You will need:
The following provisioning features are supported:
You'll grant access to your hosts via Active Directory Groups. If you don't already have groups set up, you'll want to create a group for each kind of user access to your servers. For example, you might have a group for
ssh users, and one for
In the Azure portal, start at the Groups blade.
When creating your groups, give them names and accept the defaults on all other settings.
In the Smallstep SSH dashboard, under the Users tab, choose Azure.
Paste your Tenant ID from the Active Directory Overview blade into the "Add Your Team" dialog:
Back in the Azure portal, go to the Enterprise Applications blade.
Choose + New application.
Add a Non-Gallery Application.
smallstep-usersync or some other name you'll remember.
Choose Next on the bottom left.
In your new application, under Users and Groups on the left:
Your Users and Groups list should now look something like this:
Smallstep needs to see the right attributes when you sync your directory with us.
Item(Split([userPrincipalName], "@"), 1)
Your mappings should look like this when you're finished:
🤦♂️ There's a quirk in Microsoft's UI here, and you may see an error when saving after turning provisioning on. If so, wait 60 seconds and try Save again.
Sign in at
Navigate to the LOGS menu. You should see a list of success messages assocated with
SCIM-SYNC catagory items.
Navigate to the USERS menu. If the onboarding dialog is open, press
Esc to close.
You should see your Users and Groups synced over from Azure AD.
Don't see your users and groups? Microsoft's SCIM service may add a 40-minute delay after you set it up. You can force an update by checking ✅Clear current state and restart synchronization in the Provisioning panel, and choosing Save. Even then, it may take a minute to sync with Smallstep.