Manage seats via SCIM using Microsoft Entra ID
In this guide, you'll learn how to manage seats in Figma using Microsoft Entra ID (formerly Azure Active Directory or Azure AD). To get started, follow the steps below:
- Configure App roles for Figma Entra Gallery app
- Add custom attributes
- Map custom attributes to App roles
- Set up security groups for member role setting
- Test user provisioning
Caution: Make sure you have installed the Figma Application from the Microsoft Entra Gallery. Creating your own custom application won't work for this process.
Configure App roles for Figma Entra Gallery app
- Open the Figma Enterprise App Template in Entra ID under App registrations. You may have to select the ‘All applications’ tab to find Figma.
- Navigate to the App Roles section.
- Create a new App Role with the display name Figma Full | FigJam Viewer Restricted. The provisioning expressions in a later step match on this display name, so enter it exactly as shown, including the spaces around each |.
- Set the Allowed member types to Users/Groups.
- Set the Value to FigmaFullFigJamViewerRestrictedDevModeFull.
- Add a description.
- Click Apply to save the app role.
- Repeat this process for the other five roles listed below, for a total of six new app roles.
Display name, Value and Description for the six app roles:
- Figma Full | FigJam Viewer Restricted
  Value: FigmaFullFigJamViewerRestrictedDevModeFull
  Description: Figma Full and FigJam Viewer Restricted (Dev Mode inherited)
- Figma Full | FigJam Full
  Value: FigmaFullFigJamFullDevModeFull
  Description: Figma Full, FigJam Full and Dev Mode Full
- Figma Viewer Restricted | FigJam Full | Dev Mode Viewer Restricted
  Value: FigmaViewerRestrictedFigJamFullDevModeViewerRestricted
  Description: Figma Viewer Restricted, FigJam Full and Dev Mode Viewer Restricted
- Figma Viewer Restricted | FigJam Viewer Restricted | Dev Mode Full
  Value: FigmaViewerRestrictedFigJamViewerRestrictedDevModeFull
  Description: Figma Viewer Restricted, FigJam Viewer Restricted and Dev Mode Full
- Figma Viewer Restricted | FigJam Full | Dev Mode Full
  Value: FigmaViewerRestrictedFigJamFullDevModeFull
  Description: Figma Viewer Restricted, FigJam Full and Dev Mode Full
- Figma Viewer Restricted | FigJam Viewer Restricted | Dev Mode Viewer Restricted
  Value: FigmaViewerRestrictedFigJamViewerRestrictedDevModeViewerRestricted
  Description: Figma Viewer Restricted, FigJam Viewer Restricted and Dev Mode Viewer Restricted
Add custom attributes
- You must enable the creation of custom attributes for the Figma application in Microsoft Entra ID. To do so, open the Microsoft Entra ID portal with the full schema editor enabled using the following link: https://portal.azure.com/?Microsoft_AAD_Connect_Provisioning_forceSchemaEditorEnabled=true#view/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/~/AppAppsPreview/menuId~/null
- Open the Figma Enterprise App.
- Navigate to the Provisioning section.
- Click Edit attribute mappings.
- Ensure the Tenant URL and Secret Token are working by entering the correct values and clicking Test Connection.
- Expand the Mappings section and select Provision Microsoft Entra ID Users.
- Scroll to the bottom of the page and select Show advanced options.
- Select Edit attribute list for Figma. If this option is not available to you, reopen the Microsoft Entra ID portal using the schema-editor link at the start of this section.
- Add a custom attribute called urn:ietf:params:scim:schemas:extension:figma:enterprise:2.0:User:figmaPermission and set the data type to string.
- Add a custom attribute called urn:ietf:params:scim:schemas:extension:figma:enterprise:2.0:User:figjamPermission and set the data type to string.
- Add a custom attribute called urn:ietf:params:scim:schemas:extension:figma:enterprise:2.0:User:devModePermission and set the data type to string.
- Save the attribute list, then click Save and confirm with Yes.
Map custom attributes to App roles using expression language
Configure the member role for Figma
- Open the Figma Enterprise App.
- Navigate to the Provisioning section.
- Click Edit attribute mappings
- Expand Mappings and select Provision Microsoft Entra ID Users.
- Click Add New Mapping.
- Set the Mapping type to Expression and set the Expression to Switch(SingleAppRoleAssignment([appRoleAssignments]), "", "Figma Full | FigJam Viewer Restricted", "full", "Figma Full | FigJam Full", "full", "Figma Viewer Restricted | FigJam Viewer Restricted | Dev Mode Viewer Restricted", "viewerRestricted", "Figma Viewer Restricted | FigJam Viewer Restricted | Dev Mode Full", "viewerRestricted", "Figma Viewer Restricted | FigJam Full | Dev Mode Full", "viewerRestricted", "Figma Viewer Restricted | FigJam Full | Dev Mode Viewer Restricted", "viewerRestricted")
- Set the Target attribute to urn:ietf:params:scim:schemas:extension:figma:enterprise:2.0:User:figmaPermission and set Apply this mapping to Always.
- Click OK to save.
Configure the member role for FigJam
- Add a new mapping.
- Set the Mapping type to Expression and set the Expression to Switch(SingleAppRoleAssignment([appRoleAssignments]), "", "Figma Full | FigJam Viewer Restricted", "viewerRestricted", "Figma Full | FigJam Full", "full", "Figma Viewer Restricted | FigJam Viewer Restricted | Dev Mode Viewer Restricted", "viewerRestricted", "Figma Viewer Restricted | FigJam Viewer Restricted | Dev Mode Full", "viewerRestricted", "Figma Viewer Restricted | FigJam Full | Dev Mode Full", "full", "Figma Viewer Restricted | FigJam Full | Dev Mode Viewer Restricted", "full")
- Set the Target attribute to: urn:ietf:params:scim:schemas:extension:figma:enterprise:2.0:User:figjamPermission and set Apply this mapping to Always.
- Click OK to save.
Configure the member role for Dev Mode
- Add a new mapping.
- Set the Mapping type to Expression and set the Expression to: Switch(SingleAppRoleAssignment([appRoleAssignments]), "", "Figma Full | FigJam Viewer Restricted", "full", "Figma Full | FigJam Full", "full", "Figma Viewer Restricted | FigJam Viewer Restricted | Dev Mode Viewer Restricted", "viewerRestricted", "Figma Viewer Restricted | FigJam Viewer Restricted | Dev Mode Full", "full", "Figma Viewer Restricted | FigJam Full | Dev Mode Full", "full", "Figma Viewer Restricted | FigJam Full | Dev Mode Viewer Restricted", "viewerRestricted")
- Set the Target attribute to: urn:ietf:params:scim:schemas:extension:figma:enterprise:2.0:User:devModePermission and set Apply this mapping to Always.
- Click OK to save.
- Back on the Attribute Mapping page, click Save to confirm your changes. Note that each expression compares the display name returned by SingleAppRoleAssignment against the six role names exactly and otherwise falls through to the "" default, so a user with no Figma app role, or a role whose display name differs from the table above, is provisioned with empty permission values. SingleAppRoleAssignment also expects a single assignment per user, so each user should end up in only one of the six groups created in the next section.
Set up security groups for member role setting
- Navigate to Groups in Microsoft Entra ID.
- Create a new security group called Figma Full | FigJam Viewer Restricted.
- Click Create to save the security group.
- Open the Figma Enterprise App.
- Navigate to Users and groups.
- Click Add user/group.
- Set the Group name to the group Figma Full | FigJam Viewer Restricted.
- Set the Select a role to the app role Figma Full | FigJam Viewer Restricted.
- Click Assign.
- Create five additional groups with corresponding app roles for a total of six groups.
Name each group exactly as the app role it is assigned to:
- Figma Full | FigJam Viewer Restricted
- Figma Full | FigJam Full
- Figma Viewer Restricted | FigJam Viewer Restricted | Dev Mode Viewer Restricted
- Figma Viewer Restricted | FigJam Viewer Restricted | Dev Mode Full
- Figma Viewer Restricted | FigJam Full | Dev Mode Full
- Figma Viewer Restricted | FigJam Full | Dev Mode Viewer Restricted
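The three expression mappings and the one-group-per-user rule can be checked before you run Provision on demand. The Python below is an added example, not Figma's or Microsoft's code: it transcribes the Switch() tables from the mapping section into a lookup, returns the extension attributes each role produces (including the "" fall-through for a mistyped or missing role), and audits a set of app role assignments for users who reach the Figma app through more than one role, which SingleAppRoleAssignment does not handle. The records are constructed to mirror the shape of Microsoft Graph's appRoles, appRoleAssignedTo and group members listings; every ID and name in them (g-full, alice, the role GUIDs) is made up.

```python
"""Added example (not Figma's or Microsoft's code): reproduce the three
Entra expression mappings from the guide and audit a constructed set of
app role assignments for users holding more than one Figma app role."""
from collections import defaultdict

FIGMA_EXT = "urn:ietf:params:scim:schemas:extension:figma:enterprise:2.0:User"

# Display name -> (figmaPermission, figjamPermission, devModePermission),
# transcribed from the guide's three Switch() expressions.
ROLE_PERMISSIONS = {
    "Figma Full | FigJam Viewer Restricted": ("full", "viewerRestricted", "full"),
    "Figma Full | FigJam Full": ("full", "full", "full"),
    "Figma Viewer Restricted | FigJam Viewer Restricted | Dev Mode Viewer Restricted":
        ("viewerRestricted", "viewerRestricted", "viewerRestricted"),
    "Figma Viewer Restricted | FigJam Viewer Restricted | Dev Mode Full":
        ("viewerRestricted", "viewerRestricted", "full"),
    "Figma Viewer Restricted | FigJam Full | Dev Mode Full":
        ("viewerRestricted", "full", "full"),
    "Figma Viewer Restricted | FigJam Full | Dev Mode Viewer Restricted":
        ("viewerRestricted", "full", "viewerRestricted"),
}


def scim_extension(role_display_name):
    """Attributes the three mappings emit for one app role display name.
    Switch() compares the string exactly, so anything not in the table (no
    role, a renamed role, a stray space) falls through to the "" default."""
    figma, figjam, dev = ROLE_PERMISSIONS.get(role_display_name, ("", "", ""))
    return {
        f"{FIGMA_EXT}:figmaPermission": figma,
        f"{FIGMA_EXT}:figjamPermission": figjam,
        f"{FIGMA_EXT}:devModePermission": dev,
    }


def effective_roles(app_roles, assignments, group_members):
    """Map each user id to the set of Figma app role display names the user
    holds, directly or via a group. app_roles: [{"id", "displayName"}],
    assignments: [{"principalId", "principalType", "appRoleId"}],
    group_members: {group id: [user ids]}. Shapes follow Microsoft Graph's
    appRoles / appRoleAssignedTo / members listings; data here is constructed."""
    role_name = {r["id"]: r["displayName"] for r in app_roles}
    roles = defaultdict(set)
    for a in assignments:
        name = role_name.get(a["appRoleId"], f"<unknown role {a['appRoleId']}>")
        if a["principalType"] == "User":
            roles[a["principalId"]].add(name)
        elif a["principalType"] == "Group":
            for uid in group_members.get(a["principalId"], ()):
                roles[uid].add(name)
    return dict(roles)


def audit(app_roles, assignments, group_members):
    """Return (resolved, conflicts). resolved: user id -> extension attributes
    for users with exactly one role. conflicts: user id -> sorted role names
    for users with several roles, a state SingleAppRoleAssignment is not
    defined for, so the seat type those users would get is unpredictable."""
    resolved, conflicts = {}, {}
    for uid, names in effective_roles(app_roles, assignments, group_members).items():
        if len(names) == 1:
            resolved[uid] = scim_extension(next(iter(names)))
        else:
            conflicts[uid] = sorted(names)
    return resolved, conflicts


# Constructed sample (made-up IDs): two roles, two groups, carol in both.
APP_ROLES = [
    {"id": "11111111-0000-0000-0000-000000000001",
     "displayName": "Figma Full | FigJam Full"},
    {"id": "11111111-0000-0000-0000-000000000002",
     "displayName": "Figma Viewer Restricted | FigJam Full | Dev Mode Viewer Restricted"},
]
ASSIGNMENTS = [
    {"principalId": "g-full", "principalType": "Group",
     "appRoleId": "11111111-0000-0000-0000-000000000001"},
    {"principalId": "g-viewer", "principalType": "Group",
     "appRoleId": "11111111-0000-0000-0000-000000000002"},
]
GROUP_MEMBERS = {"g-full": ["alice", "carol"], "g-viewer": ["bob", "carol"]}

if __name__ == "__main__":
    ok, bad = audit(APP_ROLES, ASSIGNMENTS, GROUP_MEMBERS)
    for uid, attrs in ok.items():
        print(uid, attrs)
    for uid, names in bad.items():
        print(f"CONFLICT {uid}: {names}")
```

To run this against a real tenant, replace the three constructed inputs with the service principal's appRoles, its appRoleAssignedTo listing, and the members of each assigned group; any user reported under conflicts needs to be removed from all but one of the six groups before provisioning.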
Test user provisioning
Note: Before testing your mapping, remember to assign a test user to one of the groups.
- Open the Figma Enterprise App.
- Navigate to the Provisioning section.
- Click Provision on demand.
- Select a user to test provisioning with.
- Click Provision.