RBAC doesn't work for Box application

Bhuvana Bala 0 Reputation points
2025-05-23T14:38:51.7666667+00:00

We have integrated the Box application with Entra ID and enabled SSO and Automated User Provisioning. In the Box application there are two roles, "Member" and "Co-Admin". Users from Box Admin should get the Co-Admin role in the Box application upon SSO, and users from Box-Member should get the Member role upon SSO. On clicking on-demand after user assignment, users from both groups have the Member role in the Box application. Please help us to fix this issue at the earliest.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Vigneshwar Duvva 2,300 Reputation points Microsoft External Staff Moderator
    2025-05-26T06:09:32.4766667+00:00

    Hello @Bhuvana Bala

    You have integrated Box with Microsoft Entra ID and enabled SSO and automated user provisioning. You want users in the "Box Admin" group to be assigned the "Co-Admin" role in Box, and users in the "Box Member" group to be assigned the "Member" role. However, after assigning users and triggering provisioning, all users are ending up with the "Member" role in Box, regardless of their group membership.

    1. Review and Configure Role Attribute Mappings

    Go to the Microsoft Entra admin center.

    Navigate to Enterprise Applications > Box > Provisioning > Attribute Mapping.

    Check the mapping for the Box role attribute (often called roles or similar).

    Ensure that the mapping uses an expression to transform Entra app role assignments (or group membership) into the correct Box roles.

    2. Use Expressions for Role Mapping

    You must use an expression to map Entra app role assignments to the Box roles, as direct mapping does not work.

    For example, use the SingleAppRoleAssignment expression to map users in the "Box Admin" group to the "Co-Admin" role and users in the "Box Member" group to the "Member" role.

    Example Expression (Pseudocode):

    IIF(SingleAppRoleAssignment([appRoleAssignments])="Box Admin", "Co-Admin", "Member")

    Adjust the actual expression based on your group or role names and the attribute names in your environment.

    3. Assign Users/Groups with Correct Roles

    In Entra ID, assign users or groups to the Box application and specify the intended application role (Member or Co-Admin) for each assignment.

    4. Reprovision Users

    After updating the mapping, trigger a reprovisioning (on-demand or wait for the next sync) to ensure users receive the correct roles in Box.

    Reference: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/customize-application-attributes


  2. Jinnie Nguyen 310 Reputation points Independent Advisor
    2025-05-26T10:23:20.5966667+00:00

    Hello Bhuvana Bala,

    Thank you for your question. This issue is likely due to missing or incorrect attribute mappings in the provisioning configuration. By default, Microsoft Entra ID does not automatically map Entra group membership to Box roles unless explicitly configured.

    Here is my recommended solution:

    1. Customize Attribute Mappings in Entra ID

    You need to configure custom attribute mappings so that users in specific Entra groups are provisioned with the correct Box role.

    • Go to Microsoft Entra admin center > Enterprise Applications > Box > Provisioning > Mappings
    • Edit the user attribute mappings
    • Use an expression to map Entra group membership to the role attribute in Box

    Guiding information: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/customize-application-attributes

    2. Verify Role Names Match Box API

    Ensure that the role values you assign (e.g., "Co-Admin", "Member") match exactly what Box expects via its SCIM API.

    3. Test with On-Demand Provisioning

    After updating the mappings:

    • Use the “Provision on demand” feature in Entra to test a user.
    • Confirm that the correct role is assigned in Box.

    If I have answered your question, please accept this as the answer as a token of appreciation, and don't forget to give a thumbs up for "Was it helpful"!

    Best regards,

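Both answers above say the same thing: the Box role attribute must be driven by an expression over the app role assignment, not by a constant or a plain attribute copy, and the values it yields must be exactly the role names Box accepts. The script below is an added example (not from either answer, nor from Microsoft or Box) that performs that check offline against a provisioning schema document. The sample schema is constructed here; its shape follows the Microsoft Graph synchronizationSchema resource (attributeMappings with targetAttributeName and source), which an administrator can export from the Box service principal's synchronization job, but the attribute name "roles" and the sample values are assumptions for illustration.

```python
import copy
import re

# Constructed sample, shaped like a Graph synchronizationSchema. The role mapping is
# deliberately the broken form from the question: a Constant, so everyone becomes Member.
SAMPLE_SCHEMA = {
    "synchronizationRules": [
        {
            "name": "USER_OUTBOUND_USER",
            "objectMappings": [
                {
                    "sourceObjectName": "User",
                    "targetObjectName": "User",
                    "attributeMappings": [
                        {"targetAttributeName": "userName",
                         "source": {"type": "Attribute", "name": "userPrincipalName"}},
                        {"targetAttributeName": "roles",
                         "source": {"type": "Constant", "name": "Member"}},
                    ],
                }
            ],
        }
    ]
}

ROLE_ATTRIBUTE = "roles"                  # assumed name of the Box role attribute in the mapping
VALID_BOX_ROLES = {"Member", "Co-Admin"}  # the two Box roles named in the question

# Corrected mapping: derive the Box role from the Entra app role assignment.
# Switch(source, default, key1, value1, ...) is a documented provisioning expression function.
FIXED_EXPRESSION = ('Switch(SingleAppRoleAssignment([appRoleAssignments]), '
                    '"Member", "Box Admin", "Co-Admin")')


def find_role_mapping(schema, target=ROLE_ATTRIBUTE):
    """Return the attributeMapping whose target is the role attribute, or None."""
    for rule in schema.get("synchronizationRules", []):
        for obj in rule.get("objectMappings", []):
            for mapping in obj.get("attributeMappings", []):
                if mapping.get("targetAttributeName") == target:
                    return mapping
    return None


def check_role_mapping(schema, target=ROLE_ATTRIBUTE, valid_roles=VALID_BOX_ROLES):
    """Return a list of findings; an empty list means the role mapping looks right."""
    mapping = find_role_mapping(schema, target)
    if mapping is None:
        return [f"no mapping targets '{target}'; no role will be sent to Box"]
    src = mapping.get("source", {})
    expr = src.get("expression")
    findings = []
    if expr:
        # The expression must read the app role assignment, otherwise group/role intent is lost.
        if "SingleAppRoleAssignment" not in expr and "AppRoleAssignmentsComplex" not in expr:
            findings.append("expression does not read the app role assignment")
        # Every Box role must be reachable as a literal output of the expression.
        literals = set(re.findall(r'"([^"]*)"', expr))
        for role in sorted(valid_roles):
            if role not in literals:
                findings.append(f"expression can never yield '{role}'")
        return findings
    kind = src.get("type")
    if kind == "Constant":
        findings.append(f"'{target}' is a Constant ('{src.get('name')}'): every user gets the same role")
    elif kind == "Attribute":
        findings.append(f"'{target}' is a direct Attribute copy of '{src.get('name')}'; use an expression")
    else:
        findings.append(f"'{target}' has unrecognised source type {kind!r}")
    return findings


def with_role_expression(schema, expression, target=ROLE_ATTRIBUTE):
    """Return a deep copy of the schema with the role mapping replaced by an expression mapping."""
    fixed = copy.deepcopy(schema)
    mapping = find_role_mapping(fixed, target)
    if mapping is None:
        raise ValueError(f"schema has no mapping for '{target}'")
    mapping["source"] = {"type": "Function", "expression": expression}
    return fixed


if __name__ == "__main__":
    print("before:", check_role_mapping(SAMPLE_SCHEMA))
    print("after: ", check_role_mapping(with_role_expression(SAMPLE_SCHEMA, FIXED_EXPRESSION)))
```

Run it against the exported schema instead of SAMPLE_SCHEMA, and treat any finding as the reason "Provision on demand" keeps returning Member for everyone; the literal check also catches a typo in a role value that Box's SCIM endpoint would silently reject or downgrade.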
