Skip to main content

Configure Alteryx Server for SCIM with Microsoft Entra ID

This document provides instructions for administrators who want to integrate Alteryx Server with Microsoft Entra ID using System for Cross-domain Identity Management (SCIM). Use this guide to learn how to enable SCIM in Server, configure Microsoft Entra ID to connect to Server for SCIM provisioning, and provision users and groups in Microsoft Entra ID. With this integration, you can streamline user and group management, ensuring a synchronized and hassle-free experience between Alteryx Server and Microsoft Entra ID.

Note

This configuration requires Microsoft Entra ID to be able to communicate with the Alteryx Server over an HTTPS (SSL/TLS) connection. Please check with your network and security teams to ensure network, firewall, and routing are appropriately configured to allow this communication. To support this communication, TLS must be enabled for Alteryx Server. For more information on TLS, use Configure Server SSL/TLS.

Enable SCIM Support

  1. SCIM requires that Alteryx Server is configured to support SAML single sign-on.

    For a new environment, follow the steps outlined in Configure Alteryx Server Authentication to set up SAML.

  2. Sign in to Alteryx Server as a Curator (Server admin) and navigate to Admin > Settings > Configuration > SCIM.

  3. Select Edit.

  4. Turn on the switch to enable SCIM.

  5. Select the Token Lifetime based on your needs. Please consult your company's security team for guidance.

  6. Select Save.

  7. Make note of the Base URI and Token as you will need these to configure the connection in Microsoft Entra ID.

Alteryx Server SCIM Configuration Example

Configure Microsoft Entra ID

  1. Sign in to Microsoft Entra ID.

  2. If you do not already have an Application created for Alteryx Server, select Enterprise applications.

    1. Select +New application.

    2. Select +Create your own application.

    3. In the right-hand panel, enter a name for the application, such as “Alteryx Server”.

    4. Select Integrate any other application you don’t find in the gallery (Non-gallery).

    5. Select Create.

    6. Once the app is created, select Single sign-on and configure the app for SAML. Use Configuring SAML 2.0 on Alteryx Server for Azure AD for details.

  3. Once you have an application created for Alteryx Server, navigate to that application.

  4. Select Provisioning.

    1. Select Automatic for the Provisioning Mode.

    2. For Tenant URL, enter the Base URI you noted in the Enable SCIM Support section (for example, https://host.domain.tld/webapi/scim/v2).

    3. For Secret Token, enter the Token you noted in the Enable SCIM Support section.

    4. Select Test Connection to confirm Microsoft Entra ID can connect to Alteryx Server.

      1. If the connection test fails:

        Note

        While SAML sign in might work by default as this involves internal to public communication from a user, this does not mean that your Microsoft Entra ID instance has direct line-of-site to your Alteryx Server instance (which requires successful communication from Microsoft Entra ID’s public cloud to a private network) required for SCIM to function properly.

        If you get the error "An error occurred while sending the request.", please review the below options to ensure proper communication between these systems.

        • Ensure you have entered the correct URL and Token.

        • Consult your network and security teams to ensure network connectivity between Alteryx Server and Microsoft Entra ID is allowed.

        • If you cannot allow Microsoft Entra ID to connect directly to Alteryx Server, you might be able to use the Microsoft Entra ID's provisioning agent instead of this configuration. Please consult with your Microsoft Entra ID administrator and Microsoft Entra on-premises application provisioning to SCIM-enabled apps for details.

          Azure Provisioning Configuration Example

Provisioning Users and Groups

  1. Log in to Microsoft Entra ID.

  2. Navigate to the application you created for Alteryx Server in the Configure Microsoft Entra ID section.

  3. Select Users and Groups.

    Azure Users and groups
  4. Select +Add user/group.

  5. In the right-hand panel, use search to find and select the users and groups you want to add.

  6. The selected users and groups appear in the lower section of the panel.

    Azure User Search Panel
  7. To finalize your selection, choose the Select button at the bottom of the panel.

  8. This returns you to the Users and Groups page with a list of the users and groups associated with the application.

  9. Select Provisioning.

  10. Select Start provisioning to enable provisioning. This starts the incremental provisioning cycle with which Microsoft Entra ID synchronizes users and groups with Alteryx Server. Any changes to users or groups in Microsoft Entra ID are reflected in Server when this sync completes. Microsoft Entra ID can take up to 40 minutes to synchronize changes.

    The provisioning process in Alteryx Server produces the following outcomes based on the users and groups assigned to your SCIM app:

    • Users: Created with the Default role.

    • Alteryx Custom Groups: Created for each Active Directory group, with the Default role assigned.

    • User Assignments: Users are added to their respective Custom Group(s) based on their Active Directory group membership.

    Azure Provisioning Configuration

Confirm Successful Synchronization

  1. Wait at least 40 minutes to ensure Microsoft Entra ID goes through a provisioning cycle.

  2. Sign in to Alteryx Server as a Curator (Server admin).

  3. Navigate to Admin > Users.

  4. Confirm that the users and groups provisioned in Microsoft Entra ID have been successfully created or updated in Server.