Viewing externally managed users and groups

To view externally managed users provisioned using the SCIM API:

  1. Sign in as a local Administrator.

  2. On the header, select Administration.

  3. On the navigation pane, expand Users, and then select Local Users.

  4. At the top of the Local Users page, from the User type list, select SSO.

    Application Security lists the users provisioned using the SCIM API. The Externally managed user symbol is displayed next to each user name listed in the Local Users table.

To see the groups pushed from Entra ID:

  1. Sign in to Application Security as a local Administrator.

  2. In the header, select Administration.

  3. On the navigation pane, expand Users, and then select Local Groups.

Assigning roles to externally managed users and groups

A user or member of a local group provisioned from an identity management service such as Entra ID cannot access Application Security unless the group has been assigned one or more roles, or the user is assigned a role individually from the Local Users page.

From Application Security, the only changes you can make to externally-managed user and group accounts are role and application version assignments. You must perform all other configuration (and deletion) from Entra ID.

Assign roles to externally managed users and groups just as you would for local users created through the Administration view.

See Also

Implementation of SCIM 2.0 protocol

Enabling SCIM for provisioning of externally managed users and groups

Using SCIM 2.0 and SAML 2.0 to configure a connection to Microsoft Entra ID for user provisioning

Configuring Application Security to work with SAML 2.0-compliant single sign-on