Your organization uses SCIM to provision users from Entra ID. You want the Finance team group from Entra ID to sync automatically into Aritma, so you can grant the entire team access in one step — without managing users manually.
Approach: Create and populate the group in Entra ID, assign it to the SCIM application, wait for sync, then apply a single policy to the synced group in Aritma.
- SCIM provisioning configured — see Set Up Enterprise SSO and SCIM
- An access token with IAM admin permissions
- The scope URI for the subscription you want to grant access to
In the Azure portal, go to Entra ID → Groups and create a new group named Finance Team. Add the users who need access as members.
Group names sync as-is into Aritma. Use a consistent naming convention if you plan to manage multiple synced groups.
In Entra ID → Enterprise Applications, open the application configured for Aritma SCIM provisioning. Under Users and groups, add the Finance Team group.
Entra ID will provision the group and its members to Aritma on the next sync cycle. You can trigger an immediate sync from the Provisioning tab by clicking Provision on demand.
Retrieve all subject groups in your tenant and confirm the Finance Team group appears:
- Mock server: https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/subjects/groups
- IAM API: https://api.dev.aritma.io/core/iam/v1/subjects/groups

```bash
curl -i -X GET \
  'https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/subjects/groups?searchQuery=Finance&page=1&pageSize=100' \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>'
```

Locate the Finance Team entry in the response and note its subjectId. You will use it as the subject in the policy.
```json
{
  "id": "7c9e6679-7425-40de-944b-e07fc1f90ae7",
  "displayName": "Finance Team",
  "subjectId": "group-7c9e6679-7425-40de-944b-e07fc1f90ae7",
  "type": "Group"
}
```

- Mock server: https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/policies
- IAM API: https://api.dev.aritma.io/core/iam/v1/policies
```bash
# The subject is the synced group's subjectId from the previous response, not a user subject.
curl -i -X POST \
  https://developer.aritma.com/_mock/apis/platform/iam/openapi/iam-openapi/v1/policies \
  -H 'Authorization: Bearer <YOUR_TOKEN_HERE>' \
  -H 'Content-Type: application/json' \
  -d '{
    "subject": "group-7c9e6679-7425-40de-944b-e07fc1f90ae7",
    "scope": "/subscriptions/123",
    "action": "iam.policy.read"
  }'
```

Use the group's subjectId as the policy subject. All current and future members of the group inherit this policy immediately, including new members added in Entra ID and synced via SCIM.
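A pre-flight check for the lookup and policy steps above, as an added example that is not Aritma's own code: it resolves the synced group by exact display name, refuses to continue if the group is missing or the name is ambiguous, and builds the policy body from the group's subjectId. It assumes the groups endpoint returns a JSON array of objects shaped like the sample response; the function names and the second group in the sample data are constructed.

```python
import json

# Constructed sample of a GET /subjects/groups result. Assumption: the
# endpoint returns a JSON array of objects shaped like the page's example.
SAMPLE_GROUPS = json.loads("""[
  {"id": "7c9e6679-7425-40de-944b-e07fc1f90ae7", "displayName": "Finance Team",
   "subjectId": "group-7c9e6679-7425-40de-944b-e07fc1f90ae7", "type": "Group"},
  {"id": "11111111-1111-4111-8111-111111111111", "displayName": "Finance Team Contractors",
   "subjectId": "group-11111111-1111-4111-8111-111111111111", "type": "Group"}
]""")


class GroupLookupError(Exception):
    """Raised when the synced group cannot be identified unambiguously."""


def resolve_group_subject(groups, display_name):
    """Return the subjectId of the one group whose displayName matches exactly."""
    matches = [g for g in groups
               if g.get("type") == "Group" and g.get("displayName") == display_name]
    if not matches:
        raise GroupLookupError(f"{display_name!r} has not been synced yet")
    if len(matches) > 1:
        # Display names sync as-is, so duplicates are possible: refuse rather than guess.
        raise GroupLookupError(f"{len(matches)} groups are named {display_name!r}")
    subject_id = matches[0].get("subjectId")
    if not subject_id:
        raise GroupLookupError("matched group has no subjectId")
    return subject_id


def build_policy(groups, display_name, scope, action):
    """Build the POST /policies body for the resolved group."""
    if not scope or not action:
        raise ValueError("scope and action must both be set")
    return {"subject": resolve_group_subject(groups, display_name),
            "scope": scope, "action": action}


if __name__ == "__main__":
    body = build_policy(SAMPLE_GROUPS, "Finance Team",
                        "/subscriptions/123", "iam.policy.read")
    print(json.dumps(body, indent=2))
```

Exact matching matters here: a substring search for "Finance" would also return the constructed "Finance Team Contractors" group, and the policy would be attached to whichever entry was picked first.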
- To add more users to the team, update group membership in Entra ID — SCIM will sync the changes automatically
- To revoke access for the entire team, delete the policy or remove the group assignment from the SCIM application
- To see what the group can currently do, use View group permissions