Azure AD Group Sync

This guide will detail how to sync Azure AD groups to Turbot, allowing administrators to grant permissions to resources based off of said groups rather than individually assigning to users.

This guide assumes that the Azure AD directory is configured in Turbot and it has been verified that users can log in.

Configure Turbot Directory for Groups

The mod @turbot/turbot-iam must be on version 5.6.0 or above to enable group syncing!

  1. Navigate to the Permissions tab in Turbot (designated with a user icon) and then click Directories.
  2. Select the pencil icon in line with the Azure AD directory. This will bring up the directory edit window.
  3. Open the Groups section and fill in the required values.

    • Profile Groups Attribute: This value should match the name that was configured in the SAML app. Typically, this will be memberOf.
    • Group Filter: An optional field that accepts a regex expression, which will limit the groups that Turbot will sync. Leave this blank if all groups should be added.
    • Allow Group Syncing: Set this to Enabled.
  4. Click Update to save the configuration.

Congrats! The Azure AD directory in Turbot is now ready to sync directories. However, the Azure AD must be configured such that Turbot can parse the response.

Configure Group Attributes in Azure AD

This will require rights in Azure that allow modification to the Turbot application.

  1. Log into the Azure portal with sufficient rights and type Enterprise Applications into the search bar. Select the Enterprise Applications option.
  2. With All Applications selected on the left side menu, search for the relevant Turbot Azure AD SAML application.
  3. Under Manage, find the Single sign-on menu, then click edit for the User Attributes & Claims.
  4. Modify the additional claims to match this screenshot:


  1. Ensure that the desired users and groups are added to the Turbot SAML app in Azure AD. Failure to have users and groups provisioned for the application will cause issues with Turbot recognizing who belongs to what groups and will prevent access into Turbot via Azure AD. More information can be found in the Microsoft documentation, Managing user assignment for an app in Azure Active Directory.

Note: SAML will sync groups upon login and will NOT fetch groups. As users log in over time, groups will be added when new ones appear. Once the group has been created in Turbot, it can be used to assign permissions to resources.