Configure SCIM with Microsoft Entra ID
You can configure user management through Microsoft Entra ID (also known as Azure Active Directory (AD)), provision groups, and assign Tableau Cloud site roles.
While you complete the following steps, it will help to have the Entra ID documentation at hand. See the tutorial, Configure Tableau Cloud for automatic user provisioning.
Note: If you have already enabled provisioning for your application and would like to update to use the Tableau SCIM 2.0 endpoint, see the Microsoft article Update a Tableau Cloud application. If you are setting up provisioning for a new instance of the Tableau Cloud application, follow the steps below.
Step 1: Perform prerequisites
The SCIM functionality requires that you configure your site to support SAML single sign-on (SSO).
- Complete the section "Add Tableau Cloud to your Microsoft Entra ID applications" in Configure SAML with Microsoft Entra ID.
- After adding Tableau Cloud from the Azure Marketplace, remain signed in to both the Entra portal and Tableau Cloud, with the following pages displayed:
  - In Tableau Cloud, the Settings > Authentication page.
  - In the Entra portal, the Tableau Cloud application > Provisioning page.
Step 2: Enable SCIM support
Use the following steps to enable SCIM support with Microsoft Entra ID. See also the "Notes and limitations for SCIM support with Azure Active Directory" section below.
Note: For the steps in the Entra portal, make sure you're using the Tableau Cloud app from the gallery.
- Sign in to your Tableau Cloud site as a site administrator, and select Settings > Authentication.
- Do the following:
  - On the Authentication page, under Automatic Provisioning and Group Synchronization (SCIM), select the Enable SCIM check box.
    This populates the Base URL and Secret boxes with values you will use in the IdP’s SCIM configuration.
    Important: The secret token is displayed only immediately after it is generated. If you lose it before you can apply it to your IdP, you can select Generate New Secret. In addition, the secret token is tied to the Tableau Cloud user account of the site administrator who enables SCIM support. If that user’s site role changes or the user is removed from the site, the secret token becomes invalid, and another site administrator must generate a new secret token and apply it to your IdP.
  - Copy the secret token value, and on the Provisioning page in your Entra portal, do the following:
    - For Provisioning Mode, select Automatic.
    - For Authentication Method, select Bearer Authentication.
    - For Tenant URL, copy and paste the Base URL shown in the Tableau Cloud SCIM settings.
    - For Secret Token, paste the Tableau Cloud SCIM secret token you copied earlier.
- Click the Test Connection button to verify the credentials are working as expected, and then click Save.
- In the Mappings section, verify that Provision Microsoft Entra ID Groups and Provision Microsoft Entra ID Users are enabled.
- Select Provision Microsoft Entra ID Groups, and on the Attribute Mappings page, review the attributes synchronized from Entra ID to Tableau Cloud. To save any changes, click Save.
- Select Provision Microsoft Entra ID Users, and on the Attribute Mapping page, review the attributes synchronized from Entra ID to Tableau Cloud. To save any changes, click Save.
Step 3: Assign groups to the Tableau Cloud app
Use the following steps to assign groups to the Tableau Cloud gallery app in Microsoft Entra ID.
- From the application page, select Enterprise Apps > Users and groups.
- Click Add user/group.
- On the Add Assignment page, select a group and assign one of the following site roles:
  - Creator
  - SiteAdministratorCreator
  - Explorer
  - SiteAdministratorExplorer
  - ExplorerCanPublish
  - Viewer
  - Unlicensed
- Click Assign.
Note: You'll receive an error if you select a role that is not in the above list. For more information about site roles, see Set Users’ Site Roles.
Create groups for site roles
A user can be a member of multiple groups in Entra ID, but they will only receive the most permissive site role in Tableau Cloud. For example, if a user is a member of two groups with site roles Viewer and Creator, Tableau will assign the Creator site role.
To keep track of role assignments, we recommend creating role-specific groups in Entra ID, such as “Tableau - Creator”, “Tableau - Explorer”, etc. You can then use the groups to quickly provision new users for the correct role in Tableau Cloud.
Site roles are listed below in order from most permissive to least permissive:
- Site Administrator Creator
- Site Administrator Explorer
- Creator
- Explorer (Can Publish)
- Explorer
- Viewer
Note: Users and their attributes should be managed through Entra ID. Changes made within Tableau Cloud directly may result in unexpected behavior and overwritten values.
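The precedence rule above, as an added example (not Tableau's or Microsoft's code): it resolves each user's effective site role from group assignments and lists the groups whose role is overridden, which is where an unintended administrator grant through overlapping groups shows up. Group and user names are constructed, and ranking Unlicensed last is an assumption, since the ordering above does not rank it.

```python
# Role identifiers accepted on the Add Assignment page (Step 3), ordered from
# most to least permissive. "Unlicensed" last is an assumption, not from the page.
ROLE_ORDER = [
    "SiteAdministratorCreator", "SiteAdministratorExplorer", "Creator",
    "ExplorerCanPublish", "Explorer", "Viewer", "Unlicensed",
]
RANK = {role: i for i, role in enumerate(ROLE_ORDER)}


def effective_role(roles):
    """Return the most permissive role among the given group roles."""
    unknown = sorted(set(roles) - set(RANK))
    if unknown:
        # Mirrors the assignment error for roles outside the supported list.
        raise ValueError(f"role(s) not assignable: {unknown}")
    if not roles:
        return None
    return min(roles, key=RANK.__getitem__)


def audit(group_roles, memberships):
    """Map each user to (effective role, groups overridden by a higher role)."""
    report = {}
    for user, groups in memberships.items():
        top = effective_role([group_roles[g] for g in groups])
        shadowed = sorted(g for g in groups if group_roles[g] != top)
        report[user] = (top, shadowed)
    return report


# Constructed sample data (hypothetical group and user names).
GROUP_ROLES = {
    "Tableau - Creator": "Creator",
    "Tableau - Viewer": "Viewer",
    "Tableau - Site Admin": "SiteAdministratorExplorer",
}
MEMBERSHIPS = {
    "alice@example.com": ["Tableau - Viewer", "Tableau - Creator"],
    "bob@example.com": ["Tableau - Viewer"],
    "carol@example.com": ["Tableau - Creator", "Tableau - Site Admin"],
}

if __name__ == "__main__":
    for user, (role, shadowed) in audit(GROUP_ROLES, MEMBERSHIPS).items():
        print(f"{user}: {role}; overridden groups: {shadowed or 'none'}")
```

A non-empty overridden list means removing the user from the higher-role group changes their site role rather than removing their access.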
Step 4: Provision groups
After you have enabled SCIM support and assigned groups to the Tableau Cloud application in Entra ID, the next step is to provision users to your Tableau Cloud site.
- On the Provisioning page, expand the Settings section, and define the groups you want to provision to Tableau Cloud in Scope.
  Note: The Entra ID setting "Sync all users and groups" is not supported with Tableau Cloud.
- Toggle Provisioning Status to On.
- Click Save.
Saving starts the initial synchronization of the groups defined in Scope. Synchronization occurs approximately every 40 minutes as long as the Entra ID provisioning service runs. To manually provision users outside of the schedule, select Provision on demand. For more information about on-demand provisioning, see the Microsoft article On-demand provisioning in Microsoft Entra ID.
After provisioning is complete, you should see the groups from Entra ID on the Site Users page in Tableau Cloud.
Change user authentication in Tableau Cloud
Provisioned users are assigned the SAML authentication type by default. To change the authentication type for users, use the steps below.
- In Tableau Cloud, select Users.
- On the Site Users page, select the check boxes next to the users you want to assign an authentication type.
- On the Actions menu, select Authentication.
- In the Authentication dialog, select the preferred authentication type for the user.
For more information about the different authentication types in Tableau Cloud, see Authentication.
SCIM and grant license on sign in
Beginning in February 2024 (Tableau 2023.3), you can use SCIM with Grant License on Sign In (GLSI) with Microsoft Entra ID.
Using SCIM with GLSI for Entra ID requires the following:
- In Entra ID, adding users to the group in the Tableau Cloud app.
- In Tableau Cloud, enabling the GLSI option for the group and selecting the minimum site role for the users who are members of the group.
  Note: It’s not possible to set a group with the GLSI attribute in Entra ID.
- Users to be provisioned as Unlicensed in Entra ID.
Enable GLSI
To enable GLSI in Tableau Cloud, see Grant License on Sign In.
Remove SCIM users with GLSI
You must remove SCIM users from their GLSI-enabled groups in Microsoft Entra ID before attempting to delete them from Microsoft Entra ID. When SCIM users are removed from all of their GLSI-enabled groups, the users are converted to the "Unlicensed" role in Tableau Cloud.
- In Entra ID, deprovision the user from the GLSI-enabled group in the Tableau Cloud app. Deprovisioning a user in Entra ID only causes the user to be converted to “Unlicensed” in Tableau Cloud and does not delete the user.
  Notes:
  - If the user is no longer a member of any additional Tableau Cloud app groups in Entra ID, or if the user is individually assigned to the Tableau Cloud app, the user is converted to “Unlicensed” in Tableau Cloud.
  - If you want to delete the SCIM user in Tableau Cloud (see Delete SCIM users, below), you manually delete the user from Tableau Cloud.
    - Remove the user from the groups with GLSI enabled.
    - Remove the SCIM user from the site.
If you encounter issues, see the knowledge article Error "User role was not updated to: Unlicensed (errorCode=10079)" When Attempting to Deprovision Users via SCIM.
About Tableau Cloud's "All Users" group
If you’ve enabled the default “All Users” group with GLSI, you can’t deprovision the users in Entra ID and are therefore unable to unlicense any of the users that belong to the GLSI-enabled group in Tableau Cloud. To remove a SCIM user in the GLSI-enabled “All Users” group, you must manually delete the user from Tableau Cloud.
Note: If users have content associated with them, you’ll need to reassign content ownership to other users before you can delete the users.
Delete SCIM users
Deleting SCIM users in Entra ID will only convert them to the "Unlicensed" role and will not delete them in Tableau Cloud. If you want to delete users, you must manually delete the users in Tableau Cloud.
For more information about deleting users, see "Remove users from a site" in the View, Manage, or Remove Users topic.
Note: If users have content associated with them, you’ll need to reassign content ownership to other users before you can delete the users.
Notes for SCIM support with Microsoft Entra ID
- You must add a separate Tableau Cloud app for each site you want to manage using SCIM.
- When deprovisioning a user in the Tableau Cloud application in Azure AD or if a user is deleted from Azure AD entirely, the user is converted to an Unlicensed site role in Tableau Cloud. If the user owns any content, you must first reassign ownership of those content assets before you can manually delete the user in Tableau Cloud.
- Beginning in February 2024 (Tableau 2023.3), the use of SCIM with Grant License on Sign In (GLSI) is supported. For more information, see SCIM and grant license on sign in above.