Identity Provider
The Identity Provider tab (under Tenant Admin > Users) lets you connect your organization's own Azure Entra directory to your Studio tenant. Once connected, users who sign in from that directory are automatically provisioned into your tenant with a Studio role based on the Entra groups they belong to — so you manage Studio access from your own directory instead of adding users by hand.
How it works
When a user signs in, Studio reads which Entra directory they belong to. If that directory matches your configured (and verified) directory, Studio looks at the user's Entra group membership and:
- If they are in one of your mapped groups, they are added to your tenant with the mapped role.
- If they are in several mapped groups, the highest-privilege role wins (Admin > User > Read-Only).
- If they are in none of your mapped groups, any access that was previously provisioned for them is removed.
Provisioning is evaluated at sign-in. Changes you make here take effect the next time a user signs in; they do not interrupt sessions that are already active.
Before you start
- You need the directory (tenant) ID of your Azure Entra directory (a GUID). In the Azure portal it is shown on the Microsoft Entra ID > Overview page.
- You need the object ID of each Entra group you want to map. Find these under Microsoft Entra ID > Groups; open a group and copy its Object Id.
- To verify the directory, a Global Administrator of your Entra directory must approve a one-time consent (see Step 1). If you are not an Entra admin yourself, you can start the step and hand the approval link to your IT administrator.
Step 1 — Enter and verify your directory
- Open Tenant Admin > Users > Identity Provider.
- Enter your Entra Tenant ID and click Save.
- Click Verify directory. You are redirected to Microsoft's consent page. A Global Administrator of that directory signs in and approves.
- On success you return to Studio and the directory shows a green Verified badge.
Verification proves that your organization actually controls the directory. Provisioning cannot be enabled until the directory is verified. If you later change the directory ID, it must be verified again.
Step 2 — Map Entra groups to Studio roles
In the Group Mappings table, fill in the Entra group name (for your reference) and group object ID for each Studio role you want to grant:
- Admin — full tenant administration.
- User — create, edit, and run Actions.
- Read-Only — view Actions and Runs only.
You can map as few or as many roles as you like; leave a row blank to leave that role unmapped. See Roles and Permissions for what each role can do.
Step 3 — Enable provisioning
Set User provisioning to Enabled and click Save. From now on, matching users are provisioned automatically when they sign in.
Turning provisioning off
Switching User provisioning to Disabled stops auto-provisioning and removes access from users who were auto-provisioned, the next time they sign in. Users you added manually on the Users tab are never affected — only memberships created by the identity provider are removed.
Good to know
- One directory per tenant. An Entra directory can be connected to only one Studio tenant.
- Manual users are safe. Provisioning only ever changes memberships it created; it never edits or removes users you added by hand.
- Global Admins are not affected. Studio Global Administrators are never provisioned as tenant users.
- Auditing. Enabling or disabling provisioning, changing the configuration, and verifying the directory are recorded in the tenant Audit Log, including who made the change.
- Guest users. A guest (B2B) user's directory is their home directory, not the directory that invited them, so provisioning matches their home directory.
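
The sign-in rules from How it works, Turning provisioning off and Good to know, sketched as an added Python example (not Studio's own code) that you can use to reason about what a given mapping will grant. The IdpConfig and Membership types, the action names and the GUIDs are assumptions constructed for illustration; the page does not say what happens to a user from a non-matching directory, so the sketch takes no action there.

```python
from dataclasses import dataclass
from typing import Optional

# Privilege order stated on the page: Admin > User > Read-Only.
ROLE_RANK = {"Read-Only": 1, "User": 2, "Admin": 3}

@dataclass
class IdpConfig:            # hypothetical model of the Identity Provider tab
    directory_id: str       # Entra directory (tenant) ID
    verified: bool          # green Verified badge
    enabled: bool           # User provisioning: Enabled / Disabled
    group_roles: dict       # Entra group object ID -> Studio role

@dataclass
class Membership:           # hypothetical record of an existing tenant membership
    role: str
    source: str             # "manual" (Users tab) or "idp" (auto-provisioned)

def evaluate_sign_in(cfg: IdpConfig, home_directory_id: str, group_ids: list,
                     existing: Optional[Membership] = None,
                     is_global_admin: bool = False):
    """Return (action, role) for one sign-in, following the rules on this page."""
    if is_global_admin:
        return ("skip", None)                  # Global Admins are never provisioned
    if existing and existing.source == "manual":
        return ("keep", existing.role)         # manual users are never edited or removed
    had_idp = existing is not None and existing.source == "idp"
    if not cfg.enabled:
        return ("remove", None) if had_idp else ("none", None)
    # GUIDs are compared case-insensitively. For a guest (B2B) user the caller
    # must pass the home directory, not the inviting one.
    if not cfg.verified or home_directory_id.lower() != cfg.directory_id.lower():
        return ("none", None)                  # assumption: page does not define this case
    roles = [cfg.group_roles[g] for g in group_ids if g in cfg.group_roles]
    if roles:
        return ("provision", max(roles, key=ROLE_RANK.__getitem__))
    return ("remove", None) if had_idp else ("none", None)

# Constructed sample configuration (placeholder GUIDs, not real identifiers).
CFG = IdpConfig("aaaaaaaa-0000-0000-0000-000000000001", True, True, {
    "bbbbbbbb-0000-0000-0000-00000000000a": "Admin",
    "bbbbbbbb-0000-0000-0000-00000000000b": "User",
    "bbbbbbbb-0000-0000-0000-00000000000c": "Read-Only",
})
```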