Provision with Microsoft Entra ID

This article describes how to provision users in Sumo Logic with Microsoft Entra ID (formerly Azure Active Directory).

Prerequisites

Create an access key

Create an access key. (We recommend using a service account to create the access key.) This access key will provide authorization to provision users from Microsoft Entra ID into Sumo Logic.

When you create the access key, copy its access ID and access key values. You will use these later, when you Base64 encode <access ID>:<access key> to generate a token.
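
The following added example (not part of the original article or Sumo Logic's own tooling) builds the token from <access ID>:<access key> and checks it for the two usual encoding mistakes: a trailing newline encoded into the token and line wrapping in the Base64 output. The function names make_scim_token and check_scim_token are hypothetical, the sample credentials are constructed, and GNU coreutils base64 is assumed.

```bash
#!/usr/bin/env bash
# Added example (not Sumo Logic code). Function names are hypothetical.

# make_scim_token ACCESS_ID ACCESS_KEY
# Prints Base64("<access ID>:<access key>") as a single line.
make_scim_token() {
  local id="$1" key="$2"
  if [ -z "$id" ] || [ -z "$key" ]; then
    echo "error: access ID and access key are both required" >&2; return 1
  fi
  # Whitespace or newlines inside a value are almost always copy-paste damage.
  case "$id$key" in
    *[[:space:]]*) echo "error: whitespace in credential" >&2; return 1 ;;
  esac
  # Assumption: the access ID holds no ':'; otherwise the pair is ambiguous.
  case "$id" in
    *:*) echo "error: ':' in access ID" >&2; return 1 ;;
  esac
  # printf, unlike echo, does not append a newline that would be encoded too.
  # tr strips the line wrapping GNU base64 adds after 76 output characters.
  printf '%s:%s' "$id" "$key" | base64 | tr -d '\n'
}

# check_scim_token TOKEN ACCESS_ID
# Succeeds only if TOKEN decodes to exactly "<ACCESS_ID>:<non-empty key>".
check_scim_token() {
  local token="$1" id="$2" decoded nbytes
  decoded="$(printf '%s' "$token" | base64 -d 2>/dev/null)" || return 1
  # $(...) drops trailing newlines, so compare against the raw byte count
  # to catch a token that was built with echo.
  nbytes="$(printf '%s' "$token" | base64 -d | wc -c | tr -d '[:space:]')"
  [ "$nbytes" -eq "${#decoded}" ] || return 1
  [ "${decoded%%:*}" = "$id" ] || return 1
  [ "$decoded" != "$id" ] && [ -n "${decoded#*:}" ]
}

# Demo with constructed sample values, not real credentials.
if [ "${1:-}" = "--demo" ]; then
  token="$(make_scim_token 'suEXAMPLEID0001' 'ExampleAccessKeyValue0000000000')"
  check_scim_token "$token" 'suEXAMPLEID0001' && echo "token OK: $token"
fi
```

When entering a real access key in bash, read it into a variable with read -rs instead of typing it as a literal argument, so it stays out of shell history.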

Configure provisioning with Microsoft Entra ID

Step 1: Create the app

  1. Log in to Microsoft Azure as an administrator.
  2. Navigate to Microsoft Entra ID. (You can use the search bar to locate it.)
  3. Navigate to Manage > Enterprise Applications.
  4. Click New application.
  5. Click Create your own application.
  6. Enter a name for the app and select Integrate any other application you don't find in the gallery (Non-gallery).
  7. Click Create. The app displays in Entra ID.

Step 2: Set up single sign-on

Follow the directions in Configure Sumo as an Enterprise App in Azure AD beginning with the step where you select Set up single sign on.

When you configure SAML in Sumo Logic:

  • Select Disable Requested Authentication Context.
  • Do not select the On Demand Provisioning checkbox. You will set up provisioning later.

Step 3: Add roles

Create roles that the users will have in Sumo Logic (for example, Analyst and Administrator).

  1. In the app, select Manage > Users and groups.
  2. Select application registration.
  3. Click Create app role.
  4. Create the role:
    1. In Display name, enter the name to be displayed in the UI (for example, Analyst).
    2. For Allowed member types select Both.
    3. For Value enter the value of the role in Sumo Logic (for example, Analyst).
    4. For Description enter a description of the role.
    5. Click Apply.

Step 4: Assign users to the app

  1. In the app, select Manage > Users and groups.
  2. Select Add user/group.
  3. Under Users, click None Selected.
  4. From the list of available users, select users to add to the app and click Select.
  5. Under Select a role click None Selected.
  6. From the list of available roles, select a role (for example, Analyst).
  7. Click Assign.

Step 5: Set up provisioning

  1. In the app select Manage > Provisioning.
  2. For Provisioning Mode, select Automatic.
  3. Enter Admin Credentials:
    1. In Tenant URL, enter the API endpoint for your deployment for the SCIM User Management APIs using the format <api-endpoint>/v1/scim/. For example, https://api.sumologic.com/api/v1/scim/.
    2. For Secret Token, use Base64 encoding to encode <access ID>:<access key> (see Prerequisites). Enter the resulting value into the Secret Token field.
    3. Click Test Connection. If successful, a message like this appears: Testing connection to <app name>. The supplied credentials are authorized to enable provisioning.
  4. Set up mappings:
    1. Select Mappings and Provision Microsoft Entra Users.
    2. At the bottom of the Attribute Mapping dialog, select Add New Mapping.
    3. Fill out the Edit Attribute dialog:
      1. For Mapping type select Expression.
      2. For Expression enter AppRoleAssignments([appRoleAssignments]).
      3. For Target attribute select roles[primary eq "True"].value.
      4. Click OK.
    4. On the Attribute Mapping dialog, delete all the attributes except:
      • userName
      • active
      • emails[type eq "work"].value
      • name.givenName
      • name.familyName
      • roles[primary eq "True"].value
    5. Click Save.
  5. Click the Home > <app name> | Provisioning link in the top left corner of the screen. This returns you to the Provisioning tab.
  6. Test provisioning:
    1. In the app, select Manage > Provisioning.
    2. For Provisioning Status select On to enable provisioning.
    3. Click Save.
    4. Select Overview.
    5. Select Provision on demand.
    6. Users assigned to the app will be provisioned into Sumo Logic.

As long as the app's provisioning status is on, the app runs auto provisioning every 40 minutes.

Step 6: Verify provisioning

Users assigned to the app are provisioned into Sumo Logic.

  1. Verify in Microsoft Entra ID:
    1. In the app, select Provisioning and then select the Monitoring tab.
    2. The tab should show provisioning status. Click View Provisioning Logs for details.
  2. Verify in Sumo Logic:
    1. Log in to the Sumo Logic instance that you linked to the provisioning app in Step 2 when you provided the Assertion Consumer URL and entity ID.
    2. Classic UI. In the main Sumo Logic menu, select Administration > Users and Roles > Users.
      New UI. In the top menu select Administration, and then under Users and Roles select Users. You can also click the Go To... menu at the top of the screen and select Users.
    3. Search for the users provisioned from Microsoft Entra ID.
    4. You should see the users listed with the role given to them when you assigned them to the app in Microsoft Entra ID.

Syncing between Microsoft Entra ID and Sumo Logic

When you modify the name, email, or role of a user assigned to the app in Microsoft Entra ID, the changes will be synced to the corresponding user in Sumo Logic.

If you unassign a user from the app in Microsoft Entra ID, the corresponding user is deactivated in Sumo Logic. (If you later try to reassign that same user to the app, it will result in an error in Sumo Logic. You must delete the old user from Sumo Logic first so that the user can be provisioned once again from Microsoft Entra ID.)


Copyright © 2025 by Sumo Logic, Inc.