diff --git a/docs/sso-rbac/sso-providers/_scim_functionality_list.mdx b/docs/sso-rbac/sso-providers/_scim_functionality_list.mdx index d86973a8c9..3173b90111 100644 --- a/docs/sso-rbac/sso-providers/_scim_functionality_list.mdx +++ b/docs/sso-rbac/sso-providers/_scim_functionality_list.mdx @@ -1,9 +1,16 @@ -### Functionality enabled by SCIM +

Functionality enabled by SCIM

By enabling SCIM the following functionality will be enabled: - Automatic deprovisioning of users (for example, when a user is unassigned from the SSO application, that user will automatically lose access to Port). -### Limitations +

Limitations

-- SCIM is currently only supported for customers with a single workspace. \ No newline at end of file +- **Does not support user provisioning** - Only deprovisioning is supported; users must be created manually or through SSO login. +- **Does not sync user attribute updates** - Changes to user profiles in your identity provider will not automatically update in Port. +- **Does not support group provisioning** - Group membership changes in your identity provider are not synchronized via SCIM. +- **Does not provide real-time sync** - SCIM operations may have delays and are not instantaneous. +- **Does not support custom user attributes** - Only standard user fields are processed during deprovisioning. +- **Only supported for customers with a single workspace** - SCIM is not available for multi-workspace setups. + +For full user and group synchronization, rely on the SSO login process rather than SCIM. diff --git a/docs/sso-rbac/sso-providers/oidc/azure-ad.md b/docs/sso-rbac/sso-providers/oidc/azure-ad.md index 0518b8601a..c42ef8e28a 100644 --- a/docs/sso-rbac/sso-providers/oidc/azure-ad.md +++ b/docs/sso-rbac/sso-providers/oidc/azure-ad.md @@ -1,7 +1,7 @@ --- title: "Microsoft Entra ID (AzureAD)" sidebar_position: 1 -description: Integrate AzureAD with Port +description: Integrate AzureAD with Port using OIDC --- import ScimFunctionality from "/docs/sso-rbac/sso-providers/\_scim_functionality_list.mdx" 
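Review bot: the new bullet "Does not provide real-time sync - SCIM operations may have delays and are not instantaneous" gives no bound, and since the only capability this file lists is automatic deprovisioning (the unassigned user "will automatically lose access to Port"), admins will read this page to decide how long a removed user can keep access; state the expected propagation window, or drop the bullet if the number is not known. The closing line "For full user and group synchronization, rely on the SSO login process rather than SCIM" also overstates what login gives you: the azure-ad.md hunk in this same patch says teams are "synced with Port upon user sign-in", so a user who never signs in again is never updated and is never removed by that path; say "synchronization at sign-in" and keep deprovisioning as the SCIM-only mechanism. Minor: "Does not sync user attribute updates" and "Does not support custom user attributes - Only standard user fields are processed during deprovisioning" overlap and could be merged into one bullet.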
@@ -10,279 +10,265 @@ import SSOEndpoints from "/docs/generalTemplates/_sso_auth0_endpoints.md" # How to configure AzureAD -Follow this step-by-step guide to configure the integration between Port and Azure Active Directory. +This guide demonstrates how to configure Single Sign-On (SSO) integration between Port and Microsoft Entra ID (AzureAD) using OIDC. -:::info -In order to complete the process you will need to contact us to receive the information you require, as well as the [information Port requires from you](https://docs.port.io/sso-rbac/sso-providers/oidc/azure-ad#step-6-providing-the-application-information-to-port). Read below for more information. +Once implemented: +- Users can connect to Port via an AzureAD app. +- AzureAD teams will be automatically synced with Port upon user sign-in. +- You can set granular permissions in Port according to your AzureAD groups. -::: - -## Port-AzureAd integration benefits - -- Connect to the Port application via an AzureAD app. -- Your AzureAD teams will be automatically synced with Port upon a user sign-in. -- Set granular permissions on Port according to your AzureAD groups. - -## How to configure a Port application in Azure AD +## Prerequisites -:::info +Before starting the configuration, ensure you have: -**Prerequisites** - -To make the **Port** app connection work, users who have access need to have a legal value in their `Email` field in Azure AD. +- Access to the Microsoft Azure Portal with permissions to create and configure applications. +- Users who need access to Port must have a valid value in their `Email` field in Azure AD. +- Contact information ready to share with Port support team for the final configuration steps. +:::info Contact us +To complete the process you will need to contact us to receive the information you require, as well as provide Port with specific application details outlined in this guide. ::: -### Step #1: Register a new application +## Register a new application + +

Create the application registration

1. In the Microsoft Azure Portal, go to `Azure Active Directory`. 2. Click on `App registrations`. - ![AzureAD new application wizard](/img/sso/azure-ad/AzureADNavBar.png) + -3. Click on `New registration` at the top of the page +3. Click on `New registration` at the top of the page. - ![AzureAD new application wizard](/img/sso/azure-ad/AzureNewRegistration.png) + 4. Define the Port application settings: - 4.1 `Name`: Insert a friendly name for the Port app, like `Port`. + 4.1 **Name**: Insert a friendly name for the Port app, like `Port`. - 4.2 `Supported account types`: Please select the option that is appropriate for your organization. + 4.2 **Supported account types**: Please select the option that is appropriate for your organization. - :::note For most use cases this would be **Accounts in this organizational directory only (Default Directory only - Single tenant)**. - ::: - - 4.3 `Redirect URI`: - - Set `Platform` to `Web`. - - Set `URL` to `https://auth.getport.io/login/callback`. + 4.3 **Redirect URI**: + - Set `Platform` to `Web` + - Set `URL` to `https://auth.getport.io/login/callback` - ![AzureAD new application wizard](/img/sso/azure-ad/ApplicationRegistrationForm.png) + + 4.4 Click `Register`. - 4.5 On the new Port App page, click `Authentication`. +

Configure authentication settings

- ![Azure navigation bar authentication](/img/sso/azure-ad/AzureAppNavAuthentication.png) +1. On the new Port App page, click `Authentication`. - 4.6 `Front-channel logout URL`: paste the following URL: + + +2. Add the **Front-channel logout URL**: paste the following URL: ```text showLineNumbers https://auth.getport.io/logout ``` - :::tip single sign-out - Adding the front-channel logout URL will enable single sign-out, meaning when a user logs our from Port, it also logs him out from his identity provider. - ::: + Adding the front-channel logout URL will enable single sign-out, meaning when a user logs out from Port, it also logs them out from their identity provider. - ![Azure app authentication form](/img/sso/azure-ad/AzureAppAuthenticationForm.png) + - 4.7 Click `Save`. +3. Click `Save`. -### Step #2: Customize your Port app with Login URL and Logo +## Configure application branding -1. On the new Port App page, click `Branding & Properties`. +1. On the new Port App page, click `Branding & Properties`. - ![Azure navigation bar Branding and Properties](/img/sso/azure-ad/AzureAppNavBranding.png) + - 1.1 `Home page URL`: paste the following URL: +2. Configure the following settings: - + 2.1 **Home page URL**: paste the following URL: - :::note - We will provide your `{CONNECTION_NAME}` (Contact us using chat/Slack/mail to [support@getport.io](mailto:support@getport.io)). - ::: + - 1.2 Add the Port logo (optional): + We will provide your `{CONNECTION_NAME}` (Contact us using chat/Slack/mail to [support@getport.io](mailto:support@getport.io)). - ![Port's logo](/img/sso/general-assets/PortLogo.png) + 2.2 **Publisher domain**: Select the domain matching your user emails (for example `getport.io`). - 1.3 `Publisher domain`: Select the domain matching **your** user emails (for example `getport.io`). + - ![Azure app branding form](/img/sso/azure-ad/AzureAppBrandingForm.png) +3. Click `Save`. - 1.4 Click `Save`. 
+## Set up application permissions -### Step #3: Configuring the application permissions +

Add required permissions

1. On the Port App page, click `API Permissions`. - ![Azure navigation bar API permissions](/img/sso/azure-ad/AzureAppNavAPI.png) + -2. Click `Add a permission`: +2. Click `Add a permission`. - ![Azure navigation bar API permissions](/img/sso/azure-ad/AzureAppAPIPermissions.png) + 3. On the `Microsoft APIs` tab: - 3.1 Click on `Microsoft Graph` + 3.1 Click on `Microsoft Graph`. - ![Azure API permissions Microsoft APIs](/img/sso/azure-ad/AzureAppMicrosoftGraph.png) + - 3.2 Click on `Delegate Permissions` + 3.2 Click on `Delegate Permissions`. - ![Azure Microsoft APIs delegate permissions](/img/sso/azure-ad/AzureAppAPIdelegatePermissions.png) + 3.3 Search and mark the following permissions: + - `email`, `openid`, `profile`, `User.read` - - `email`, `openid`, `profile`, `User.read`. +
- - :::info AzureAD groups - If you wish to pull in AzureAD groups into Port, you will also need to add the `Directory.Read.All` permission. See [Permissions required to pull AzureAD groups to Port](#permissions-required-to-pull-azuread-groups-to-port). + :::info AzureAD groups integration + If you wish to pull in AzureAD groups into Port, you will also need to add the `Directory.Read.All` permission. + See [Permissions required to pull AzureAD groups to Port](#enable-azuread-groups-integration) for more details. ::: - ![Azure API set permissions](/img/sso/azure-ad/AzureAppAPIPermissionsSettings.png) +
+ + 3.4 Click `Add permissions`. - :::note + :::info Grant admin consent (OPTIONAL) `Grant admin consent`: when users from your organization will first log in, they will be prompted to confirm the permissions specified here. You can click the `Grant admin consent for Default Directory` to automatically approve their permissions. ::: -### Step #4: Configuring the application claims -1. On the Port App page, click `Token configuration`: - ![Azure application token configuration](/img/sso/azure-ad/AzureAppTokenConfigurationTab.png) +## Configure application claims -2. Click `Add optional claim`: +

Add optional claims

- ![Azure app token adding a claim button](/img/sso/azure-ad/AzureAppAddToken.png) +1. On the Port App page, click `Token configuration`. -3. Select `ID` as the token type and then select the `email` claim, then click `Add`: + - ![Azure app token adding a claim](/img/sso/azure-ad/AzureAppAddingClaims.png) +2. Click `Add optional claim`. - :::note - Repeat the same process for `Access` and `SAML` (3 times total). - ::: + -4. Your optional claims will look like this: +3. Select `ID` as the token type and then select the `email` claim, then click `Add`. - ![Azure app permissions summary](/img/sso/azure-ad/AzureAppPermissionsFinal.png) + -### Step #5: Configuring application secret + Repeat the same process for `Access` and `SAML` (3 times total). -1. On the Port App page, click `Certificates & Secrets`: +4. Your optional claims will look like this: - ![Azure application certification and secrets button](/img/sso/azure-ad/AzureAppCertificationsSecretsNav.png) + -2. On the `Client secrets` tab, click the `New client secret` button: +## Generate application secret - ![Azure application client secrets button](/img/sso/azure-ad/AzureAppClientSecrets.png) +

Create client secret

- 2.1 `Description`: Enter a secret description, for example `Port Login Client Secret`. +1. On the Port App page, click `Certificates & Secrets`. - 2.2 `Expires`: Select when will the secret expires. + - :::danger - Be sure to mark on your calendar the expiration date of the secret. The secret needs to be replaced before its expiration, otherwise login to Port will be disabled. - ::: +2. On the `Client secrets` tab, click the `New client secret` button. - 2.3 Click `Add`. + - A secret will be created and its Value will appear as shown in the image below. Immediately document the secret’s value because we will need it for our next step. +3. Configure the secret: - :::danger COPY YOUR SECRET NOW - Be advised that your secret will never appear again after you leave this page. - ::: + 3.1 **Description**: Enter a secret description, for example `Port Login Client Secret`. - ![Azure application display secrets](/img/sso/azure-ad/AzureAppSecret.png) + 3.2 **Expires**: Select when the secret expires. -### Step #6: Providing the application information to Port + Be sure to mark on your calendar the expiration date of the secret. The secret needs to be replaced before its expiration, otherwise login to Port will be disabled. -Port needs the following information for this process: + 3.3 Click `Add`. -- The `Client Secret` value that you created on [Step 5: Configuring application secret](#step-5-configuring-application-secret). -- The `Application (Client) ID`, which appears on the Port application overview page: +4. **Copy the secret immediately**: A secret will be created and its Value will appear as shown in the image below. Document the secret's value immediately because it will never appear again after you leave this page. 
-![Azure application display secrets](/img/sso/azure-ad/AzureAppDetailsSection.png) + -:::note -**Port** will provide you the `CONNECTION_NAME` needed for the homepage URL of the App, as described on [Step 2](#step-2-customize-your-port-app-with-login-url-and-logo). -::: +## Provide application information to Port -### Step #7: Exposing the application to your organization +Port needs the following information to complete the integration: -1. Assigning the App to organization users and groups +- The `Client Secret` value that you created in the previous step. +- The `Application (Client) ID`, which appears on the Port application overview page: - After the app setup is complete, you can proceed to assign it to your organization’s users and groups, by distributing it in your organization: + - 1.1 Go to `Azure Active Directory`. +Port will provide you the `CONNECTION_NAME` needed for the homepage URL of the App. - 1.2 Go to `Enterprise Applications`: +## Distribute the application to users - ![Azure AD enterprise applications](/img/sso/azure-ad/AzureAppEnterpriseNav.png) +

Assign users and groups

-2. Click on the Port app: +After the app setup is complete, you can assign it to your organization's users and groups: - ![Azure all application port app](/img/sso/azure-ad/AzurePortApp.png) +1. Go to `Azure Active Directory`. -3. Click on `Users and Groups`: +2. Go to `Enterprise Applications`. - ![Azure AD users and groups](/img/sso/azure-ad/AzureAppUserGroupsNav.png) + -4. Click `Add user/group`: +3. Click on the Port app. - ![Azure AD users and groups](/img/sso/azure-ad/AzureAddUserGroupButton.png) + - 4.1 Select users and groups you want to grant access to Port. +4. Click on `Users and Groups`. - 4.2 Click `Assign`. + -5. Make the Port application visible on the `myapplications` page: +5. Click `Add user/group`. - 5.1 Go to `Azure Active Directory`. + - 5.2 Go to `Enterprise Applications`. +6. Select users and groups you want to grant access to Port, then click `Assign`. - 5.3 Click on the Port app. +

Make the application visible

- 5.4 Click on `Properties`: +1. Go to `Azure Active Directory` > `Enterprise Applications` > Port app. - ![Azure application properties](/img/sso/azure-ad/AzureAppProperties.png) +2. Click on `Properties`. - 5.5 Set the application properties: + +3. Set the application properties: - Mark `Enabled for users to sign-in?` as `Yes`. - - Mark `Visible to users?` as `Yes`. - :::note - By default the `Assignment required?` flag is set to `No`, meaning any user with the Homepage URL to the Port app can access it, even if the app isn’t directly assigned to them. - Changing the flag to `Yes` means only users and groups the app is directly assigned to can use and access it. - +
+ :::info Assignment required? + By default the `Assignment required?` flag is set to `No`, meaning any user with the Homepage URL to the Port app can access it, even if the app isn't directly assigned to them. Changing the flag to `Yes` means only users and groups the app is directly assigned to can use and access it. ::: - ![Azure application properties form](/img/sso/azure-ad/AzureAppPropertiesValues.png) +
- You should see the Port app on the [https://myapplications.microsoft.com](https://myapplications.microsoft.com) dashboard: + - ![Azure application dashboard](/img/sso/azure-ad/AzureDashboardWithPort.png) +4. You should see the Port app on the [https://myapplications.microsoft.com](https://myapplications.microsoft.com) dashboard: - :::note manual URL based login - Users can also manually access Port by going to the App Homepage URL (The URL configured in [step 1.1](#step-2-customize-your-port-app-with-login-url-and-logo) here). - ::: + + +Users can also manually access Port by going to the App Homepage URL. + +## Multiple Azure AD SSO connections -:::warning Multiple Azure AD SSO connections -In case you have multiple Port environments, it is possible to setup an OIDC Azure AD SSO connection for each of those environments. +If you have multiple Port environments, it is possible to setup an OIDC Azure AD SSO connection for each environment. -However, note that in this instance you **will not** be able to use Port's main login page to reliably sign in to a specific environment, when you enter your email address to login, it will take you to one of your Port environments but it is not guaranteed to take you to the same Port environment every time. +However, note that in this instance you **will not** be able to use Port's main login page to reliably sign in to a specific environment. When you enter your email address to login, it will take you to one of your Port environments but it is not guaranteed to take you to the same Port environment every time. In that case you have the following options: - Use the [https://myapplications.microsoft.com](https://myapplications.microsoft.com) dashboard provided by Azure AD and select the desired Port environment to connect to. 
-- Use the manual login URL for each environment directly, by specifying the desired environment based on its respective `CONNECTION_NAME` value - ::: +- Use the manual login URL for each environment directly, by specifying the desired environment based on its respective `CONNECTION_NAME` value. -## Permissions required to pull AzureAD groups to Port +## Enable AzureAD groups integration -Port can query the group membership of users who log in through the AzureAD SSO, and add their teams as team entities inside Port. This allows the platform engineers to take advantage of both existing groups from AzureAD and teams created manually inside Port to manage permissions and access to resources inside Port's catalog. +Port can query the group membership of users who log in through the AzureAD SSO, and add their teams as team entities inside Port. This allows platform engineers to take advantage of both existing groups from AzureAD and teams created manually inside Port to manage permissions and access to resources inside Port's catalog. -**Important:** In order to import Azure AD groups into Port, Port will require the connection app to approve the `Directory.Read.All` permission +In order to import Azure AD groups into Port, Port will require the connection app to approve the `Directory.Read.All` permission. ## SCIM Configuration (beta) @@ -292,14 +278,14 @@ Entra ID (AzureAD) OIDC applications support [SCIM](https://auth0.com/docs/authe -### Setup SCIM +

Set up SCIM

To set up SCIM for Entra ID OIDC based applications, contact Port's support team. You will be provided with: -- An SCIM `endpoint` -- An SCIM `token` +- An SCIM `endpoint`. +- An SCIM `token`. The `endpoint` and `token` will be used to set up the SCIM integration in your identity provider.
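Review bot: in the `Add required permissions` section the consent box is relabelled ":::info Grant admin consent (OPTIONAL)", but the box immediately above it tells readers to add `Directory.Read.All` for the groups integration; as a delegated Microsoft Graph permission `Directory.Read.All` can only be consented by an administrator, so for anyone following the groups path the admin-consent step is required, not optional, and users would otherwise fail at the consent prompt on first login. Suggest keeping "OPTIONAL" only for the `email`, `openid`, `profile`, `User.Read` set and adding a sentence such as "If you added `Directory.Read.All`, an administrator must grant consent here." While there, `User.read` should be `User.Read` (the Graph permission name). Two `:::danger` admonitions in the old `Certificates & Secrets` step were downgraded to plain sentences ("Be sure to mark on your calendar the expiration date of the secret..." and "Document the secret's value immediately because it will never appear again..."); both describe an outage or a lost credential, so keep them as `:::warning` or `:::danger` rather than body text. Finally, the `Assignment required?` box is now neutral `:::info`, yet with the flag at `No` "any user with the Homepage URL to the Port app can access it", and the SCIM file in this patch says users are created "through SSO login", so a user removed via unassignment can simply sign in again and be recreated; recommend setting the flag to `Yes` for tenants that use assignment or SCIM deprovisioning as their access control.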
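Review bot: "An SCIM `endpoint`." and "An SCIM `token`." should read "A SCIM ..." (SCIM is pronounced as a word, so the article is "a"). The hunk also says the `token` "will be used to set up the SCIM integration in your identity provider" but not what it is or how it is replaced; since it is the bearer credential Entra ID presents to Port's SCIM endpoint, add a line that it must be stored in the identity provider's secret field, never committed to docs or tickets, and rotated by contacting support, so the page matches the care the client-secret steps already take.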