Skip to main content

Documentation Index

Fetch the complete documentation index at: https://launchdarkly-preview.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

Overview

This topic explains how to integrate LaunchDarkly with Microsoft Entra ID (formerly Azure Active Directory). The Entra ID App Gallery includes LaunchDarkly and provides a LaunchDarkly application template that facilitates configuration. If you want to set up SCIM provisioning with Entra ID, read Configure SCIM.

Integrate Launch

Darkly with Entra ID To integrate LaunchDarkly with Entra ID:
  1. Log in to Entra ID.
  2. Navigate to “Enterprise applications.”
  3. Click New application:
The "Enterprise applications" page with "New application" called out.
  1. Search for the LaunchDarkly application.
  2. After you add it, follow the Microsoft Entra integration with LaunchDarkly tutorial.
If your instance of Entra ID manages multiple LaunchDarkly accounts, start a Support ticket.
During configuration, we recommend using the identifier user.mail, provided that every user has their email address attribute set. If you haven’t set attributes for every user, use the identifier user.userprincipalname.
After you set up the integration, log in to LaunchDarkly by clicking the LaunchDarkly app in Entra or through Microsoft’s My App portal. To learn more, read Microsoft’s Sign in and start apps from the My Apps portal. If members cannot log in after you set up SSO, read the troubleshooting article New users are unable to log in with Entra (formerly Azure AD) once SSO is configured.

Configure team-based or role-based access

After you integrate LaunchDarkly with Entra ID, you can configure LaunchDarkly teams or LaunchDarkly roles to map with Entra ID resources. Configuring team-based access is the most common solution, because it enables you to use Just-In-Time (JIT) user provisioning with your LaunchDarkly teams and keeps team members in sync with an Entra ID group. To learn more, read Map LaunchDarkly teams to Entra ID Security Groups. You can optionally configure role-based access to map LaunchDarkly custom roles to Entra ID user attributes or to Entra ID security groups. To learn more, read either Map custom roles to Entra User Attributes or Map custom roles to Entra Security Groups. If you are uncertain about which configuration to choose, contact your LaunchDarkly account team.

Map Launch

Darkly teams to Entra ID Security Groups After you integrate LaunchDarkly with Entra ID, you can map LaunchDarkly teams to Entra Security Groups. This keeps the members of your LaunchDarkly teams in sync with your Entra ID groups and enables you to use JIT user provisioning with Entra ID groups to automatically map users to LaunchDarkly teams. There are four steps to this process:
  1. Create Security Groups in Entra ID
  2. Create teams in LaunchDarkly
  3. Assign Entra ID Security Groups to the LaunchDarkly Enterprise Application
  4. Create a new Entra ID claim

Create Security Groups in Entra ID

First, set up a Security Group in Entra ID:
  1. In Entra ID, navigate to “Groups,” then click New group.
  2. Select the “Security” group type and enter a group name.
  3. Click Create. You are returned to the groups list.
  4. Copy the object ID of the group you want to link to a LaunchDarkly team:
The "Groups" section with the "Object Id" column called out.
You will use this group’s name and object ID in the next section. Repeat this procedure for as many groups you want to assign to LaunchDarkly teams.

Create teams in Launch

Darkly
You must map the Entra ID group name and object ID to a LaunchDarkly team before you continue. Failing to complete this step will prevent you from creating new Entra ID claims later in the procedure.
Next, create a team in LaunchDarkly using your Entra ID group name and the object ID you copied from the previous step:
  1. Click the gear icon in the left sidenav to view Organization settings.
  2. Click Teams.
  3. Click Create team. The “Create team” dialog appears.
  4. In the Name field, enter the Entra ID group name you created in the previous step.
  5. In the Key field, paste the Entra ID object ID for the group that you copied the previous section.
  6. Click Create team.
Repeat this procedure for as many teams as you want to sync with Entra ID Security Groups.

Assign Entra ID Security Groups to the Launch

Darkly Enterprise Application Then, assign Entra ID Security Groups to the LaunchDarkly Enterprise Application:
  1. In Entra ID, open the LaunchDarkly Enterprise Application.
  2. Click Users and groups. The “Users and groups” screen appears:
The "Users and groups" screen in Entra ID.
  1. On the “Groups” tab, choose the group you want to edit and click Select. The “Add Assignment” screen appears.
  2. Click None Selected under “Users and groups” to add a new group. The “Users and groups” screen appears.
The "Users and groups" screen.
  1. Choose the group you created in the Create Security Groups in Entra ID step.
  2. Click Select. You are returned to the “Add Assignment” screen.
  3. Click Assign.
Repeat this procedure for each Entra ID Security Group you created.

Create a new Entra ID claim

Finally, create a new Entra ID claim:
  1. In Entra ID, open the LaunchDarkly Enterprise Application.
  2. Click Single sign-on.
  3. Scroll to the “Attributes & Claims” section.
  4. Click Edit. The “Manage claims” form appears.
The "Attributes & Claims" section with the "Edit" button called out.
  1. Click ”+ Add a group claim.” A “Group Claims” dialog appears.
  2. Select “Groups assigned to the application” under “Which groups associated with the user should be returned in the claim?”
  3. Select “Group ID” as the source attribute.
  4. Open the Advanced options section.
  5. Check the “Customize the name of the group claim” box.
  6. Enter teamKey into the Name field:
The "Group Claims" dialog.
  1. Click Save. You are returned to the “Attributes & Claims” screen.
Close the “Attributes & Claims” screen to return to the “Single sign-on” page. To test your SSO configuration, click Test at the bottom of the page.

