This article explains how to configure Microsoft Entra ID to automatically provision and deprovision users or groups to Harness. Automatic provisioning eliminates manual user management by synchronizing user lifecycle changes from your identity provider to Harness.
Note
This article describes a connector that is built on top of the Microsoft Entra user provisioning service. For information about this service, see Automate user provisioning and deprovisioning to SaaS applications with Microsoft Entra ID.
Prerequisites
The scenario outlined in this article assumes that you have the following prerequisites:
- A Microsoft Entra user account with an active subscription. If you don't already have one, you can Create an account for free.
- One of the following roles:
- A Harness tenant
- A user account in Harness with Admin permissions
Assign users to Harness
Before you configure provisioning, you must assign users or groups to the Harness application in Microsoft Entra ID. Microsoft Entra ID uses assignments to determine which users should receive access to selected applications. In the context of automatic user provisioning, only the users or groups that have been assigned to an application in Microsoft Entra ID are synchronized.
Before you configure and enable automatic user provisioning, decide which users or groups in Microsoft Entra ID need access to Harness. You can then assign these users or groups to Harness by following the instructions in Assign a user or group to an enterprise app.
Recommendations for user assignment
Start with a small test group before you roll out provisioning to your entire organization. Assign a single Microsoft Entra user to Harness to test the automatic user provisioning configuration. After you verify that provisioning works correctly, you can assign additional users or groups.
When you assign a user to Harness, you must select a valid application-specific role (if available) in the Assignment dialog box. Users with the Default Access role are excluded from provisioning.
If you currently have a Harness App Integration setup in Microsoft Entra ID and are now trying to set up one for Harness, ensure that the user information is also included in the App Integration before you attempt to log into Harness through SSO.
Set up Harness for provisioning
You must generate a SCIM API token in Harness before you can configure provisioning in Microsoft Entra ID. This token allows Microsoft Entra ID to securely connect to the Harness SCIM endpoint and provision users.
Sign in to your Harness Admin Console, select your profile at the bottom left corner of the page, and go to Profile Overview.

Under My API Keys, select +API Key. The window to create an API key opens.

Specify a Name and select Save. Harness creates an API key for your account.

To create a token for your API key, select +Token under your newly created API key.
a. Provide a name and select Generate token.
b. Copy the token value to a safe location. You'll need this token to configure the connection in Microsoft Entra ID.
c. Select Close.

Add Harness from the gallery
You must add the Harness application from the Microsoft Entra application gallery before you can configure automatic user provisioning. This registers Harness as a managed SaaS application in your Microsoft Entra tenant.
Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
Browse to Entra ID > Enterprise apps.

To add a new application, select the New application button at the top of the pane.

In the search box, enter Harness, select Harness in the results list, and then select the Add button to add the application.

Configure automatic user provisioning to Harness
After you add Harness from the gallery and generate a SCIM token, you can configure the provisioning connection. This section walks through the steps to configure the Microsoft Entra provisioning service to create, update, and disable users or groups in Harness based on user or group assignments in Microsoft Entra ID.
Tip
You may also choose to enable SAML-based single sign-on for Harness by following the instructions in the Harness single sign-on article. You can configure single sign-on independent of automatic user provisioning, although these two features complement each other.
Note
To learn more about the Harness SCIM endpoint, see the Harness API Keys article.
To configure automatic user provisioning for Harness in Microsoft Entra ID, do the following:
Sign in to the Microsoft Entra admin center as at least a Cloud Application Administrator.
Browse to Entra ID > Enterprise apps.

In the applications list, select Harness.

Select the Provisioning tab.

Select + New configuration.

Under Admin Credentials, do the following:

a. In the Tenant URL box, enter https://app.harness.io/gateway/api/scim/account/<your_harness_account_ID>. You can obtain your Harness account ID from the URL in your browser when you are logged into Harness.
b. In the Secret Token box, enter the SCIM Authentication Token value that you saved in step 3 of the "Set up Harness for provisioning" section.
c. Select Test Connection to ensure that Microsoft Entra ID can connect to Harness. If the connection fails, ensure that your Harness account has Admin permissions, and then try again.

Select Create to create your configuration.
Select Properties in the Overview page.
Select the pencil to edit the properties. Enable notification emails and provide an email to receive quarantine emails. Enable accidental deletions prevention. Select Apply to save the changes.

Select Attribute Mapping in the left panel and select users.
Review the user attributes that are synchronized from Microsoft Entra ID to Harness in the Attribute Mapping section. The attributes selected as Matching properties are used to match the user accounts in Harness for update operations. Select the Save button to commit any changes.

Under Mappings, select Synchronize Microsoft Entra groups to Harness.
Review the group attributes that are synchronized from Microsoft Entra ID to Harness in the Attribute Mapping section. The attributes selected as Matching properties are used to match the groups in Harness for update operations. Select the Save button to commit any changes.

To configure scoping filters, refer to the instructions provided in the Scoping filter article.
Use on-demand provisioning to validate sync with a small number of users before deploying more broadly in your organization.
When you are ready to provision, select Start Provisioning from the Overview page.
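A pre-flight check for the two Admin Credentials values entered above, as an added example that is not Microsoft or Harness code. It assumes the Tenant URL form shown in this article; the function name and the sample values in the comments are hypothetical.

```python
from urllib.parse import urlsplit

# Tenant URL form given in the Admin Credentials step of this article.
# Assumption: your account is served from this host; adjust if it is not.
EXPECTED_HOST = "app.harness.io"
EXPECTED_PREFIX = "/gateway/api/scim/account/"
PLACEHOLDER = "<your_harness_account_ID>"


def check_admin_credentials(tenant_url, secret_token):
    """Return a list of problems; an empty list means the values look sane."""
    problems = []
    if tenant_url != tenant_url.strip() or secret_token != secret_token.strip():
        problems.append("leading or trailing whitespace (copy/paste residue)")
    url = urlsplit(tenant_url.strip())
    if url.scheme != "https":
        problems.append("tenant URL must use https so the token is not sent in clear text")
    if url.hostname != EXPECTED_HOST:
        problems.append("unexpected host %r; the token would be sent there" % url.hostname)
    if not url.path.startswith(EXPECTED_PREFIX):
        problems.append("path does not start with " + EXPECTED_PREFIX)
    else:
        account_id = url.path[len(EXPECTED_PREFIX):].strip("/")
        if not account_id or "/" in account_id:
            problems.append("account ID segment is missing or has extra path segments")
    if PLACEHOLDER in tenant_url or "<" in tenant_url or "%3C" in tenant_url:
        problems.append("placeholder account ID was not replaced")
    if url.query or url.fragment or url.username or url.password:
        problems.append("tenant URL must not carry query, fragment or credentials")
    token = secret_token.strip()
    if not token:
        problems.append("secret token is empty")
    elif any(c.isspace() for c in token):
        problems.append("secret token contains whitespace or a line break")
    return problems


if __name__ == "__main__":
    # Constructed values; read the real token from a secret store, not source code.
    url = "https://app.harness.io/gateway/api/scim/account/" + PLACEHOLDER
    for problem in check_admin_credentials(url, "constructed-token\n"):
        print("FIX:", problem)
```

Running the check before you select Test Connection keeps the SCIM token from being submitted to a mistyped or lookalike host.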
Monitor your deployment
After you start provisioning, monitor the provisioning logs to verify that users and groups sync correctly between Microsoft Entra ID and Harness.
Once you configure provisioning, use the following resources to monitor your deployment:
- Use the provisioning logs to determine which users are provisioned successfully or unsuccessfully
- Check the progress bar to see the status of the provisioning cycle and how close it is to completion
- If the provisioning configuration seems to be in an unhealthy state, the application goes into quarantine. Learn more about quarantine states in the application provisioning quarantine status article.
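One way to triage exported provisioning logs, as an added example that is not part of the original article. The records are constructed and shaped like Microsoft Graph provisioningObjectSummary entries; the function name, threshold and error code are hypothetical.

```python
import json
from collections import Counter

# Constructed sample, shaped like Microsoft Graph provisioningObjectSummary
# records (auditLogs/provisioning). Names, times and error code are made up.
SAMPLE_LOG = json.loads("""[
 {"activityDateTime": "2024-01-10T09:00:00Z", "provisioningAction": "create",
  "provisioningStatusInfo": {"status": "success"}, "sourceIdentity": {"displayName": "user1@example.com"}},
 {"activityDateTime": "2024-01-10T09:00:05Z", "provisioningAction": "update",
  "provisioningStatusInfo": {"status": "success"}, "sourceIdentity": {"displayName": "user2@example.com"}},
 {"activityDateTime": "2024-01-10T09:00:09Z", "provisioningAction": "create",
  "provisioningStatusInfo": {"status": "failure", "errorInformation": {"errorCode": "ExampleErrorCode"}},
  "sourceIdentity": {"displayName": "user3@example.com"}},
 {"activityDateTime": "2024-01-10T09:40:00Z", "provisioningAction": "disable",
  "provisioningStatusInfo": {"status": "success"}, "sourceIdentity": {"displayName": "user4@example.com"}},
 {"activityDateTime": "2024-01-10T09:40:02Z", "provisioningAction": "disable",
  "provisioningStatusInfo": {"status": "success"}, "sourceIdentity": {"displayName": "user5@example.com"}},
 {"activityDateTime": "2024-01-10T09:41:00Z", "provisioningAction": "create",
  "provisioningStatusInfo": {"status": "skipped"}, "sourceIdentity": {"displayName": "user6@example.com"}}
]""")

# Actions that take access away from a Harness account.
REMOVAL_ACTIONS = {"disable", "delete", "stagedDelete"}


def triage(records, removal_threshold=2):
    """Summarize one provisioning cycle: failures to fix, removals to confirm."""
    status_counts = Counter()
    failures, removals = [], []
    for rec in records:
        info = rec.get("provisioningStatusInfo") or {}
        status = info.get("status", "unknown")
        status_counts[status] += 1
        who = (rec.get("sourceIdentity") or {}).get("displayName", "?")
        action = rec.get("provisioningAction", "other")
        if status == "failure":
            err = info.get("errorInformation") or {}
            failures.append((who, action, err.get("errorCode", "?")))
        if action in REMOVAL_ACTIONS and status == "success":
            removals.append(who)
    # A burst of removals may be an intended offboarding or a scoping mistake;
    # the threshold (hypothetical) decides when a human should confirm it.
    return {"status_counts": dict(status_counts), "failures": failures,
            "removals": removals, "removal_alert": len(removals) >= removal_threshold}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```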