Is it possible to assign a custom SCIM attribute (e.g. Snowflake default_role) based on Entra group membership?

Lynne Caputi 55 Reputation points
2024-12-15T16:58:05.2966667+00:00

I have created 2 groups in Entra and associated them both to the enterprise app for Snowflake SCIM provisioning. If a user belongs to GroupA, I'd like them to be assigned the "Developer" role in Snowflake; members of GroupB should be assigned to the "Finance" role. Is there any chance it is as easy as an expression in the User attribute mapping?

Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,898 questions
0 comments No comments
{count} votes

Accepted answer
  1. James Hamil 26,881 Reputation points Microsoft Employee
    2024-12-16T22:27:23.1566667+00:00

    Hi @Lynne Caputi , yes, you can use dynamic groups in Entra ID to assign users to groups based on their properties, and then use entitlement management to assign roles to those groups.

    You can create two dynamic groups in Entra ID, one for GroupA and one for GroupB, and configure the group rules to match the properties of the users you want to include in each group. Then, you can use entitlement management to assign the "Developer" role to GroupA and the "Finance" role to GroupB.

    For the user attribute mapping, it depends on the specific requirements of your Snowflake SCIM provisioning configuration. If you need to map a custom attribute to a specific value based on the user's group membership, you can use an expression in the attribute mapping to achieve this but the exact expression will depend on the specific requirements of your configuration.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.