You can configure user management through Azure Active Directory, provision groups and assign Tableau Cloud site roles.
While you complete the following steps, it will help to have the Microsoft documentation at hand. See the tutorial, Configure Tableau Cloud for automatic user provisioning.
Note: If you have already enabled provisioning for your application and would like to update to use the Tableau SCIM 2.0 endpoint, see the Microsoft article Update a Tableau Cloud application. If you are setting up provisioning for a new instance of the Tableau Cloud application, follow the steps below.
Enable SCIM support
Use the following steps to enable SCIM support with Azure Active Directory. See also Notes and limitations for SCIM support with Azure Active Directory.
The SCIM functionality requires that you configure your site to support SAML single sign-on. If you have not done this, complete the section Add Tableau Cloud to your Azure AD applications in Configure SAML with Azure Active Directory.
After adding Tableau Cloud from the Azure Marketplace, remain signed in to both the Azure portal and Tableau Cloud, with the following pages displayed:
- In Tableau Cloud, the Settings > Authentication page.
- In the Azure portal, the Tableau Cloud application > Provisioning page.
On the Authentication page in Tableau Cloud, under Automatic Provisioning and Group Synchronisation (SCIM), tick the Enable SCIM box.
This populates the Base URL and Secret boxes with values you will use in the IdP’s SCIM configuration.
Important: The secret token is displayed only immediately after it is generated. If you lose it before you can apply it to your IdP, you can select Generate New Secret. In addition, the secret token is tied to the Tableau Cloud user account of the site administrator who enables SCIM support. If that user’s site role changes or the user is removed from the site, the secret token becomes invalid and another site administrator must generate a new secret token and apply it to your IdP.
Copy the secret token value, and on the Provisioning page in your Azure portal, do the following:
- For Provisioning Mode, select Automatic.
- For Authentication Method, select Bearer Authentication.
- For Secret Token, paste the Tableau Cloud SCIM secret token you copied earlier.
- For Tenant URL, copy and paste the Base URL shown in the Tableau Cloud SCIM settings.
Click Test Connection to verify the credentials are working as expected, and then click Save.
In the Mappings section, verify that Provision Azure Active Directory Groups and Provision Azure Active Directory Users are enabled.
Select Provision Azure Active Directory Groups, and on the Attribute Mappings page, review the attributes synchronised from Azure to Tableau Cloud. To save any changes, click Save.
Select Provision Azure Active Directory Users, and on the Attribute Mapping page, review the attributes synchronised from Azure to Tableau Cloud. To save any changes, click Save.
Assign users and groups to the Tableau Cloud application
Use the following steps to assign individual users and groups to the Tableau Cloud application in Azure.
From the application page, select Enterprise Apps > Users and groups.
Click Add user/group.
On the Add Assignment page, select a user or group and assign one of the following site roles: Creator, SiteAdministratorCreator, Explorer, SiteAdministratorExplorer, ExplorerCanPublish, Viewer or Unlicensed.
You will receive an error if you select a role that is not in the above list. For more information about site roles, see Set Users’ Site Roles.
Create groups for site roles
A user can be a member of multiple groups in Azure, but they will only receive the most permissive site role in Tableau Cloud. For example, if a user is a member of two groups with site roles Viewer and Creator, Tableau will assign the Creator site role.
To keep track of role assignments, we recommend creating role-specific groups in Azure, such as “Tableau - Creator”, “Tableau - Explorer”, etc. You can then use the groups to quickly provision new users for the correct role in Tableau Cloud.
Site roles are listed below in order from most permissive to least permissive:
Site Administrator Creator
Site Administrator Explorer
Explorer (Can Publish)
Note: Users and their attributes should be managed through Azure. Changes made within Tableau Cloud directly may result in unexpected behaviour and overwritten values.
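The "most permissive role wins" rule means one extra group membership can silently raise a user to a site administrator role. The following added example (not Tableau or Microsoft code) audits a planned group-to-role mapping before provisioning: it rejects role names outside the accepted list and flags users whose administrator role comes from overlapping groups. The function name, group names and users are hypothetical, and the positions of Creator, Explorer, Viewer and Unlicensed in the ordering are an assumption, since the list above does not show them.

```python
ROLE_ORDER = [  # most permissive first
    "SiteAdministratorCreator", "SiteAdministratorExplorer",
    "Creator",                           # assumed position
    "ExplorerCanPublish",
    "Explorer", "Viewer", "Unlicensed",  # assumed positions
]
RANK = {role: i for i, role in enumerate(ROLE_ORDER)}
ADMIN_ROLES = {"SiteAdministratorCreator", "SiteAdministratorExplorer"}


def audit(group_roles, memberships):
    """group_roles: Azure group -> site role; memberships: user -> [groups].

    Returns (effective role per user, list of findings)."""
    findings = [
        f"group {g!r}: {r!r} is not an accepted site role"
        for g, r in group_roles.items() if r not in RANK
    ]
    effective = {}
    for user, groups in memberships.items():
        roles = {group_roles[g] for g in groups if group_roles.get(g) in RANK}
        if not roles:
            continue  # no valid role assignment reaches this user
        best = min(roles, key=RANK.__getitem__)  # most permissive wins
        effective[user] = best
        if best in ADMIN_ROLES and roles - ADMIN_ROLES:
            findings.append(
                f"user {user!r}: {best} overrides {sorted(roles - ADMIN_ROLES)}")
    return effective, findings


# Constructed sample data (hypothetical group and user names).
SAMPLE_GROUP_ROLES = {
    "Tableau - Creator": "Creator",
    "Tableau - Viewer": "Viewer",
    "Tableau - Admins": "SiteAdministratorExplorer",
    "Tableau - Legacy": "Editor",  # not in the accepted list
}
SAMPLE_MEMBERSHIPS = {
    "alice@example.com": ["Tableau - Viewer", "Tableau - Creator"],
    "bob@example.com": ["Tableau - Viewer", "Tableau - Admins"],
    "carol@example.com": ["Tableau - Viewer"],
}

if __name__ == "__main__":
    roles, issues = audit(SAMPLE_GROUP_ROLES, SAMPLE_MEMBERSHIPS)
    for user, role in roles.items():
        print(user, "->", role)
    for issue in issues:
        print("FINDING:", issue)
```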
Provision users and groups
After you have enabled SCIM support and assigned users and groups to the Tableau Cloud application in Azure, the next step is to provision users to your Tableau site.
On the Provisioning page, expand the Settings section and define the users or groups you want to provision to Tableau Cloud in Scope.
Note: The Azure AD setting "Sync all users and groups" is not supported with Tableau Cloud.
Toggle Provisioning Status to On.
Saving starts the initial synchronisation of the users or groups defined in Scope. Synchronisation occurs approximately every 40 minutes as long as the Azure AD provisioning service runs. To manually provision users outside of the schedule, select Provision on demand. For more information about on-demand provisioning, see the Microsoft article On-demand provisioning in Azure Active Directory.
After provisioning is complete, you should see the users or groups from Azure AD on the Site Users page in Tableau Cloud.
Change user authentication in Tableau Cloud
Provisioned users are assigned the SAML authentication type by default. To change the authentication type for users, use the steps below.
In Tableau Cloud, select Users.
On the Site Users page, tick the boxes next to the users to whom you want to assign an authentication type.
On the Actions menu, select Authentication.
In the Authentication dialog, select the preferred authentication type for the user.
For more information about the different authentication types in Tableau Cloud, see Authentication.
Notes and limitations for SCIM support with Azure Active Directory
You must add a separate Tableau Cloud app for each site you want to manage using SCIM.
Use of SCIM with Grant Licence on Sign-in is unsupported and may result in incorrectly provisioned site roles for users or groups.