Map custom roles to Entra User Attributes

After you integrate LaunchDarkly with Entra ID, you can map LaunchDarkly role and custom role attributes to Entra User Attributes using Entra claims. The LaunchDarkly Entra SSO integration provides JIT user provisioning for IdP-Initiated SSO. To learn more about SSO provisioning for roles, read Roles. To set up role and customRole claims in Entra ID:
  1. In Entra ID, open the LaunchDarkly Enterprise Application.
  2. Click Single sign-on.
  3. Scroll to the “Attributes & Claims” section.
  4. Click Edit.
  5. Click Add new claim. The “Manage claim” screen appears:
The "Manage claim" screen.
  1. Enter “role” in the Name field.
  2. Leave the source as “Attribute.”
  3. Choose a source attribute from the menu that is not currently mapped, such as user.country.
  4. Click Save.
  5. Repeat steps 5-9 with “customRole,” mapping to a different unused source attribute.
SAML ignores empty fields if used in Roles or customRoles. To clear all existing roles, enter an empty string "" into the field.

Map custom roles to Entra Security Groups

In addition to Entra User Attributes, you can also assign LaunchDarkly custom roles to Entra Security Groups. There are five steps to this process:
  1. Create roles in LaunchDarkly
  2. Create groups in Entra ID
  3. Create roles for the Entra LaunchDarkly Enterprise Application
  4. Set up groups and roles in the Entra LaunchDarkly Enterprise Application
  5. Update the Entra LaunchDarkly Enterprise Application SSO configuration
Each of these steps is outlined below.

Create roles in Launch

Darkly To begin, create the roles in LaunchDarkly that you want to use with the Entra LaunchDarkly Enterprise Application. Make note of each role’s key, as you will need the key when you set up your Entra ID app role. To learn how, read Roles.

Create groups in Entra ID

After you have created your custom roles in LaunchDarkly, set up your groups in Entra ID:
  1. In Entra ID, navigate to “Groups,” then click New group.
  2. Select a group type and enter a group name.
  3. Click “No members selected” to add new members:
A new Entra ID group.
  1. Select members from the list to add to the group, then click Select:
Adding members to a new Entra ID group.
Your Entra ID members are now in the group.

Create roles for the Entra Launch

Darkly Enterprise Application Next, create roles within Entra ID:
  1. In Entra ID, navigate to Applications.
  2. Click App registrations in the left sidenav.
  3. Click the All applications tab:
The "All applications" tab on the "App registrations" page in Entra ID.
  1. Click LaunchDarkly to open the application.
  2. Navigate to “App roles” and click Create app role.
  3. Enter the role information. The value must be the key of the custom role you created during the Create custom roles in LaunchDarkly step:
A new role in Entra ID with the "Value" field called out.
  1. Click Apply.
Repeat this procedure for each new Entra app role.

Set up groups and roles in the Entra Launch

Darkly Enterprise Application Then, set up groups and roles in Entra ID:
  1. In Entra ID, open the LaunchDarkly Enterprise Application.
  2. Click Users and groups. The “Users and groups” screen appears:
The "Users and groups" screen in Entra ID.
  1. On the “Groups” tab, choose the group you want to edit and click Select. The “Add Assignment” screen appears.
  2. Click None Selected under “Users and groups” to add a new group. The “Users and groups” screen appears:
The "Users and groups" screen.
  1. Choose the group you created in the Create groups in Entra ID step.
  2. Click Select. You are returned to the “Add Assignment” screen.
  3. Click None Selected under “Select a new role” to add a new role:
Selecting a role to add to a group.
  1. Choose the role you created in the Create roles for the Entra LaunchDarkly Enterprise Application step.
  2. Click Select. You are returned to the “Add Assignment” screen.
  3. Click Assign.
Repeat this procedure for each group and role you want to set up.

Update the Entra Launch

Darkly Enterprise Application SSO configuration Finally, update Entra’s SSO configuration:
  1. In Entra ID, open the LaunchDarkly Enterprise Application.
  2. Click Single sign-on.
  3. Scroll to the “Attributes & Claims” section.
  4. Click Edit. The “Manage claims” form appears.
The "Attributes & Claims" section with the "Edit" button called out.
  1. Enter customRole in the Name field.
  2. Leave the Namespace field empty.
  3. Select “Attribute” as the source.
  4. Enter user.assignedroles in the Source attribute field.
  5. Click Save. You are returned to the “Attributes & Claims” screen.
Close the “Attributes & Claims” screen to return to the “Single sign-on” page. To test your SSO configuration, click Test at the bottom of the page. For another example of this setup process, read How to setup LaunchDarkly custom roles from Entra (formerly Azure AD) Security Groups.