Configuring Microsoft Entra ID SCIM for Cortex
This article explains how to configure Microsoft Entra ID SCIM to work with Cortex. If you're looking to turn on SSO in Cortex via Entra ID, refer to this article.
When Entra ID SCIM is configured, you can create, import, edit, and deactivate users.
Prior to configuring Entra ID SCIM, you must first turn on SCIM in Cortex. Refer to Configuring SCIM in Cortex for more information.
Prerequisites
Create an API key in Cortex that has the Admin role or a custom role that contains the Configure Open ID Connector & SCIM, Edit Roles, and Manage Identity Mappings permissions. See API Keys, Secrets, and Tokens for more information.
Be sure to copy the API key and save it for later. Do not skip this step—you can only view the key once!
Step 1: Adding an Entra ID non-gallery application for SCIM
You must be logged in to Entra ID as one of the following roles: Application Administrator, Cloud Application Administrator, or Global Administrator.
Log in to the Microsoft Entra Admin Center at https://entra.microsoft.com.
Navigate to Entra ID > Enterprise apps.
Click + New application.
Click + Create your own application.
Enter the application name, for example Cortex SCIM.
Select Integrate any other application you don't find in the gallery (Non-gallery).
Click Create.
Step 2: Configuring Entra ID automatic provisioning for SCIM
You must be logged in to Entra ID as one of the following roles: Application Administrator, Cloud Application Administrator, or Global Administrator.
Setting up the connection between Cortex and Entra ID
Log in to the Microsoft Entra Admin Center at https://entra.microsoft.com.
Navigate to Entra ID > Enterprise apps.
Open the Cortex SCIM application you created in Step 1: Adding an Entra ID Non-gallery Application for SCIM.
From the left menu, select Provisioning.
Click Connect your application.
Below Admin Credentials, complete the following fields:
From the Select authentication method drop-down menu, select Bearer authentication.
In the Tenant URL field, enter https://api.getcortexapp.com/scim/v2.
In the Secret token field, enter your Cortex-generated API key.
Click Test Connection. A Success message appears.
Click Create.
Configuring scope in Entra ID
Follow the steps below to set the user provisioning scope.
Log in to the Microsoft Entra Admin Center at https://entra.microsoft.com.
Navigate to Entra ID > Enterprise apps.
Open the Cortex SCIM application you created in Step 1: Adding an Entra ID Non-gallery Application for SCIM.
From the left menu, select Provisioning.
Select the Properties tab.
Click the pencil icon next to Basics.
In the right panel, locate the Scope drop-down menu, then choose one of the following options:
Sync only assigned users and groups (recommended) - Only users explicitly assigned to the Cortex SCIM app will be provisioned in Cortex.
Sync all users and groups - All users in your directory will be provisioned in Cortex.
Step 3: Enabling and verifying Entra ID SCIM provisioning
You must be logged in to Entra ID as one of the following roles: Application Administrator, Cloud Application Administrator, or Global Administrator.
When SCIM provisioning is turned on with Entra ID, the following happens:
Entra ID begins the initial synchronization with Cortex. This process may take 15 to 20 minutes.
Entra ID triggers ongoing incremental synchronizations with Cortex every 40 minutes.
You can monitor the synchronization status in Entra ID via the provisioning logs.
Users are created in Cortex based on the user assignments configured in Entra ID.
Turning on provisioning in Entra ID
Follow the steps below to enable user provisioning in Entra ID.
Log in to the Microsoft Entra Admin Center at https://entra.microsoft.com.
Navigate to Entra ID > Enterprise apps.
Open the Cortex SCIM application you created in Step 1: Adding an Entra ID Non-gallery Application for SCIM.
From the left menu, select Provisioning.
Click Start Provisioning.
Verifying provisioning in Entra ID
Follow the steps below to confirm successful user provisioning in Entra ID.
Log in to the Microsoft Entra Admin Center at https://entra.microsoft.com.
Navigate to Entra ID > Enterprise apps.
Open the Cortex SCIM application you created in Step 1: Adding an Entra ID Non-gallery Application for SCIM.
From the left menu, select Provisioning.
From the left menu, select Provisioning logs.
Review the logs for any errors.
Verify that users display a Success status.
Entra ID synchronizes with Cortex every 40 minutes. If you are within the 40-minute window, there may not be any recent information in the logs.
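The log review above can be scripted against an exported copy of the provisioning logs. The following is an added example, not code from Cortex or Microsoft: it assumes a JSON export whose entries are shaped like Microsoft Graph's provisioningObjectSummary resource, and the sample entries, user names, and the triage function are constructed for illustration. It flags failed entries and separates disable or delete actions that succeeded from those that did not reach Cortex.

```python
import json
from collections import Counter

# Constructed sample export. Field names follow Microsoft Graph's
# provisioningObjectSummary resource; users and timestamps are invented.
SAMPLE_EXPORT = json.dumps([
    {"activityDateTime": "2024-05-01T10:00:00Z", "provisioningAction": "create",
     "sourceIdentity": {"displayName": "alice@example.com"},
     "provisioningStatusInfo": {"status": "success"}},
    {"activityDateTime": "2024-05-01T10:00:05Z", "provisioningAction": "create",
     "sourceIdentity": {"displayName": "bob@example.com"},
     "provisioningStatusInfo": {"status": "failure"}},
    {"activityDateTime": "2024-05-01T10:40:00Z", "provisioningAction": "disable",
     "sourceIdentity": {"displayName": "carol@example.com"},
     "provisioningStatusInfo": {"status": "success"}},
    {"activityDateTime": "2024-05-01T10:40:02Z", "provisioningAction": "disable",
     "sourceIdentity": {"displayName": "dave@example.com"},
     "provisioningStatusInfo": {"status": "failure"}},
])

REVOKE_ACTIONS = {"disable", "delete"}
PROBLEM_STATUSES = {"failure", "warning"}

def triage(export_json):
    """Return status counts, problem entries, and revocation outcomes."""
    counts, problems, revoked, stale = Counter(), [], [], []
    for entry in json.loads(export_json):
        status = (entry.get("provisioningStatusInfo") or {}).get("status", "unknown").lower()
        action = (entry.get("provisioningAction") or "other").lower()
        user = (entry.get("sourceIdentity") or {}).get("displayName", "<unknown>")
        counts[status] += 1
        if status in PROBLEM_STATUSES:
            problems.append((user, action, status))
            if action in REVOKE_ACTIONS:
                # Revocation did not reach the target: access may persist.
                stale.append(user)
        elif status == "success" and action in REVOKE_ACTIONS:
            revoked.append(user)
    return {"counts": dict(counts), "problems": problems,
            "revoked": revoked, "stale_access": stale}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EXPORT), indent=2))
```

Any user listed under stale_access should be checked in the Cortex Users tab, since the deprovisioning request for that account did not complete.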
Verifying provisioning in Cortex
Follow the steps below to confirm successful user provisioning in Cortex.
Log in to Cortex.
From the main sidebar, click your avatar in the bottom-left corner.
Click Settings.
From the Settings menu, scroll to the Security and access section, then select Permissions.
Confirm that users are listed in the Users tab.
You can change the default role assigned to new users who are provisioned from Entra ID. Select the Default role drop-down menu to change the default role.
Deprovisioning users
When a user is removed or deprovisioned in Entra ID, the following happens in Cortex:
The user's roles are removed
The user's team memberships are removed
The user's personal API keys are deleted
All of the user's active sessions are immediately invalidated
Deprovisioned users can no longer access Cortex, even if they had an active browser session at the time of removal. No additional action is required to enforce access revocation—removal from your identity provider is sufficient.
Verifying a user has been deprovisioned in Cortex:
Log in to Cortex.
From the main sidebar, click your avatar in the bottom-left corner.
Click Settings.
From the Settings menu, scroll to the Security and access section, then select Permissions.
Select the Users tab, then verify that the user has been removed.