I am currently setting up Single Sign-On (SSO) and user provisioning between Microsoft Entra ID (formerly Azure AD) and our Salesforce instance. One of our goals is to map the roles in Entra ID to profiles in Salesforce. I am using the out-of-the-box Entra ID application for Salesforce instances. However, we have encountered a challenge: Salesforce only allows each user to have one profile, but users in Entra ID can have multiple roles. We want to implement Azure Privileged Identity Management (PIM) so that users can temporarily have elevated access. This means users might have an additional role in Entra ID without replacing their existing role.
I initially used the default value for the ProfileName attribute, which was set to SingleAppRoleAssignments(appRoleAssignments). However, when a user is assigned multiple roles, this setup fails, producing an error indicating that multiple roles cannot be mapped to the Salesforce profile field. I also tested using only the appRoleAssignments value, which generates a comma-separated list of Entra ID roles. In this case, Salesforce only assigns the first role from the list to the user's profile, ignoring the rest.
How can we effectively manage the mapping of multiple roles from Entra ID to Salesforce? Specifically, how can we ensure that the temporary roles granted via Azure PIM (which result in additional roles in Entra ID) do not conflict with the one-profile limitation in Salesforce? Has anyone successfully implemented a similar setup? If so, which Salesforce user fields or attributes did you map the multiple roles from Entra ID to?
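An added illustration, not from the original post or from Microsoft or Salesforce, of one way to collapse the comma-separated role list described above into a single profile value: rank the roles and let the highest-ranked one win, so a PIM-elevated role selects the elevated profile while it is active and the standing role applies again once it expires, independent of the roles' position in the list. The role names, profile names and precedence table are assumptions.

```python
from __future__ import annotations

# Constructed precedence table (hypothetical role and profile names).
# Higher number = higher precedence; keep the numbers unique so ties
# cannot be broken by accident of string ordering.
ROLE_PRECEDENCE: dict[str, tuple[int, str]] = {
    "SF-Admin": (3, "System Administrator"),
    "SF-Support": (2, "Support Agent"),
    "SF-Standard": (1, "Standard User"),
}
# Least-privilege fallback when no mapped role is present.
DEFAULT_PROFILE = "Standard User"


def parse_app_roles(raw: str) -> list[str]:
    """Split a comma-separated appRoleAssignments value, dropping blanks."""
    return [r.strip() for r in raw.split(",") if r.strip()]


def resolve_profile(raw: str) -> tuple[str, list[str]]:
    """Return (profile, unmapped_roles) for one user's role list.

    Unlike the first-element behaviour described in the post, every role in
    the list is ranked and only the highest-ranked one selects the profile.
    Roles with no mapping are returned so they can be reviewed in provisioning
    logs instead of being silently ignored.
    """
    roles = parse_app_roles(raw)
    ranked = [ROLE_PRECEDENCE[r] for r in roles if r in ROLE_PRECEDENCE]
    unmapped = [r for r in roles if r not in ROLE_PRECEDENCE]
    if not ranked:
        return DEFAULT_PROFILE, unmapped
    _, profile = max(ranked)
    return profile, unmapped


if __name__ == "__main__":
    # Constructed scenario: standing role plus a PIM-activated admin role,
    # then the same user after the PIM activation has expired.
    for assignments in ("SF-Standard,SF-Admin", "SF-Admin,SF-Standard", "SF-Standard"):
        print(assignments, "->", resolve_profile(assignments))
```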