BrowserStack user provisioning with Azure AD (aka Microsoft Entra ID)

Connect Azure Active Directory with BrowserStack

Introduction

Azure Active Directory integration with BrowserStack allows you to automatically provision and de-provision users from Azure AD.

Prerequisites

  • Enterprise plan on BrowserStack.
  • A user account in Azure AD with permission to configure provisioning (for example, Application Administrator, Cloud Application Administrator, Application Owner, or Global Administrator).
  • Single Sign-on integration with BrowserStack (mandatory).
  • A user with Owner permissions can set up user provisioning on BrowserStack.
Note: The Owner can also grant user provisioning setup access to one of the Admins.

Supported features

Azure AD & BrowserStack user provisioning integration currently supports the following features:

  • User provisioning & de-provisioning
  • Attribute assignment for users on BrowserStack:
    • Role assignment
    • Product access
    • Team assignment

Step 1: Initiate provisioning setup

Follow the steps below to set up user provisioning with Azure AD:

  1. Log in to BrowserStack as a user with Owner permissions.

  2. Go to Account > Security and select Authentication from the side-nav menu.

  3. Under Auto User Provisioning, click Configure.

  4. Select the user attributes that you want to control from Azure AD and click Confirm.

  5. Copy the Tenant URL and Secret Token. These values will be entered in the Tenant URL and Secret Token fields in the Provisioning tab of your BrowserStack application in the Azure portal. Click Done.

  6. Your provisioning configuration has been saved on BrowserStack. Enable user provisioning in BrowserStack only once the provisioning setup on Azure AD is completed, so that inviting new users from the BrowserStack account is not blocked in the meantime.

Step 2: Configure app on Azure AD

  1. Sign in to the Azure portal. Select Enterprise Applications, then select All applications.

  2. In the applications list, select BrowserStack Single Sign-on.

  3. Select the Provisioning tab.

  4. Set the Provisioning Mode to Automatic.

  5. Under the Admin Credentials section, input your BrowserStack Tenant URL and Secret Token. Click Test Connection to ensure Azure AD can connect to BrowserStack. If the connection fails, ensure your BrowserStack account has Admin permissions and try again.

  6. Once the connection is successful, turn the Provisioning Status to ON.

  7. In the Notification Email field, enter the email address of a person who should receive the provisioning error notifications and select the Send an email notification when a failure occurs check box.

  8. Select Save.

Step 3: Custom attribute mappings

  1. Under the Mappings section, click Provision Azure Active Directory Users.

  2. Default attributes are listed under Attribute Mappings. These attribute mappings (e.g. userName, name.givenName, name.familyName) are mandatory for the application to function correctly. For these required attributes, the Delete feature is unavailable in Azure.

  3. For the userPrincipalName mapping, click Edit. In the Apply this mapping dropdown, select Always as the value.

  4. Apart from the required attributes, you will need to configure the custom attributes in order to configure role, team and product access for any users on BrowserStack.

  5. To configure a custom attribute, click Add New Mapping.

  6. Under Edit Attribute, select the Mapping type from the dropdown.

Mapping types

The mapping type defines how the custom attributes are populated. You can use the Direct, Constant, or Expression mapping type depending on your needs. Details on how to use each mapping type:

A. Direct mapping

In case of Direct mapping, the target attribute is populated with the value of an attribute of the linked object in Azure AD.

  1. Click Mapping type dropdown. Select Direct.

  2. Under Edit Attribute, you can click Target attribute dropdown, to view the 3 custom attributes. You need to map each of these target attributes to a source attribute.

  3. When customizing attribute mappings for user provisioning, you can select the attribute you want to map to any of the target attributes. You can either use the existing available source attributes or create and add new source attributes:
    • Users in Azure AD Cloud: For users only in Azure AD, you can use Microsoft Graph or PowerShell to extend the user schema for users in Azure AD.
    • Users in on-premise Active Directory: For users in on-premise Active Directory, you must sync the users to Azure AD cloud. You can sync users and attributes using Azure AD Connect. Azure AD Connect automatically synchronizes certain attributes to Azure AD, but not all attributes.

B. Expression mapping

If you don't want to create a source attribute, you can use Expression mapping. In this case, the target attribute is populated based on the result of a script-like expression.

  1. Click Mapping type dropdown. Select Expression.

  2. Define the Expression for populating target attribute. For expressions, you can use the user resource type attributes that are supported by the Azure AD directory user profile. Example for expressions:

Target attribute: urn:ietf:params:scim:schemas:extension:Bstack:2.0:User:bstack_product
Expression: Switch([department], "Live-Testing", "team1", "App-Automate-Testing", "team2", "App-Live-Testing")

Target attribute: urn:ietf:params:scim:schemas:extension:Bstack:2.0:User:bstack_role
Expression: Switch(SingleAppRoleAssignment([appRoleAssignments]), "User", "Global administrator", "Owner", "Application Administrator", "Admin")

C. Constant mapping

If you want the target attribute to be populated with a specific string you specified, you can make use of Constant mapping. Example for constants:

Target attribute: urn:ietf:params:scim:schemas:extension:Bstack:2.0:User:bstack_role
Constant Value: User

Target attribute: urn:ietf:params:scim:schemas:extension:Bstack:2.0:User:bstack_product
Constant Value: Live-Testing

Note: For more details on attribute-mappings, see Understanding attribute-mapping types.

BrowserStack attributes description

The details on BrowserStack’s attribute mapping, their possible values and description:

BrowserStack attribute: urn:ietf:params:scim:schemas:extension:Bstack:2.0:User:bstack_role

  1. Default role assigned is User. This is possible in two scenarios:
  2. Supported attribute values (when attribute controlled from Azure AD):
    • User: User role will be assigned
    • Admin: Admin role will be assigned
    • Owner: New Owner will be assigned, the current/old owner will be replaced with the new owner. The current/old owner will become an admin.
    • No value, empty, or any other value: The user is created as User by default.

BrowserStack attribute: urn:ietf:params:scim:schemas:extension:Bstack:2.0:User:bstack_team

  1. By default a user is added to Group/Organization on BrowserStack. This is possible in two scenarios:
  2. Supported attribute values (when attribute controlled from Azure AD):
    • team_web_testing (example): User will get added to an existing team (if a team exists with this name). If the team does not exist, a new team will be created with the passed attribute value.
    • No value/Empty: User will be assigned as part of main Group.

BrowserStack attribute: urn:ietf:params:scim:schemas:extension:Bstack:2.0:User:bstack_product

  1. By default no product access is assigned. This is possible in two scenarios:
  2. Supported attribute values (when attribute controlled from Azure AD), with the product access each value assigns:
    • Visual-Testing: Percy
    • Automate-Testing: Automate
    • Live-Testing: Live
    • App-Automate-Testing: App Automate
    • App-Live-Testing: App Live
    • App-Percy: App-Percy
    • Accessibility-Testing: Accessibility Testing
    • Test-Observability: Test Observability
Note: Multiple values can be passed for product access in a comma-separated string. Example: Live-Testing,Visual-Testing
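
An added example, not part of the BrowserStack documentation: a dry run that evaluates the two example Switch expressions from this page against a list of directory users and flags results that the value lists above, or the Incompatible attributes entry under Troubleshooting, mark as unsupported. The user records, the appRole/department/team field names and the exact-match comparison in switch() are assumptions.

```python
# Added example (not BrowserStack or Microsoft code). Allowed values come from the
# lists on this page; the user records and their field names are constructed.
ROLES = {"User", "Admin", "Owner"}
PRODUCTS = {"Visual-Testing", "Automate-Testing", "Live-Testing", "App-Automate-Testing",
            "App-Live-Testing", "App-Percy", "Accessibility-Testing", "Test-Observability"}
# Arguments that follow the source in the page's two example Switch() expressions.
ROLE_EXPR = ("User", "Global administrator", "Owner", "Application Administrator", "Admin")
PRODUCT_EXPR = ("Live-Testing", "team1", "App-Automate-Testing", "team2", "App-Live-Testing")

def switch(source, default, *pairs):
    """Model of Switch(source, default, key1, value1, ...): the value of the first
    matching key, else the default. Exact string comparison is an assumption."""
    if len(pairs) % 2:
        raise ValueError("Switch() needs complete key/value pairs")
    for key, value in zip(pairs[0::2], pairs[1::2]):
        if source == key:
            return value
    return default

def findings(users, role_expr=ROLE_EXPR, product_expr=PRODUCT_EXPR):
    """Evaluate both mappings per user; return (userName, issue) pairs to review."""
    out, owners = [], []
    for u in users:
        name = u["userName"]
        # "appRole" stands for the result of SingleAppRoleAssignment([appRoleAssignments]).
        role = switch(u.get("appRole"), *role_expr)
        products = switch(u.get("department"), *product_expr)
        if role not in ROLES:
            out.append((name, f"unsupported role {role!r}"))
        if role == "Owner":
            owners.append(name)
            if u.get("team"):
                out.append((name, "Owner with a team assigned (incompatible attributes)"))
        for p in (x.strip() for x in products.split(",")):
            if p and p not in PRODUCTS:
                out.append((name, f"unsupported product {p!r}"))
    if len(owners) > 1:
        out.append((", ".join(owners), "more than one user maps to Owner"))
    return out

# Constructed sample directory users.
SAMPLE_USERS = [
    {"userName": "a@example.com", "appRole": "Global administrator", "department": "team1", "team": "team_web_testing"},
    {"userName": "b@example.com", "appRole": "Global administrator", "department": "team2"},
    {"userName": "c@example.com", "appRole": None, "department": "sales"},
]

if __name__ == "__main__":
    print(*(f"{who}: {issue}" for who, issue in findings(SAMPLE_USERS)), sep="\n")
```

Because an Owner value replaces the current Owner, a mapping that resolves to Owner for more than one user is worth catching before Step 4.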

Step 4: Enable user provisioning

Once you have completed the above steps, go to BrowserStack and click Enable to enable user provisioning. If you don’t enable it, you will be locked out of inviting new users via the BrowserStack UI.

Managing users from app on Azure AD

Once auto user provisioning is enabled, the user list is controlled and managed from the IdP.

  1. For your existing users on BrowserStack, we suggest that, as a first step, you assign all these users to the BrowserStack application in Azure AD. This avoids any discrepancies between the user list on BrowserStack and Azure AD.
    • By assigning user(s) to the application, they will get provisioned on BrowserStack.
    • Users will be logged out of BrowserStack and redirected to log in via SSO.
  2. To add new users on BrowserStack, add these users in Azure AD and assign them to the BrowserStack application via the Assignments tab. The Invite modal will no longer be visible on the Account page. If there were any existing invites already sent (before user provisioning was enabled), those invites will become invalid.

  3. Any user can be removed from BrowserStack, or have their access revoked, by removing the user from the BrowserStack application on Azure AD.
Note: You cannot delete the current Owner from Okta. Assign the Owner role to another user before deleting the current Owner. Updating the owner will log out the current owner as well as the old owner from their current session for security reasons.

Monitor your deployment

Once you’ve configured provisioning, use the following resources to monitor your deployment:

  1. Use the provisioning logs to determine which users have been provisioned successfully or unsuccessfully.

  2. Check the progress bar to see the status of the provisioning cycle and how close it is to completion.

  3. If the provisioning configuration seems to be in an unhealthy state, the application will go into quarantine. Learn more about quarantine states in the quarantine status documentation.

Troubleshooting

Below is a list of possible errors that might be encountered and how to resolve them:

Email is already part of a different organization account on BrowserStack

Resolution: The user is already present on BrowserStack under a different organization. Please reach out to BrowserStack support to get that account deleted before provisioning the user to your current organization account.

Invalid parameter or attribute

Resolution: Role/Product is not a valid use-case. Please use the attribute values provided above.

Owner deletion

Resolution: Assign ownership to a different user before deleting this user. The Owner cannot be deleted; a BrowserStack account needs a user with the Owner role assigned.

Incompatible attributes

Resolution: You are assigning incompatible user attributes; for example, Owner cannot have a team assigned.

Licenses not available

Resolution: You have used up all your licenses for the product. Please unassign users or add more licenses. Contact your Account Executive to get information on adding licenses.

Note: When a user is deactivated on Azure AD, they will be deleted from your BrowserStack account. Whenever the user is activated again, a new user will be created on BrowserStack. This would lead to a new id being created.

Escalation/Support

Please connect with support@browserstack.com for any escalations or support.
