Tutorial: Configure Snowflake for automatic user provisioning

This tutorial demonstrates the steps that you perform in Snowflake and Azure Active Directory (Azure AD) to configure Azure AD to automatically provision and deprovision users and groups to Snowflake. For important details on what this service does, how it works, and frequently asked questions, see What is automated SaaS app user provisioning in Azure AD?.

Note

This connector is currently in public preview. For information about terms of use, see Supplemental Terms of Use for Microsoft Azure Previews.

Capabilities supported

  • Create users in Snowflake
  • Remove users in Snowflake when they don't require access anymore
  • Keep user attributes synchronized between Azure AD and Snowflake
  • Provision groups and group memberships in Snowflake
  • Allow single sign-on to Snowflake (recommended)

Prerequisites

The scenario outlined in this tutorial assumes that you already have the following prerequisites:

  • An Azure AD tenant
  • A user account in Azure AD with permission to configure provisioning (Application Administrator, Cloud Application Administrator, Application Owner, or Global Administrator)
  • A Snowflake tenant
  • At least one user in Snowflake with the ACCOUNTADMIN role.

Step 1: Plan your provisioning deployment

  1. Learn about how the provisioning service works.
  2. Determine who will be in scope for provisioning.
  3. Determine what data to map between Azure AD and Snowflake.

Step 2: Configure Snowflake to support provisioning with Azure AD

Before you configure Snowflake for automatic user provisioning with Azure AD, you need to enable System for Cross-domain Identity Management (SCIM) provisioning on Snowflake.

  1. Sign in to Snowflake as an administrator and execute the following from either the Snowflake worksheet interface or SnowSQL.

    use role accountadmin;
    
     create role if not exists aad_provisioner;
     grant create user on account to role aad_provisioner;
     grant create role on account to role aad_provisioner;
    grant role aad_provisioner to role accountadmin;
     create or replace security integration aad_provisioning
         type = scim
         scim_client = 'azure'
         run_as_role = 'AAD_PROVISIONER';
     select system$generate_scim_access_token('AAD_PROVISIONING');
    
  2. Use the ACCOUNTADMIN role.

    Screenshot of a worksheet in the Snowflake UI with the SCIM access token called out.

  3. Create the custom role AAD_PROVISIONER. All users and roles in Snowflake created by Azure AD will be owned by the scoped down AAD_PROVISIONER role.

    Screenshot showing the custom role.

  4. Let the ACCOUNTADMIN role create the security integration using the AAD_PROVISIONER custom role.

    Screenshot showing the security integrations.

  5. Create and copy the authorization token to the clipboard and store securely for later use. Use this token for each SCIM REST API request and place it in the request header. The access token expires after six months and a new access token can be generated with this statement.

    Screenshot showing the token generation.

Add Snowflake from the Azure AD application gallery to start managing provisioning to Snowflake. If you previously set up Snowflake for single sign-on (SSO), you can use the same application. However, we recommend that you create a separate app when you're initially testing the integration. Learn more about adding an application from the gallery.

Step 4: Define who will be in scope for provisioning

The Azure AD provisioning service allows you to scope who will be provisioned based on assignment to the application, or based on attributes of the user or group. If you choose to scope who will be provisioned to your app based on assignment, you can use the steps to assign users and groups to the application. If you choose to scope who will be provisioned based solely on attributes of the user or group, you can use a scoping filter.

Keep these tips in mind:

  • When you're assigning users and groups to Snowflake, you must select a role other than Default Access. Users with the Default Access role are excluded from provisioning and will be marked as not effectively entitled in the provisioning logs. If the only role available on the application is the Default Access role, you can update the application manifest to add more roles.

  • If you need additional roles, you can update the application manifest to add new roles.

Step 5: Configure automatic user provisioning to Snowflake

This section guides you through the steps to configure the Azure AD provisioning service to create, update, and disable users and groups in Snowflake. You can base the configuration on user and group assignments in Azure AD.

To configure automatic user provisioning for Snowflake in Azure AD:

  1. Sign in to the Azure portal. Select Enterprise applications > All applications.

    Screenshot that shows the Enterprise applications pane.

