Configure Automated User Provisioning with Microsoft Entra
Configure CoreWeave Automated User Provisioning with Microsoft Entra
Automated User Provisioning (AUP) lets you instantly sync users and groups from your identity provider (IdP) to the Cloud Console, using the SCIM (System for Cross-domain Identity Management) standard. You no longer need to send invites or wait for users to log in.
This guide shows how to set up AUP with Microsoft Entra as the IdP.
Prerequisites
- Admin access to the CoreWeave Cloud Console.
- Admin access to the Microsoft Entra dashboard.
Create SAML integration
You need to configure SAML SSO first, as AUP relies on it for authentication.
- Open the Cloud Console and the Microsoft Entra dashboard in separate windows.
  - In Cloud Console: Go to IAM > SAML SSO in the sidebar, then click Configure SAML.
  - In Entra: Open the Microsoft Entra dashboard at entra.microsoft.com.
  - Click Enterprise Apps, select + New Application in the Top Bar, and select Create your own application.
  - Choose an appropriate name for your CoreWeave Organization and select Create your own application not in the Enterprise Gallery.
  - When you return to the Enterprise Apps page, select your new application and click Single sign on under the Manage menu in the left bar.
For the next few steps, the Cloud Console displays details for your integration that you'll need to provide in Entra.
- In Entra, select SAML 2.0 under Select a single sign-on method.
- Under field 1: Basic SAML Configuration, click Edit.
- Copy the ACS URL from the Cloud Console and paste it into Entra's Reply URL (Assertion Consumer Service URL) field.
- Copy the Entity ID from the Cloud Console and paste it into Entra's Entity ID field.
- Under field 2: Attributes and Claims, click Edit.
- For each claim under Additional Claims, map the following fields to each Azure value by clicking each claim and editing the top Name field:
  - Name: first_name; Value: user.givenname
  - Name: last_name; Value: user.surname
  - Name: email; Value: user.email
- Under section 3: SAML Certificates, click Edit. In the menu that opens, set Signing Option to Sign SAML Response and Assertion. Click Save to save the settings.
- Return to section 3: SAML Certificates. Copy the URL from the App Federation Metadata URL field to your clipboard.
- Return to the CoreWeave Cloud Console. Click the Metadata URL field and paste the URL you copied from Entra.
- In Cloud Console, click Next and then click Deploy SSO.
- Return to Entra, and scroll to the bottom of the page. Click Test, and then in the Test Single Sign on with your [Enterprise App Name] dialog click Test. You should be prompted to log in to the CoreWeave Console with your Microsoft account. If the test succeeds, the login completes and you arrive at the Clusters page.
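The following added example (not part of the original guide and not CoreWeave or Microsoft code) checks a decoded SAML response from a test login against the settings above: a signature on both the Response and the Assertion, and non-empty first_name, last_name and email claims. It checks structure only and does not verify the signatures cryptographically; the function names and the sample document are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REQUIRED_CLAIMS = ("first_name", "last_name", "email")  # claim names from this guide

def audit_saml_response(xml_text):
    """Return a list of findings; an empty list means the structure matches the guide."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    findings = []
    # Look only at direct children, so the Assertion's own Signature
    # is not mistaken for one over the Response.
    if root.find("ds:Signature", NS) is None:
        findings.append("Response is not signed")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return findings + ["expected exactly one Assertion, found %d" % len(assertions)]
    if assertions[0].find("ds:Signature", NS) is None:
        findings.append("Assertion is not signed")
    values = {}
    for attr in assertions[0].findall("saml:AttributeStatement/saml:Attribute", NS):
        text = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
        values[attr.get("Name")] = (text or "").strip()
    for claim in REQUIRED_CLAIMS:
        if not values.get(claim):
            findings.append("claim %s is missing or empty" % claim)
    return findings

def sample_response(sign_response=True, sign_assertion=True, claims=None):
    """Constructed input: empty placeholder signatures and example.com identities."""
    if claims is None:
        claims = {"first_name": "Ada", "last_name": "Lovelace", "email": "ada@example.com"}
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"]
    attrs = "".join(
        '<saml:Attribute Name="%s"><saml:AttributeValue>%s</saml:AttributeValue>'
        '</saml:Attribute>' % pair for pair in claims.items())
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s">%s<saml:Assertion>%s'
            '<saml:AttributeStatement>%s</saml:AttributeStatement>'
            '</saml:Assertion></samlp:Response>'
            ) % (NS["samlp"], NS["saml"], sig if sign_response else "",
                 sig if sign_assertion else "", attrs)

if __name__ == "__main__":
    print(audit_saml_response(sample_response(sign_response=False)))
```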
Configure one-way SCIM
Set up one-way SCIM provisioning so the Cloud Console can receive user and group information from Entra:
- In the Cloud Console, toggle Enable SCIM. Note the SCIM Base URL and SCIM Token fields. You'll need both later.
- In Entra:
  - On your Enterprise App's left navigation bar, click Provisioning (located under Single Sign On).
  - Click Connect your application under Create configuration.
  - Copy the SCIM Base URL from the Cloud Console and paste this into the Tenant URL field in Entra.
  - Create a SCIM Token with a name of your choice (for example, Entra ID). Copy the token and paste it into the Secret token field in Entra.
  - Click Test connection. If this was successful, you should see a green alert at the top right corner of your browser window.
  - Click Create.
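The following added example (not part of the original guide and not CoreWeave's implementation) models both sides of the Test connection step: the IdP sends the Secret token as a bearer credential to the Tenant URL and looks up a user that cannot exist, and a toy SCIM service provider answers. The URL, token and function names are constructed for illustration.

```python
import hmac
import re
import uuid
from urllib.parse import parse_qs, quote, urlsplit

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"

def build_probe(tenant_url, secret_token):
    """IdP side: query for a userName that cannot exist (a random GUID)."""
    flt = 'userName eq "%s"' % uuid.uuid4()
    return {"method": "GET",
            "url": tenant_url.rstrip("/") + "/Users?filter=" + quote(flt),
            "headers": {"Authorization": "Bearer " + secret_token}}

def handle(request, valid_token, users):
    """Service-provider side (toy): check the bearer token, then apply the filter."""
    header = request["headers"].get("Authorization", "")
    scheme, _, presented = header.partition(" ")
    # Constant-time comparison, so timing does not reveal how much of the token matched.
    token_ok = hmac.compare_digest(presented.encode(), valid_token.encode())
    if scheme != "Bearer" or not token_ok:
        return 401, {"schemas": [ERROR], "status": "401", "detail": "invalid token"}
    query = parse_qs(urlsplit(request["url"]).query)
    match = re.fullmatch(r'userName eq "([^"]*)"', query.get("filter", [""])[0])
    if match is None:
        return 400, {"schemas": [ERROR], "status": "400", "scimType": "invalidFilter"}
    found = [u for u in users if u["userName"] == match.group(1)]
    return 200, {"schemas": [LIST_RESPONSE], "totalResults": len(found),
                 "startIndex": 1, "itemsPerPage": len(found), "Resources": found}

def connection_ok(status, body):
    """The probe passes on HTTP 200 with a ListResponse, even an empty one."""
    return status == 200 and LIST_RESPONSE in body.get("schemas", [])

if __name__ == "__main__":
    token = "constructed-token-for-demo"               # constructed value
    base = "https://scim.example.invalid/scim/v2/"     # constructed value
    print(handle(build_probe(base, token), token, []))
    print(handle(build_probe(base, "wrong-token"), token, []))
```

Because the token alone authenticates every provisioning request, treat it like any other long-lived secret: store it only in Entra's Secret token field and replace it if it is exposed.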
Assign users and groups
To complete the integration, you'll assign users to a group in your IdP, and then assign the group to your application. Finally, you'll test the integration by checking whether the users sync to Cloud Console.
- In Cloud Console, open the list of Users in your organization.
- Assign users to a group in Entra:
  - In Entra, click on Users and groups on your Enterprise App's left menu under Manage.
  - Click Add user/group to select the users and groups that should be synced with CoreWeave Cloud IAM.
- In Cloud Console, refresh the page showing your Users list. The users in the group you just assigned in Entra appear immediately in Cloud Console.
Remove the Department attribute from attribute mappings
The department attribute in Microsoft Entra can prevent groups from syncing properly with CoreWeave IAM. Before syncing groups, remove this attribute:
- Click on Enterprise apps, and select the app that represents your CoreWeave integration.
- Under the Manage heading on the left menu select Attribute Mapping (Preview).
- Select Provision Microsoft Entra ID Users.
- Find the department attribute, and under Remote click Delete.
- Navigate to the top of the page and click Save to save your attribute mapping.
This adjustment removes the department attribute from the attribute mapping used for syncing with CoreWeave, but does not change the attribute inside Entra itself.
Recommended group sync configuration
- Configure a regular Entra group for all the users you want to push to CoreWeave.
- Configure regular Entra groups for all the subgroups that you want to represent in Cloud Console.
- For legacy CoreWeave IAM deployments, ensure that none of your selected Entra groups and subgroups shares a name with a default user group. Otherwise, for every push group with the same name as a default user group, create a new user group with the appropriate default policies attached.
Legacy default user groups
Legacy CoreWeave IAM deployments automatically provisioned a set of default user groups with specific policies attached. The policies attached to these groups were necessary for operating CoreWeave services. These legacy default user groups included:
- admin
- metrics
- read
- write
- billing_viewer
When you use SCIM to sync groups with a legacy CoreWeave IAM deployment, you must resolve the naming conflict. Either avoid syncing push groups with these names, or do the following for each push group that has the same name as a default user group:
- Create a new user group in CoreWeave IAM with a new preferred name.
- Assign the policies attached to a default user group. For example, for an administration group use the policies attached to the admin group.
- Delete the default user group prior to configuring a push group with the same name.