Skip to main content

Netskope Help

Define Custom Roles for Azure Active Directory Enterprise Application

When using SSO, Netskope can take an admin-role attribute as part of the SAML assertion. If no attribute is passed, the username will be checked against the local Netskope user database and that role will be assigned. If there is no local user, then the login will fail, and the user will receive a SAML error.

To pass a role from Azure Active Directory to Netskope follow the instructions below. These steps can also be performed using the Microsoft Graph API as outlined here: How to: Configure the role claim issued in the SAML token for enterprise applications

If you prefer using the Azure Portal, follow these steps:

  1. Login to the Azure Portal.

  2. Select Azure Active Directory and then App Registrations:

  3. Select the application you created, then go to Manifest:

  4. Under the appRoles section, you need to add another user object with the value for the role name.

  5. Add definitions for as many roles as you need. The string provided in the value field is passed to Netskope as the role. You will need to generate a unique GUID for each role in the ID field. You can generate a GUID using tools like this one:

    An example role definition is below:



    Azure AD does not support spaces in the value field. You will need to clone admin roles in Netskope or create new ones to have role names without spaces.

  6. After defining all the roles you need, click Save. If the Save button is grayed-out, then the manifest has an error or is not formatted correctly.

  7. You can now assign this role to a user and their Netskope role will be passed to Netskope during the SSO process.