• /
  • Log in
  • Free account

Azure AD SCIM/SSO application configuration

Our automated user management (AUM) allows allows you to import and configure your New Relic users from your identity provider via SCIM. This guide provides Azure AD-specific details on how to configure the New Relic Azure AD SCIM/SSO application.


Before using this guide, read the requirements and procedure overview.

Note that these instructions require going back and forth between your identity provider and New Relic.

Step 1. Create authentication domain and enable SCIM

To get to the New Relic authentication domain UI: From one.newrelic.com, click the account dropdown, click Organization and access, and then click Authentication domains.

If you don't already have one, create a new authentication domain for your SCIM-provisioned users by clicking + Add new.

For that authentication domain, under Source of users, select SCIM. Copy and save the API token for later use. Note that this will be shown only once.

Step 2. Set up Azure's New Relic app

Next, you'll set up Azure's New Relic SAML/SCIM app. Azure AD provides an application gallery, which includes various integrations for Azure AD, including the ones that New Relic offers. To set this up:

  1. Go to the Azure Active Directory admin center, and sign in if necessary. aad.portal.azure.com/
  2. Click on All services in the left hand menu.
  3. In the main pane, click on Enterprise applications.
  4. Click on +New Application.
  5. Find our SCIM/SSO application by entering New Relic in the name search box, and click on the application New Relic by organization (not New Relic by account).
  6. Click on Add.

Step 3. Configure connection

Configure the New Relic SCIM/SSO application to automatically provision your users to New Relic.

  1. From the New Relic SCIM/SSO application page, click on the Provisioning link in the sidebar.
  2. In the main pane, click on Get started.
  3. In the Provisioning Mode pick-list, choose Automatic.
  4. In New Relic's authentication domain UI, set up a new domain with SCIM enabled.
  5. In Azure AD's New Relic SCIM/SSO app, in the Admin credentials section, fill out the Tenant URL and Secret token fields with the values provided in New Relic's authentication domain UI.
  6. To verify you can connect to New Relic, click Test Connection.
  7. When you see a message indicating verification success, click Save.

The New Relic SCIM/SSO application can now connect with New Relic. Continue with the following section to configure the provisioning rules.

Step 4. Configure provisioning rules

Initially, nothing is configured to be sent to New Relic. You must configure Azure AD to send changes for user creation, updates, and deactivation.

Go to the Provisioning page and complete the following:

  1. Expand the Mappings section.

  2. Click Provision Azure Active Directory Users.

  3. Verify the Target Object Actions Create Update and Delete checkboxes are all checked.

  4. Verify the Attribute Mappings look correct for your environment. Each of the New Relic attributes shown in the list must receive a value.


    Ensure that the Azure Active Directory attributes shown in the list on the left are good sources for the information to send to New Relic. In particular, not all environments set the mail attribute. If your environment does not set the mail attribute, userPrincipalName could be a good alternative.

  5. Leave the switch for Enabled set to Off until you're done with the user and group configuration in the next section. Once all configuration is ready, return to this page and set the switch to On.

  6. Click Save.

Here's an example of a filled-in attribute mapping page with the default values. Your values may be configured differently depending on your situation.

Screen capture showing how to set attributes.

After saving the provisioning rules, the New Relic SCIM/SSO application is ready to provision any changes made to users assigned to the application. Continue with the following section to assign users and groups to the New Relic SCIM/SSO application.

Step 5. Downgrade some users to basic

When your users are provisioned in New Relic, you're able to see them in the User management UI.

Users provisioned via your identity provider start out as full users. If your organization is on New Relic One pricing, these users are billable.

To convert users to free basic users, you can use one of two options:

Step 6. Assign access grants

Once these steps are completed, you should be able to see your users in New Relic by going to the User management UI. Now that your users are present in New Relic, you must grant them access to specific roles on specific accounts. If this is not done, your users don't yet have access to New Relic. To learn how to do this, see:

Step 7. Configure SAML SSO

To enable SAML SSO for your users, see the SAML instructions.

For more help

If you need more help, check out these support and learning resources:

Create issueEdit page
Copyright © 2021 New Relic Inc.