Automate with External Systems
Prerequisites
- Admin account with access rights management permissions
- Corporate Login enabled for your organization — this is a Bitwards add-on feature that must be set up by Bitwards in cooperation with your IT department
- Identity Provider (IDP) configured — such as Microsoft Entra ID (formerly Azure Active Directory) or another OAuth 2.0 compatible provider
- User groups created in the Mobile Access platform with access rights already assigned — see Grant Access Using User Groups or Combine User Groups and Resource Groups
Overview
The Mobile Access platform can automatically manage user group memberships based on your organization's existing identity provider (such as Microsoft Entra ID). Instead of manually adding users to groups and assigning access rights, the system syncs group memberships during user login — new users are added, removed users are cleaned up, and access rights are kept up to date automatically.
The automation is based on user groups. You set up user groups in Mobile Access with the appropriate access rights, then link each group to its matching group in your identity provider using a System ID and External ID. When a user logs in through Corporate Login, the system reads their group memberships from the identity provider and automatically updates their group memberships in Mobile Access.
What Gets Automated
When automatic provisioning is active, the following updates happen during user login:
- New user — If the user does not exist in Mobile Access, they can be created automatically and added to the correct user group(s)
- Group membership added — If the user belongs to a new group in the identity provider, they are added to the matching user group in Mobile Access
- Group membership removed — If the user has been removed from a group in the identity provider, their membership in the matching Mobile Access group is also removed
Access rights that were assigned manually through the Mobile Access platform interface (not through automatic provisioning) are not removed by the automation process. Only group memberships managed by the identity provider are affected.
Steps
Step 1: Ensure Corporate Login Is Set Up
Automatic provisioning requires the Corporate Login feature to be enabled for your organization. Corporate Login allows users to log in to the Mobile Access app using their existing organization credentials (such as their corporate email and password) instead of a separate Bitwards account.
The Corporate Login setup is a joint process between Bitwards and your organization's IT department. Your IT team needs to provide information about your identity provider (IDP address, domain, authentication method). Contact Bitwards to initiate the setup.
The Corporate Login setup is handled by Bitwards and is not configured through the Mobile Access platform interface. The setup does not include the identity provider configuration on your side — your IT team is responsible for the IDP setup.
Step 2: Create User Groups with Access Rights
Before enabling automation, you need user groups with the correct access rights already configured in Mobile Access. Each user group should represent a role or team in your organization that maps to a group in your identity provider.
- Create the user group(s) in Users → User Groups
- Assign the appropriate access rights — either individual resources (see Grant Access Using User Groups) or resource groups (see Combine User Groups and Resource Groups)
- Verify the access rights are correct before linking to the identity provider
Step 3: Link User Groups to the Identity Provider
For each user group that should be managed automatically:
- Go to Users → User Groups and select the user group
- Click the edit button to open the user group details form
- Check the "Set system id for the group" checkbox
- In the "Select system id for the group" dropdown, select the appropriate system (e.g., azure for Microsoft Entra ID)
- In the External ID field, enter the group identifier from your identity provider — this must exactly match the group ID in your IDP system
- Click Create or Save to apply the changes
The External ID must match the group identifier in your identity provider exactly. For Microsoft Entra ID, this is typically in UUID format (e.g., 39b17d4e-1139-4d51-b16c-b629a8bbd1dd). Your IT department can provide the correct group IDs from your Entra ID or other IDP system.
Step 4: Verify the Configuration
After linking a user group, the user group details page will display the System ID and External ID fields with the configured values. Verify that these match the intended group in your identity provider.
How Access Rights Stay Up to Date
Once configured, access rights are updated automatically based on user activity:
- At first login — When a user logs in through Corporate Login for the first time, the system reads their group memberships from the identity provider and adds them to the matching user groups in Mobile Access. If the user does not exist yet, they can be created automatically.
- On subsequent use — When a user opens the Mobile Access app and their authentication session is refreshed, the system checks for changes in the identity provider. With Microsoft Entra ID, this typically happens approximately every hour. The refresh process starts when the user activates the application.
If a change is made in the identity provider (for example, a user is moved to a different group), the update in Mobile Access will not happen until the user opens the app and the token refresh occurs. If the user does not use the app, the changes from the identity provider will not be synced.
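The following is an added example, not code from Bitwards or the Mobile Access platform, that models the behaviour described under "What Gets Automated" and "How Access Rights Stay Up to Date", plus the External ID check from Step 3. It assumes a simple data model (a user group with a System ID and External ID, a user with memberships tagged as either provisioned or manual) and a single reconciliation function that runs at login or token refresh; the real platform's data model and APIs are not documented on this page. The group names, e-mail addresses and the second UUID are constructed sample values.

```python
import uuid
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed model of the linkage described above. The Mobile Access
# platform's real data model and APIs are not on this page; everything here
# is an assumption for illustration.

@dataclass
class UserGroup:
    name: str
    system_id: Optional[str] = None    # e.g. "azure" for Microsoft Entra ID
    external_id: Optional[str] = None  # group identifier in the IDP

@dataclass
class User:
    email: str
    # group name -> how the membership was assigned: "idp" (provisioned) or "manual"
    memberships: Dict[str, str] = field(default_factory=dict)


def validate_link(group: UserGroup) -> None:
    """Catch a mistyped External ID at configuration time (Step 3).

    A wrong ID produces no error at login: the user is simply never added to
    the group. Checking the format up front is cheaper than debugging a
    missing access right later.
    """
    if group.system_id is None:
        return  # not linked; memberships are managed manually
    if not group.external_id:
        raise ValueError(f"{group.name}: system id is set but External ID is empty")
    if group.system_id == "azure":
        try:
            uuid.UUID(group.external_id)  # Entra ID group IDs are UUIDs
        except ValueError:
            raise ValueError(
                f"{group.name}: External ID {group.external_id!r} is not a UUID"
            ) from None


def sync_on_login(
    email: str,
    idp_system: str,
    idp_group_ids: List[str],
    groups: List[UserGroup],
    users: Dict[str, User],
    auto_create: bool = True,
) -> Tuple[List[str], List[str]]:
    """Reconcile one user's memberships from the group IDs the IDP reported.

    Called at first login and at every token refresh. Returns (added, removed)
    group names. Only memberships tagged "idp" are ever removed; manual ones
    are left untouched, as the text describes.
    """
    user = users.get(email)
    if user is None:
        if not auto_create:
            raise LookupError(f"{email}: no such user and auto-creation is disabled")
        user = users[email] = User(email=email)

    # Groups linked to this IDP, keyed by External ID. Matching is an exact
    # string comparison; groups linked to a different system are not touched.
    linked = {g.external_id: g.name for g in groups if g.system_id == idp_system}
    wanted = {linked[gid] for gid in idp_group_ids if gid in linked}

    provisioned = {n for n, how in user.memberships.items() if how == "idp"}
    added = sorted(n for n in wanted if n not in user.memberships)
    removed = sorted(provisioned - wanted)

    for name in added:
        user.memberships[name] = "idp"
    for name in removed:
        del user.memberships[name]
    return added, removed


def demo() -> Dict[str, Dict[str, str]]:
    """Constructed scenario: one existing user and one first-time user."""
    groups = [
        UserGroup("Warehouse", "azure", "39b17d4e-1139-4d51-b16c-b629a8bbd1dd"),
        UserGroup("Office", "azure", "0f1e2d3c-4b5a-4968-8776-655443322110"),
        UserGroup("Contractors"),  # not linked; manual membership only
    ]
    for g in groups:
        validate_link(g)
    users = {
        "ana@example.com": User("ana@example.com", {"Office": "idp", "Contractors": "manual"})
    }
    # Ana was moved from Office to Warehouse in Entra ID; the change lands at her next refresh.
    sync_on_login("ana@example.com", "azure", [groups[0].external_id], groups, users)
    # Ben has never logged in; an unlinked group ID reported by the IDP is ignored.
    sync_on_login("ben@example.com", "azure", [groups[1].external_id, "not-linked"], groups, users)
    return {email: dict(u.memberships) for email, u in users.items()}


if __name__ == "__main__":
    for email, memberships in demo().items():
        print(email, memberships)
```

Note that nothing in this model runs on its own: memberships change only when `sync_on_login` is invoked, which is exactly the stale-state caveat above. A user who is moved between groups in the identity provider but never opens the app keeps their old memberships until the next token refresh.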
What's Next
Related How-To Guides:
- Grant Access Using User Groups — Set up user groups and assign individual resources
- Combine User Groups and Resource Groups — Assign resource groups to user groups for large-scale management
- Set Time Restrictions — Add weekly schedules to automated access rights
Platform Reference:
- User Groups — User group management and configuration
- Users — User management and account overview
- Resource Groups — Resource group management