  2. In the list of applications, select Snowflake.

    Screenshot that shows a list of applications.

  3. Select the Provisioning tab.

    Screenshot of the Manage options with the Provisioning option called out.

  4. Set Provisioning Mode to Automatic.

    Screenshot of the Provisioning Mode drop-down list with the Automatic option called out.

  5. In the Admin Credentials section, enter the SCIM 2.0 base URL and authentication token that you retrieved earlier in the Tenant URL and Secret Token boxes, respectively.

    Note

    The Snowflake SCIM endpoint consists of the Snowflake account URL appended with /scim/v2/. For example, if your Snowflake account name is acme and your Snowflake account is in the east-us-2 Azure region, the Tenant URL value is https://acme.east-us-2.azure.snowflakecomputing.com/scim/v2.

    Select Test Connection to ensure that Azure AD can connect to Snowflake. If the connection fails, ensure that your Snowflake account has admin permissions and try again.

    Screenshot that shows boxes for tenant URL and secret token, along with the Test Connection button.

  6. In the Notification Email box, enter the email address of a person or group who should receive the provisioning error notifications. Then select the Send an email notification when a failure occurs check box.

    Screenshot that shows boxes for notification email.

  7. Select Save.

  8. In the Mappings section, select Synchronize Azure Active Directory Users to Snowflake.

  9. Review the user attributes that are synchronized from Azure AD to Snowflake in the Attribute Mapping section. The attributes selected as Matching properties are used to match the user accounts in Snowflake for update operations. Select the Save button to commit any changes.

    Attribute Type
    active Boolean
    displayName String
    emails[type eq "work"].value String
    userName String
    name.givenName String
    name.familyName String
    externalId String

    Note

    Snowflake supported custom extension user attributes during SCIM provisioning:

    • DEFAULT_ROLE
    • DEFAULT_WAREHOUSE
    • DEFAULT_SECONDARY_ROLES
    • SNOWFLAKE NAME AND LOGIN_NAME FIELDS TO BE DIFFERENT

    How to set up Snowflake custom extension attributes in Azure AD SCIM user provisioning is explained here.

  10. In the Mappings section, select Synchronize Azure Active Directory Groups to Snowflake.

  11. Review the group attributes that are synchronized from Azure AD to Snowflake in the Attribute Mapping section. The attributes selected as Matching properties are used to match the groups in Snowflake for update operations. Select the Save button to commit any changes.

    Attribute Type
    displayName String
    members Reference
  12. To configure scoping filters, see the instructions in the Scoping filter tutorial.

  13. To enable the Azure AD provisioning service for Snowflake, change Provisioning Status to On in the Settings section.

    Screenshot that shows Provisioning Status switched on.

  14. Define the users and groups that you want to provision to Snowflake by choosing the desired values in Scope in the Settings section.

    If this option is not available, configure the required fields under Admin Credentials, select Save, and refresh the page.

    Screenshot that shows choices for provisioning scope.

  15. When you're ready to provision, select Save.

    Screenshot of the button for saving a provisioning configuration.

This operation starts the initial synchronization of all users and groups defined in Scope in the Settings section. The initial sync takes longer to perform than subsequent syncs. Subsequent syncs occur about every 40 minutes, as long as the Azure AD provisioning service is running.

Step 6: Monitor your deployment

After you've configured provisioning, use the following resources to monitor your deployment:

  • Use the provisioning logs to determine which users have been provisioned successfully or unsuccessfully.
  • Check the progress bar to see the status of the provisioning cycle and how close it is to completion.
  • If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states.

Connector limitations

Snowflake-generated SCIM tokens expire in 6 months. Be aware that you need to refresh these tokens before they expire, to allow the provisioning syncs to continue working.

Troubleshooting tips

The Azure AD provisioning service currently operates under particular IP ranges. If necessary, you can restrict other IP ranges and add these particular IP ranges to the allowlist of your application. That technique will allow traffic flow from the Azure AD provisioning service to your application.

Change log

  • 07/21/2020: Enabled soft-delete for all users (via the active attribute).
  • 10/12/2022: Updated Snowflake SCIM Configuration.

Additional resources

Next steps