Microsoft Entra ID

This guide shows you how to set up SCIM provisioning with Microsoft Entra ID for your Sketch Workspace. If you get stuck during setup, contact us and we’ll help you out.

If you already use Entra ID for SSO through the Sketch Gallery app, start with the Existing Entra ID SSO configuration section at the end of this guide: the Gallery app doesn't support SCIM, so you'll need to delete it and create a custom app before continuing.

1. Create a custom application

  1. Navigate to Enterprise apps > All applications, then click New application.
  2. Select Create your own application.
  3. Name your application and keep the preselected option Integrate any other application you don’t find in the gallery (Non-gallery).
An image showing how to create a custom application in Microsoft Entra ID

Configure SSO

  1. Under Single sign-on, choose SAML and enter the Identifier (Entity ID), Reply URL (Assertion Consumer Service URL) and Sign on URL for Sketch.
  2. Update the attributes and claims. The defaults Entra ID creates won't work as-is, so review each claim and set the mappings below. Incorrect mappings are the most common cause of sign-in failures.

    • Email: map the email claim to user.userprincipalname. This must be the same attribute the SCIM emails mapping uses later, so that the account SSO signs in and the account SCIM provisions are the same Sketch user.
    • Given Name (First Name): map to user.givenname.
    • Surname: map to user.surname.
  3. Save your changes.

Upload the metadata to Sketch

  1. Download the Federation Metadata XML file from Entra ID.
  2. Sign in to Sketch as an admin.
  3. Navigate to Settings > Single Sign-on.
  4. Open the Configure Sketch tab, then drag and drop the XML file.

For more details on configuring SSO, see our Entra ID SSO documentation.

2. SCIM provisioning setup

Enable provisioning in Entra ID and Sketch

In your custom Entra ID application, go to Provisioning, set Provisioning Mode to Automatic, and in the Admin Credentials section enter the following:

  • Authentication method: Bearer authentication
  • Tenant URL: SCIM endpoint URL from Sketch
  • Secret token: SCIM token from Sketch

Treat the SCIM token like a password: anyone who holds it can create, change and delete users in your Workspace through the SCIM endpoint. Paste it into Entra ID only and don't keep copies elsewhere.

To get these values from Sketch:

  1. Sign in to your Sketch Workspace as an admin.
  2. Go to Settings > Single sign-on.
  3. Scroll to the bottom of the page and click Enable SCIM.
  4. Copy the SCIM endpoint URL (Tenant URL) and SCIM token (Secret token).
  5. Paste these values into the provisioning settings in Entra ID.
An image showing the provisioning credentials section in Microsoft Entra ID

Test the connection

After pasting the Tenant URL and token, click Test connection to check everything is set up correctly.

Configure app roles

Before SCIM can provision roles correctly, you need to define them as app roles on the application's registration.

  1. In Entra ID, go to App registrations.
  2. Select your custom app.
  3. Open App roles and create two roles: Editor and Viewer.

For each role, set Allowed member types to Users/Groups so the role can be assigned to the groups you create later, and enter the Value in lowercase (editor and viewer). The value is what provisioning emits, and Sketch expects exactly those two strings; the display name can be anything you like.

An image showing how to configure app roles in Microsoft Entra ID

Disable group provisioning

Sketch doesn't support creating groups through the API, only users, so switch off the group mapping: in your custom app go to Provisioning, expand Mappings, select Provision Microsoft Entra ID Groups, set Enabled to No and save. Users assigned through a group are still provisioned. Entra ID uses group expansion: it reads the members of the group and provisions each user individually instead of trying to create a group in Sketch.

An image showing how to disable group provisioning in Microsoft Entra ID

Adjust SCIM attribute mappings

For provisioning to work correctly, you’ll need to update the default SCIM attribute mappings in Entra ID.

  1. In your custom application, go to Provisioning and open Edit attribute mappings (under Mappings, select Provision Microsoft Entra ID Users).
  2. Update emails[type eq "work"].value by changing the source attribute from the default mail to userPrincipalName. This keeps the address SCIM provisions identical to the email claim you configured for SSO; if the two differ, SSO may not find the user that SCIM created.
An image showing the SCIM attribute mappings in Microsoft Entra ID

Create an access level attribute

  1. Go to Enterprise apps and select your custom app.
  2. Click Provisioning.
  3. Click Provisioning again to open the provisioning settings.
  4. Expand the Mappings section and select Provision Microsoft Entra ID Users.
  5. Scroll to the bottom and click Show advanced options, then select Edit attribute list for customappsso.
  6. Scroll to the bottom of the attribute list and add a new attribute with the following value:

    urn:ietf:params:scim:schemas:extension:sketch:1.0:User:accessLevel
    
  7. Keep String selected and check the Required checkbox.
An image showing how to create the access level attribute in Microsoft Entra ID

Create a mapping for the access level attribute

Map the Entra ID app role (editor or viewer) to the Sketch access level with an expression mapping. A user with no role assignment falls back to viewer, so nobody consumes an Editor seat unless they were explicitly assigned the Editor role.

  1. Go to Enterprise apps and select your custom app.
  2. Click Provisioning.
  3. Click Provisioning again, then expand the Mappings section.
  4. Select Provision Microsoft Entra ID Users.
  5. Scroll to the bottom and click Add new mapping.

    Use the following settings:

    • Mapping type: Expression
    • Expression:
      IIF(SingleAppRoleAssignment([appRoleAssignments])="", "viewer", ToLower(SingleAppRoleAssignment([appRoleAssignments])))
      
    • Target attribute: Select the access level attribute you created in the previous section.
  6. Click OK to save.
An image showing how to create the access level mapping in Microsoft Entra ID

3. Assign groups or users

Create the groups

You’ll need two security groups — one for Editors and one for Viewers. You can create new groups or reuse existing ones.

  1. In Entra ID, click Groups in the sidebar.
  2. For each group, set the following:
    • Group type: Security
    • Group name: Use a clear, descriptive name, such as sketch-users-editor and sketch-users-viewer.
    • Membership type: Choose what fits your setup:
      • Assigned — assign users manually
      • Dynamic user — define a rule to match users
      • Dynamic device — define a rule to match devices
  3. If you’re using assigned membership, add users to the group.
An image showing how to create security groups in Microsoft Entra ID

Assign the groups to the custom app

This is where group membership is mapped to Sketch access levels.

  1. Go to Enterprise apps and select your custom SCIM/SSO app.
  2. Select Users and groups in the sidebar.
  3. Click Add user/group.
  4. Select a group and assign a role. Do this one group at a time:
    • Assign the Viewers group to the Viewer role.
    • Assign the Editors group to the Editor role.

Double-check the assignments before saving, and keep the two groups disjoint: a user who is in both gets two app role assignments, which SingleAppRoleAssignment in the access level mapping doesn't support.

An image showing how to assign groups to the custom app in Microsoft Entra ID
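The chain from the app roles, the emails mapping and the access level expression above to the SCIM user Sketch receives is easier to check locally than by reading provisioning logs. The following Python script is an added illustration, not Sketch's or Microsoft's code: it reproduces the mapping semantics described in this guide (the role's value field is emitted, the expression lowercases it and falls back to viewer, and emails[type eq "work"].value follows userPrincipalName), builds the SCIM User resource Entra ID would send, and validates it against what Sketch requires. The EntraUser record, the simplified SCIM envelope and the sample users are constructed assumptions; a real provisioning request also carries externalId and the other default mappings.

```python
from __future__ import annotations

import json
from dataclasses import dataclass, field

CORE_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# The extension schema from the "Create an access level attribute" step; the
# attribute Entra ID stores is this URN followed by ":accessLevel".
ACCESS_LEVEL_SCHEMA = "urn:ietf:params:scim:schemas:extension:sketch:1.0:User"
ALLOWED_ACCESS_LEVELS = {"editor", "viewer"}


@dataclass
class EntraUser:
    """Simplified Entra ID user record (assumed shape, not a Graph object)."""
    user_principal_name: str
    given_name: str
    surname: str
    # Value field of each app role the user holds, directly or via a group.
    app_role_assignments: list[str] = field(default_factory=list)


def single_app_role_assignment(assignments: list[str]) -> str:
    """Local stand-in for SingleAppRoleAssignment([appRoleAssignments]).

    Entra ID documents the function as unsupported when a user holds more than
    one app role assignment, so a user in both groups is rejected here rather
    than silently getting one of the two roles.
    """
    if not assignments:
        return ""
    if len(assignments) > 1:
        raise ValueError(f"user holds more than one app role: {assignments}")
    return assignments[0]


def access_level_expression(assignments: list[str]) -> str:
    """IIF(SingleAppRoleAssignment([appRoleAssignments])="", "viewer",
           ToLower(SingleAppRoleAssignment([appRoleAssignments])))"""
    role = single_app_role_assignment(assignments)
    return "viewer" if role == "" else role.lower()


def build_scim_user(user: EntraUser) -> dict:
    """SCIM User resource Entra ID would send for this user (simplified envelope)."""
    return {
        "schemas": [CORE_USER_SCHEMA, ACCESS_LEVEL_SCHEMA],
        "userName": user.user_principal_name,
        "name": {"givenName": user.given_name, "familyName": user.surname},
        # emails[type eq "work"].value <- userPrincipalName (not the default mail)
        "emails": [{"type": "work", "primary": True, "value": user.user_principal_name}],
        "active": True,
        ACCESS_LEVEL_SCHEMA: {"accessLevel": access_level_expression(user.app_role_assignments)},
    }


def validate_scim_user(resource: dict) -> list[str]:
    """Check the resource against what this guide says Sketch requires."""
    problems = []
    level = resource.get(ACCESS_LEVEL_SCHEMA, {}).get("accessLevel")
    if level is None:
        problems.append("accessLevel is missing but the attribute is marked Required")
    elif level not in ALLOWED_ACCESS_LEVELS:
        problems.append(f"accessLevel {level!r} is not 'editor' or 'viewer'")
    work_emails = [e.get("value") for e in resource.get("emails", []) if e.get("type") == "work"]
    if work_emails != [resource.get("userName")]:
        problems.append("work email does not equal userName (userPrincipalName)")
    return problems


if __name__ == "__main__":
    # Constructed sample users, not real accounts.
    samples = [
        EntraUser("ada@example.com", "Ada", "Lovelace", ["editor"]),
        EntraUser("bob@example.com", "Bob", "Bell", []),          # no role -> viewer
        EntraUser("cy@example.com", "Cy", "Cole", ["Editor"]),    # mixed case -> lowercased
        EntraUser("dee@example.com", "Dee", "Dunn", ["admin"]),   # a role Sketch doesn't know
    ]
    for sample in samples:
        resource = build_scim_user(sample)
        print(json.dumps(resource, indent=2))
        print("problems:", validate_scim_user(resource) or "none")
```

The validator is the check worth keeping: run it over the payloads you expect for a handful of representative users before you turn on provisioning, and treat a non-empty problem list for any user as a mapping mistake, not a Sketch-side issue.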

4. Testing and confirmation

Run a Provision on demand test for an assigned user.

Note: You can’t run a provision-on-demand test for a group. Entra ID will prompt you to select up to five users from the assigned groups instead. The outcome should be the same: the user is added to your Workspace with the correct role.

Once the test succeeds, turn on provisioning for the custom app. From then on, changes you make to users or groups in Entra ID sync to your Sketch Workspace on Entra ID's incremental provisioning cycle, which runs roughly every 40 minutes, so a change is not reflected instantly.

Considerations

  • If you reach your Editor seat limit, provisioning still shows as successful in Entra ID, but Sketch adds the user as a Viewer to avoid unwanted extra charges. Because Entra ID doesn't report the downgrade, verify the user's access level in the Workspace rather than relying on the Entra ID provisioning log alone.
  • If you disable a user in Entra ID, they’ll be deleted from the Workspace. Any documents in their My Drafts folder will move to a restricted folder that Workspace Admins can access.
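Because the seat-limit downgrade above is invisible in Entra ID, the practical check is a reconciliation between what Entra ID assigned and what the Workspace actually has. The following Python script is an added example, not Sketch's or Microsoft's code. It assumes two inputs you would gather yourself (the app role value per user from the app's Users and groups page, and the access level per member from the Workspace), compares them case-insensitively, and reports users who were downgraded, users who hold more access than Entra ID assigned, users not yet provisioned, and users present in the Workspace without an Entra ID assignment. The sample data is constructed.

```python
from __future__ import annotations

from typing import Optional


def normalize(email: str) -> str:
    """UPNs and Workspace emails can differ in case; compare them case-insensitively."""
    return email.strip().lower()


def reconcile(intended: dict[str, Optional[str]], actual: dict[str, str]) -> dict[str, list[str]]:
    """Compare Entra ID's intended access with the Workspace's actual access.

    intended: UPN -> app role value ("editor"/"viewer"), or None when the user is
              assigned to the app without a role (the mapping then yields viewer)
    actual:   Workspace member email -> access level Sketch currently grants

    Returns four sorted lists:
      downgraded: Entra says editor, Workspace has viewer (e.g. seat limit hit)
      escalated:  Workspace grants more than Entra assigned (worth investigating)
      missing:    assigned in Entra but not (yet) in the Workspace
      orphaned:   in the Workspace but not assigned in Entra at all
    """
    want = {normalize(upn): ("viewer" if role is None else role.lower())
            for upn, role in intended.items()}
    have = {normalize(email): level.lower() for email, level in actual.items()}
    report: dict[str, list[str]] = {"downgraded": [], "escalated": [], "missing": [], "orphaned": []}
    for user, wanted in want.items():
        if user not in have:
            report["missing"].append(user)
        elif wanted == "editor" and have[user] == "viewer":
            report["downgraded"].append(user)
        elif wanted == "viewer" and have[user] == "editor":
            report["escalated"].append(user)
    report["orphaned"] = [user for user in have if user not in want]
    return {key: sorted(value) for key, value in report.items()}


# Constructed sample data: what the Entra ID app assignments say ...
INTENDED = {
    "ada@example.com": "editor",
    "bob@example.com": "viewer",
    "cy@example.com": "editor",   # assigned Editor, but the seat limit was reached
    "dee@example.com": None,      # assigned to the app with no role
    "fay@example.com": "viewer",
}
# ... and what the Workspace member list says.
ACTUAL = {
    "ada@example.com": "editor",
    "Bob@example.com": "viewer",  # case differs from the UPN; still the same user
    "cy@example.com": "viewer",   # silently downgraded
    "eve@example.com": "editor",  # nobody assigned this user in Entra ID
    "fay@example.com": "editor",  # more access than Entra ID granted
}

if __name__ == "__main__":
    for category, users in reconcile(INTENDED, ACTUAL).items():
        print(f"{category:10s} {', '.join(users) or '-'}")
```

A downgraded entry usually means you need more Editor seats; escalated and orphaned entries are the findings to act on, since they show access that Entra ID never granted and that deprovisioning will not remove.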

Existing Entra ID SSO configuration

If you already have SSO configured with Entra ID, you’ll need to delete the Gallery app and create a new custom app to enable SCIM. The Gallery app doesn’t support SCIM provisioning.

Deleting the Gallery app won’t affect existing users or their documents; their Workspace accounts stay as they are. SSO won’t work again until you upload the new custom app’s metadata to Sketch in step 1, so do this during a quiet period.

Ask users to sign out of their accounts and quit the Mac app before you delete the app that handles user sign-in.

  1. Sign in to your Entra ID account.
  2. Go to Enterprise apps and select Sketch from the app list.
  3. Open Properties, then select Delete.
An image showing how to delete the Sketch gallery app in Microsoft Entra ID

Once you’ve deleted the Gallery app, go back to step 1 to create the custom app and set up SCIM.