# Configure Automated User Provisioning with Microsoft Entra

> Configure CoreWeave Automated User Provisioning with Microsoft Entra

Automated User Provisioning (AUP) lets you instantly sync users and groups from your identity provider (IdP) to the Cloud Console, using the SCIM (System for Cross-domain Identity Management) standard. You no longer need to send invites or wait for users to sign in.

This guide shows how to set up AUP with Microsoft Entra as the IdP. When you finish, SAML SSO and one-way SCIM are configured, and you can assign Entra users and groups so they sync into CoreWeave IAM.

## Prerequisites

You need the following access:

* Admin access to the CoreWeave Cloud Console.
* Admin access to the Microsoft Entra dashboard.

## Create SAML integration

Configure SAML SSO first, because AUP relies on it for authentication.

1. Open the Cloud Console and the Microsoft Entra dashboard in separate windows.

   * In the Cloud Console: Navigate to the [SAML SSO](https://console.coreweave.com/organization/iam/sso) page and click **Configure SAML**.
   * In Entra: Open the Microsoft Entra dashboard at [entra.microsoft.com](https://entra.microsoft.com).
     * Click **Enterprise Apps**, select **+ New Application** in the top bar, and select **Create your own application**.
     * Choose an appropriate name for your CoreWeave organization and select **Integrate any other application you don't find in the gallery (Non-gallery)**.
     * When you return to the Enterprise Apps page, select your new application and click **Single sign on** under the **Manage** menu in the left bar.

   For the next few steps, the Cloud Console displays details for your integration that you need to copy into Entra.

2. In Entra, select **SAML 2.0** under **Select a single sign-on method**.

3. Under section **1: Basic SAML Configuration**, click **Edit**.

4. Copy the *ACS URL* from the Cloud Console and paste it into Entra's *Reply URL (Assertion Consumer Service URL)* field.

5. Copy the *Entity ID* from the Cloud Console and paste it into Entra's *Entity ID* field.

6. Under section **2: Attributes and Claims**, click **Edit**.

7. Under **Additional Claims**, click each claim and edit the top *Name* field so that the names map to the following Azure values:

   | Name         | Value            |
   | ------------ | ---------------- |
   | `first_name` | `user.givenname` |
   | `last_name`  | `user.surname`   |
   | `email`      | `user.mail`      |

8. Under section **3: SAML Certificates**, click **Edit**. In the menu that opens, set *Signing Option* to *Sign SAML Response and Assertion*. Click **Save** to save the settings.

9. Return to section **3: SAML Certificates**. Copy the URL from the *App Federation Metadata URL* field into your clipboard.

10. Return to the CoreWeave Cloud Console. Click the **Metadata URL** field and paste the URL you copied from Entra.

11. In the Cloud Console, click **Next** and then click **Deploy SSO**.

12. Return to Entra and scroll to the end of the SAML configuration page. Click **Test**, and then click **Test** again in the **Test Single Sign on with your \[Enterprise App Name]** dialog. You should be prompted to sign in to the CoreWeave Cloud Console through your Microsoft account. If the test succeeds, you complete sign-in and arrive at the Clusters page.

## Configure one-way SCIM

Set up one-way SCIM provisioning so the Cloud Console can receive user and group information from Entra:

1. In the Cloud Console, on the [SCIM Configuration](https://console.coreweave.com/organization/iam/scim) page, toggle **Enable SCIM API** and **Enable Automated User Provisioning**. Record the **SCIM Base URL** and **SCIM Token** values. You need both later.

2. In the Cloud Console, create a new **SCIM Token** with a name of your choice (for example, **Entra ID**).

3. In Entra:

   * On your Enterprise App's left navigation bar, click **Provisioning** (located under **Single Sign On**).
   * Click **Connect your application** under *Create configuration*.
   * Copy the **SCIM Base URL** from the Cloud Console and paste this into the **Tenant URL** field in Entra.
   * Copy the **SCIM Token** from the Cloud Console and paste it into the **Secret token** field in Entra.
   * Click **Test connection**. If the test succeeds, you should see a green alert at the top right corner of your browser window.
   * Click **Create**.

## Assign users and groups

To complete the integration, assign users to a group in your IdP, and then assign the group to your application. Then test the integration by checking whether the users sync to the Cloud Console.

1. In the Cloud Console, navigate to the [Users](https://console.coreweave.com/organization/users) page to view a list of all users in your organization.

2. Assign users to a group in Entra:

   * In Entra, click **Users and groups** on your Enterprise App's left menu under **Manage**.
   * Click **Add user/group** to select the users and groups that should sync with CoreWeave Cloud IAM.

3. In Entra, toggle the **Provisioning Status** to **On** under the **Provisioning** section. (This step is [required when enabling provisioning for the first time](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/configure-automatic-user-provisioning-portal#provisioning-status).)

4. In the Cloud Console, refresh the page showing your **Users** list. The users in the group you just assigned in Entra appear immediately in the Cloud Console.

## Map SSH keys for SUNK

If you use [SUNK User Provisioning (SUP)](/products/sunk/manage_sunk/manage_cluster_access/sunk_user_provisioning), you can sync SSH public keys from Entra to CoreWeave so that users can use SSH to connect to SUNK login nodes. This requires creating a custom extension attribute in Entra and mapping it to CoreWeave's SCIM endpoint.

<Note>
  If you are not using SUNK, skip this section.
</Note>

### Create the SSH key extension attribute

Entra does not include a built-in attribute for SSH keys. You must create a custom extension property on your Enterprise Application's backing application registration.

1. In PowerShell, install the Microsoft Graph module if you have not already:

   ```powershell
   Install-Module Microsoft.Graph -Scope CurrentUser
   ```

2. Connect to Microsoft Graph. This operation requires the `Application.ReadWrite.All` permission:

   ```powershell
   Connect-MgGraph -Scopes "Application.ReadWrite.All"
   ```

3. Find the **Object ID** of the application registration that backs your CoreWeave Enterprise Application. In the Entra portal, navigate to **App registrations** > **All applications**, find your CoreWeave app, and copy the **Object ID** (not the Application ID).

4. Create the extension property. Replace `[APP-OBJECT-ID]` with that object ID:

   ```powershell
   New-MgApplicationExtensionProperty `
     -ApplicationId [APP-OBJECT-ID] `
     -Name "sunkSshKeys" `
     -DataType "String" `
     -TargetObjects @("User")
   ```

   Entra generates a prefixed name like `extension_[APP-ID-NO-HYPHENS]_sunkSshKeys`. This prefixed name is what you reference within Entra (for example, in PowerShell commands and Terraform). CoreWeave's SCIM endpoint only sees the `sunkSshKeys` portion after the namespace mapping, so the prefix does not affect provisioning.

### Set the SSH key on a user profile

Writing custom extension attributes to user profiles requires the `User.ReadWrite.All` Microsoft Graph permission. The more limited `User.ReadWrite` scope is not sufficient for custom extension attributes.

To set an SSH key on a user profile, replace `[USER-EMAIL]` with the user's email address, replace the extension attribute name with the prefixed name Entra generated, and replace `[SSH-PUBLIC-KEY]` with the full public key string:

```powershell
# Requires a Microsoft Graph session that includes the User.ReadWrite.All scope.
Update-MgUser -UserId [USER-EMAIL] `
  -AdditionalProperties @{
    extension_[APP-ID-NO-HYPHENS]_sunkSshKeys = "[SSH-PUBLIC-KEY]"
  }
```

For example, `[SSH-PUBLIC-KEY]` might look like `ssh-ed25519 AAAAC3Nza...`.
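
The extension attribute is a plain string, so Entra stores whatever is written to it. The following added example (not CoreWeave's or Microsoft's code) checks that a value is a single well-formed OpenSSH public key before writing it. `Test-SshPublicKey` and `Set-SunkSshKey` are hypothetical helper names, the accepted key types are an assumption, and the sample key is constructed from zero bytes.

```powershell
# Added example: validate an OpenSSH public key line before writing it to Entra.
# Assumption: these are the key types you accept; adjust to your own policy.
$AllowedKeyTypes = 'ssh-ed25519', 'ssh-rsa', 'ecdsa-sha2-nistp256',
                   'ecdsa-sha2-nistp384', 'ecdsa-sha2-nistp521'

function Test-SshPublicKey {
    param([string]$Key)
    # Reject multi-line input and private key material pasted by mistake.
    if ($Key -match '[\r\n]' -or $Key -match 'PRIVATE KEY') { return $false }
    $parts = @($Key.Trim() -split '\s+', 3)   # key type, base64 blob, optional comment
    if ($parts.Count -lt 2 -or $parts[0] -notin $AllowedKeyTypes) { return $false }
    try { $blob = [Convert]::FromBase64String($parts[1]) } catch { return $false }
    if ($blob.Length -lt 4) { return $false }
    # The blob starts with a 4-byte big-endian length followed by the key type,
    # which must match the type named in the text prefix.
    $len = 0
    foreach ($b in $blob[0..3]) { $len = ($len -shl 8) -bor $b }
    if ($len -le 0 -or $len -gt ($blob.Length - 4)) { return $false }
    return ([Text.Encoding]::ASCII.GetString($blob, 4, $len) -ceq $parts[0])
}

function Set-SunkSshKey {
    # $AttributeName is the prefixed extension name that Entra generated.
    param([string]$UserId, [string]$AttributeName, [string]$Key)
    if (-not (Test-SshPublicKey $Key)) { throw 'Refusing to write: not a valid SSH public key.' }
    # Needs a Graph session with User.ReadWrite.All, as described above.
    Update-MgUser -UserId $UserId -AdditionalProperties @{ $AttributeName = $Key.Trim() }
}

# Constructed sample: an ssh-ed25519 header followed by 32 zero bytes (not a real key).
[byte[]]$sampleBlob = @(0, 0, 0, 11) + [Text.Encoding]::ASCII.GetBytes('ssh-ed25519') +
                      @(0, 0, 0, 32) + (New-Object byte[] 32)
$sample = 'ssh-ed25519 ' + [Convert]::ToBase64String($sampleBlob) + ' constructed@example.invalid'

# Well-formed public key line.
Test-SshPublicKey $sample
# Private key header pasted instead of the public key.
Test-SshPublicKey '-----BEGIN OPENSSH PRIVATE KEY-----'
# Text prefix that disagrees with the key type inside the blob.
Test-SshPublicKey ($sample -replace '^ssh-ed25519', 'ssh-rsa')
```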

### Add the attribute mapping

1. In Entra, navigate to your CoreWeave Enterprise Application.

2. Under **Manage**, select **Provisioning** > **Attribute Mapping (Preview)**.

3. Select **Provision Microsoft Entra ID Users**.

4. Click **Add New Mapping** and configure the following fields:

   | Field                              | Value                                                                                 |
   | ---------------------------------- | ------------------------------------------------------------------------------------- |
   | Mapping type                       | Direct                                                                                |
   | Source attribute                   | `extension_[APP-ID-NO-HYPHENS]_sunkSshKeys`                                           |
   | Target attribute                   | `urn:coreweave:params:scim:schemas:extension:coreweave:2.0:CoreWeaveUser:sunkSshKeys` |
   | Match objects using this attribute | No                                                                                    |
   | Apply this mapping                 | Always                                                                                |

5. Click **OK**, then click **Save** at the top of the attribute mappings page.

### Verify the sync

1. In Entra, trigger a provisioning cycle (or wait for the next automatic cycle).

2. In the Cloud Console, navigate to **Users**, click the three-dot menu next to the target user, and select **View Details**.

3. Under **Slurm Attributes**, confirm the **SSH Keys** field contains the public key you set in Entra.

If the key does not appear, check the Entra provisioning logs for errors. For more details about verifying SSH keys and configuring SUP, see [Provision users in SUNK](/products/sunk/manage_sunk/manage_cluster_access/sunk_user_provisioning).

## Adjust attribute mappings

### Remove the Department attribute

The **department** attribute in Microsoft Entra can prevent groups from syncing properly with CoreWeave IAM. Before syncing groups, remove this attribute:

1. Click **Enterprise apps**, and select the app that represents your CoreWeave integration.

2. Under the **Manage** heading on the left menu, select **Provisioning** > **Attribute Mapping (Preview)**.

3. Select **Provision Microsoft Entra ID Users**.

4. Find the **department** attribute, and under *Remote* click **Delete**.

5. Navigate to the top of the page and click **Save** to save your attribute mapping.

This adjustment removes the **department** attribute from the attribute mapping used for syncing with CoreWeave, but does not change the attribute inside Entra itself.

## Sync groups

### Nested groups

CoreWeave SCIM does not support nested groups. If you assign a parent Entra group whose **Members** list includes references to other groups, provisioning fails for those nested group members. To avoid sync errors, use one of the following approaches:

* Assign only flat (leaf) groups to your Enterprise App. Do not assign parent groups that contain sub-groups.
* Add a [scoping filter](https://learn.microsoft.com/en-us/entra/identity/app-provisioning/define-conditional-rules-for-provisioning-user-accounts) on the group provisioning mapping to exclude parent groups.
* Use an Entra [dynamic group](https://learn.microsoft.com/en-us/entra/identity/users/groups-dynamic-membership) to flatten nested memberships into a single flat group before syncing.

### Recommended group sync configuration

1. Configure a regular Entra group for all the users you want to push to CoreWeave.

2. Configure regular Entra groups for all the subgroups that you want to represent in the Cloud Console.

3. For legacy CoreWeave IAM deployments, ensure that your selected Entra groups and subgroups do not share a name with any of the default user groups. Alternatively, for every push group that has the same name as a default user group, create a new user group with the appropriate default policies attached.

### Legacy default user groups

Legacy CoreWeave IAM deployments automatically provisioned a set of default user groups with specific policies attached. The policies attached to these groups were necessary for operating CoreWeave services. These legacy default user groups included:

* `admin`
* `metrics`
* `read`
* `write`
* `billing_viewer`

When syncing groups to a legacy CoreWeave IAM deployment with SCIM, you must resolve the naming conflict. Either avoid syncing push groups with these names, or do the following for each push group that has the same name as a default user group:

* Create a new user group in CoreWeave IAM with a new preferred name.
* Assign the policies attached to a default user group. For example, for an administration group use the policies attached to the `admin` group.
* Delete the default user group before configuring a push group with the same name.
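
One way to check the groups assigned to your Enterprise App for both problems described in this section, nested group members and legacy default names, before you turn provisioning on. This is an added example, not CoreWeave's or Microsoft's code: `Test-GroupForScimSync` and `Get-AssignedGroupReport` are hypothetical helper names, the case-insensitive name comparison is an assumption, and the sample groups are constructed.

```powershell
# Added example: flag Entra groups that would cause SCIM sync problems.
# Legacy default user group names, as listed on this page.
$LegacyDefaultGroups = 'admin', 'metrics', 'read', 'write', 'billing_viewer'

function Test-GroupForScimSync {
    param(
        [string]$DisplayName,
        # '@odata.type' of each direct member, as Microsoft Graph reports it.
        [string[]]$MemberTypes = @()
    )
    $issues = @()
    if ($MemberTypes -contains '#microsoft.graph.group') {
        $issues += 'has nested group members'
    }
    # Assumption: compare case-insensitively (PowerShell's default) to be conservative.
    if ($LegacyDefaultGroups -contains $DisplayName) {
        $issues += 'name matches a legacy default user group'
    }
    [pscustomobject]@{
        Group  = $DisplayName
        Ok     = ($issues.Count -eq 0)
        Issues = ($issues -join '; ')
    }
}

function Get-AssignedGroupReport {
    # $ServicePrincipalId is the Object ID of the Enterprise App (its service principal).
    # Needs a Graph session that can read app role assignments and group members,
    # for example Application.Read.All and GroupMember.Read.All.
    param([Parameter(Mandatory)][string]$ServicePrincipalId)
    Get-MgServicePrincipalAppRoleAssignedTo -ServicePrincipalId $ServicePrincipalId -All |
        Where-Object { $_.PrincipalType -eq 'Group' } |
        ForEach-Object {
            $group = $_
            $types = @(Get-MgGroupMember -GroupId $group.PrincipalId -All |
                ForEach-Object { $_.AdditionalProperties['@odata.type'] })
            Test-GroupForScimSync -DisplayName $group.PrincipalDisplayName -MemberTypes $types
        }
}

# Constructed sample input (not real tenant data); runs without a Graph connection.
Test-GroupForScimSync -DisplayName 'ml-research' -MemberTypes '#microsoft.graph.user'
Test-GroupForScimSync -DisplayName 'Admin' -MemberTypes '#microsoft.graph.user', '#microsoft.graph.group'
```

Against a live tenant, call `Get-AssignedGroupReport` with the Enterprise App's Object ID and review every row where `Ok` is false before assigning or syncing that group.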
