Azure SCIM Attribute Instructions

  • Updated
  • Follow the Directory Sync setup instructions until Step 4: Set up application attribute mapping
  • This is where we will map an Entra attribute to the Vanta rbac_role_id attribute. In this example, we will use userType.


  • In Azure, go to your app's Users and groups section and click on application registration. 

  • In the App Roles page, click Create App Role.

  • Create an app role for each Vanta role you want to enable through SCIM. Give it a descriptive name and value (we will map these to role IDs in the next step).

  • Return to your application and go to the Provisioning section.

  • Go to Provisioning followed by Mappings and click on Provision Microsoft Entra ID Users.

  • Click Add New Mapping

  • Select Mapping type: Expression and Target attribute: userType 

  • For the expression, we will set up an if-else that maps App Role Assignment to Vanta role ID, using the values from the Vanta UI:


IIF(SingleAppRoleAssignment([appRoleAssignments])="Vanta admins", 


IIF(SingleAppRoleAssignment([appRoleAssignments])="Vanta sales admins", 




  • In this example, we assign the Admin role if the assignment is to “Vanta admins”, the Sales Admin role if the assignment is to “Vanta sales admins”, and the Employee role otherwise. If you are mapping additional roles, you may add extra clauses to the if-else.
  • Assign roles to your users by returning to the Users and Groups section and clicking Add user/group.

  • You will be prompted to select an app role assignment for the users you add.


  • Return to the WorkOS setup instructions to complete setup.