You will need:
The following provisioning features are supported:
You'll grant access to your hosts via Active Directory Groups. If you don't already have groups set up, you'll want to create a group for each kind of user access to your servers. For example, you might have a group for
ssh users, and one for
In the Azure portal, start at the Groups blade.
When creating your groups, give them names and accept the defaults on all other settings.
In the Smallstep SSH dashboard, under the Users tab, choose Azure.
Paste your Tenant ID from the Active Directory Overview blade into the "Add Your Team" dialog:
Sign in to Smallstep at
Follow the Getting Started workflow.
Choose the Users tab, and choose Azure AD as your identity provider.
Enter your Tenant ID and Whitelisted Domains, and Save.
step ssh login your@email.
Your browser will open to an Azure AD single sign-on flow,
and you'll be prompted to add the Smallstep SSH enterprise application to your tenant.
Choose Consent on behalf of your organization.
Accept the application for your tenant, and finish the sign-on flow.
🤦♂️ If you encounter "The username may be incorrect", you'll need to use a different account to accept the application into your tenant. Specifically, you cannot use a Microsoft Account or a Guest account; the account must be an Azure AD account.
In the Azure Portal Enterprise Applications blade, you should now see Smallstep SSH. Open it.
Choose Users and Groups on the left:
Your Users and Groups list should now look something like this:
Do you have dots in your Azure UPNs?
Linux usernames with
.in them are not POSIX-compliant, though in practice dotted usernames work fine on many systems. If your UPNs contain dots, you can configure the
userNameattribute mapping to remove them. Just use the following expression for your
ToLower(Replace(Replace([userPrincipalName], , "(?<Suffix>@(.)*)", "Suffix", "", , ), ".", , ,"", , ))
🤦♂️ There's a quirk in Microsoft's UI here, and you may see an error when saving after turning provisioning on. If so, wait 60 seconds and try Save again.
Return to the Smallstep dashboard.
Navigate to the LOGS menu. You should see a list of success messages assocated with
SCIM-SYNC catagory items.
Navigate to the USERS menu. If the onboarding dialog is open, press
Esc to close.
You should see your Users and Groups synced over from Azure AD.
Don't see your users and groups? Microsoft's SCIM service may add a 40-minute delay after you set it up. You can force an update by clicking Restart provisioning in the Provisioning panel. Even then, it may take a minute to sync with Smallstep.