Overview
This document will walk through setting up a roles attribute on the Ramp user profile in Microsoft Entra that will sync over to Ramp user roles via your existing SCIM integration. For help with initial SCIM setup, visit this article.
Note: Role assignments from Entra are currently only supported for businesses with access to the full Ramp suite, including card issuing. Other Entra SCIM features are still fully available.
How it works
Navigate to App registrations in the far left sidebar.
Under the All applications tab, select your Ramp integration. This will take you to the application's registration overview page.
From here, navigate to App roles in the sidebar.
Create roles matching the desired Ramp roles by clicking Create app role and inputting information on each role you’re creating. Supported roles include:
| Display name | Value |
| Admin | BUSINESS_ADMIN |
| Cardholder | BUSINESS_USER |
| Bookkeeper | BUSINESS_BOOKKEEPER |
| Guest | GUEST_USER |
| IT Admin | IT_ADMIN |
The completed setup for each role should mirror the image below; the description can be any desired description.
Other default roles can be removed from the application; Ramp will not recognize these other roles.
To apply these roles to users in the Ramp application, navigate Enterprise applications in the left sidebar and then click into your Ramp enterprise application.
In your Ramp application, click Provisioning, then Attribute mapping (Preview), then Provision Microsoft Entra ID Users to reach the mappings for your application:
At the bottom of the screen, click Show advanced options and then Edit attribute list for customappsso.
Here, add “roles” as a new attribute with the “String” type. Leave the other columns unchecked.
Save this configuration at the top of the screen, and then navigate back to the Attribute mapping page using the link at the top of the page.
Now, click Add New Mapping below the table of existing attribute mappings:
Enter the following configuration for role assignments:
Ensure that the Expression value is correct:
AssertiveAppRoleAssignmentsComplex([appRoleAssignments])
Finish adding the mapping and save the new mapping in the attribute mapping menu.
Entra is now set to provision user roles to Ramp! Adding roles to new or existing users will result in those roles being applied in Ramp.
There are multiple ways to apply roles to users. When adding a user/group in the Users and groups menu under provisioning, you can select a role to assign to the newly-assigned users:
Similarly, existing users can have their roles updated by checking them and clicking Edit assignment, which will lead to the same menu.
Note that some roles—in particular, Guest User—can only be assigned during user creation. To avoid issues, ensure that users who need this role are assigned to the correct role when they are initially provisioned. One way to do this easily is to assign users through an Entra group and assign a role to the entire group at once.
Once users are provisioned, they should show up in the People menu in Ramp within ~20 minutes: