=media&#x26;token=0a58fde4-0a6c-4f6c-ae9b-7f0673af74e9" alt=""><figcaption></figcaption></figure>

6. Scroll to the **Attribute Mappings** and remove all attributes except for **userName, active, and displayName** as shown in the screenshot below:

<figure><img src="https://3861485111-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FU9kiDiTGVD8kkbnKKyEn%2Fuploads%2F31L9ioEH4ZFxj3ifHRXX%2Fimage.png?alt=media&#x26;token=5f137550-47ae-4e6a-aa20-ff5bf807b630" alt=""><figcaption></figcaption></figure>

7. Click on **Save** and return to your **Enterprise Application**. You can now turn **Provisioning Status** to **On** and assign users and groups to the application; they will then be created in your BirdCRM organization.

<figure><img src="https://3861485111-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FU9kiDiTGVD8kkbnKKyEn%2Fuploads%2FlOGEONEpGsTvdvXZrfm9%2Fimage.png?alt=media&#x26;token=d89d4acd-88b2-40dc-8377-2de3750f09d0" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
At this stage SCIM is technically set up: users can be assigned to the application via an **Individual** or **Group assignment** and will be created in your organization. However, they will not be assigned a role and would need one applied manually to be able to log in. To automatically assign a role or roles to your users, you can set up **Push Groups** and **Groups** in BirdCRM.
{% endhint %}
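
The gap described in the hint above (provisioned users with no role) can be reviewed from user and group listings. This is an added example, not BirdCRM or Microsoft code: it assumes listings in the standard SCIM 2.0 ListResponse shape, uses constructed sample data, and the function name `audit_role_coverage` is hypothetical.

```python
import json

# Constructed sample listings in SCIM 2.0 ListResponse shape (not real data).
USERS = json.loads("""{"totalResults": 4, "Resources": [
  {"id": "u1", "userName": "ana@example.com",  "displayName": "Ana",  "active": true},
  {"id": "u2", "userName": "ben@example.com",  "displayName": "Ben",  "active": true},
  {"id": "u3", "userName": "cleo@example.com", "displayName": "Cleo", "active": false},
  {"id": "u4", "userName": "dev@example.com",  "displayName": "Dev",  "active": true}]}""")
GROUPS = json.loads("""{"totalResults": 2, "Resources": [
  {"id": "g1", "displayName": "BirdCRM Marketing Team",
   "members": [{"value": "u1"}, {"value": "u3"}]},
  {"id": "g2", "displayName": "BirdCRM Support Team"}]}""")


def audit_role_coverage(users, groups):
    """Return (active users in no synced group, inactive users still in groups).

    Group membership is necessary for an automatic role, not sufficient:
    the group must also have a role added on the BirdCRM side.
    """
    by_id = {u["id"]: u for u in users.get("Resources", [])}
    membership = {}  # user id -> names of the synced groups containing it
    for group in groups.get("Resources", []):
        # "members" may be absent or null for an empty group.
        for member in group.get("members") or []:
            membership.setdefault(member["value"], []).append(group["displayName"])

    no_group = sorted(
        u["userName"] for uid, u in by_id.items()
        if u.get("active") and uid not in membership
    )
    inactive_in_group = sorted(
        (by_id[uid]["userName"], names) for uid, names in membership.items()
        if uid in by_id and not by_id[uid].get("active")
    )
    return no_group, inactive_in_group


if __name__ == "__main__":
    no_group, inactive_in_group = audit_role_coverage(USERS, GROUPS)
    print("Active, no synced group (no automatic role):", no_group)
    print("Inactive but still a group member:", inactive_in_group)
```

Users in the first list were assigned individually and need a manual role or a group assignment; users in the second list are worth an access review because they are disabled yet still sit in a role-bearing group.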

### Group-based Role Assignment

Group-based Role Assignments offer flexibility in managing users’ access to BirdCRM. You can scope roles to one or more workspaces and create granular access which is automatically managed via Entra ID.

To set up Group-based Role Assignment, you first need to push any groups to BirdCRM Groups and then assign the roles you would like per Group. Once you have the roles set up, any users you add to the synced Entra ID groups will automatically receive the roles defined on the BirdCRM Groups.

#### Entra ID Steps

1. First, verify that you have **Provision Microsoft Entra ID Groups** enabled under Mappings.

<figure><img src="https://3861485111-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FU9kiDiTGVD8kkbnKKyEn%2Fuploads%2FktLX5Qr3RfqL2C8lS1Zv%2Fimage.png?alt=media&#x26;token=b0a91a09-bfdf-4865-b114-38fab3ca52c2" alt=""><figcaption></figcaption></figure>

2. Any groups that are assigned access to the application in **Entra ID** will have a synced BirdCRM Group created. In the example below, the BirdCRM Marketing Team group in **Entra ID** is assigned to the BirdCRM Enterprise Application with SCIM enabled.

<figure><img src="https://3861485111-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FU9kiDiTGVD8kkbnKKyEn%2Fuploads%2FnvfJSBFGTvSjGScYa70K%2Fimage.png?alt=media&#x26;token=2443d0e5-a546-41b5-924b-15556d69060b" alt=""><figcaption></figcaption></figure>

3. A group with the same name is created in BirdCRM.

<figure><img src="https://3861485111-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FU9kiDiTGVD8kkbnKKyEn%2Fuploads%2Flj6ZAvCifm9Et4DveFIK%2Fimage.png?alt=media&#x26;token=bc6ed4be-dec6-4ece-b46a-e4b77cc59fc4" alt=""><figcaption></figcaption></figure>

4. You can assign multiple groups to the application in **Entra ID** depending on your access control needs.

### BirdCRM Final step

1. Navigate to the **Groups** section of the Organization tab in Settings which is available [here](https://app.bird.com/settings/organization/groups).
2. Click on the **Group** you would like to assign a role or multiple roles to and click **View group**.

<figure><img src="https://3861485111-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FU9kiDiTGVD8kkbnKKyEn%2Fuploads%2FcKvKCAdPp9RHjKdOTL1h%2Fimage.png?alt=media&#x26;token=ff2b3089-c4c6-4869-ae8e-ef5ea1455fba" alt=""><figcaption></figcaption></figure>

3. Here you will see the Group overview, including roles and group members. To add a role to the **Group**, click on **Add new role**, select a **Role** from the available choices, and optionally select one or more **Workspaces** to restrict the role access to.

<figure><img src="https://3861485111-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FU9kiDiTGVD8kkbnKKyEn%2Fuploads%2FFaHbWigZXFhppoNzRvJQ%2Fimage.png?alt=media&#x26;token=4afb8126-9536-4551-a513-52d2b1a26607" alt=""><figcaption></figcaption></figure>

4. You can add multiple roles to the Group by continuing to click **Add new role** and selecting a **Role** and optionally one or more Workspaces to restrict the access to.
5. Click on **Update** and the roles will then be assigned to any Users of the Group.

{% hint style="success" %}
Any new users that are added to the linked Entra ID group will then get added to the BirdCRM Group and receive the associated roles.
{% endhint %}
