All Collections
Single Sign-on
AzureAD (Office365) - Mapping Roles to Lawvu Roles via SSO
AzureAD (Office365) - Mapping Roles to Lawvu Roles via SSO

This guide describes creating custom roles and the attribute mapping required for SCIM provisioning.

Martin Walzak avatar
Written by Martin Walzak
Updated this week

In this article:

At the moment, we are facing problems related to role provisioning and our Gallery App. Microsoft has released this app with incorrect attributes that cannot be modified. If you need to use role provisioning, it will be necessary to configure the app manually. LawVu has prepared a guide that can assist you with this process. The configuration takes about 15 minutes following our guide.


LawVu provides the ability to map your AzureAD roles into LawVu roles. This enables the configuration of access roles via the existing IT tools, which ensures central management of users and permissions. To utilize automatic role mapping in your LawVu app, both steps will need to be completed and configured in your Azure AD app.

Restrictions after implementation

Configuring SCIM role provisioning will disable the ability to change and assign roles within the LawVu platform. The legal team member with administrative access usually does this task manually in LawVu.

Please liaise with your legal team and clarify how roles should be assigned in LawVu before configuring the next step.

Please also note that once you enable Roles in Azure under the LawVu application, then you MUST assign a role to each user or group added to the application. This is by Microsoft design and not driven by the LawVu app.


You will require administrator access to your AzureAD (Office365) tenant and also be in touch with a LawVu technical contact in order to create the mapping in LawVu.

Known Issues:

Please take note of the potential issue that might arise during role configuration and group assignment to applications. Misconfigurations can lead to quarantine errors, resulting in a halt to user provisioning.

Role Assignment: Azure allows roles to be assigned to both individuals and groups. However, this introduces a risk explained below.

Role Reusability Limitation: Application roles cannot be used in multiple instances when a group and an individual user are involved. This situation arises when a user is assigned to the application and is also a member of a group that has been assigned to the same application.

Solution: When utilising role provisioning, remember that Azure enforces a constraint on role reuse, allowing a user to be assigned only once to an application. This understanding can help you navigate the challenges effectively.

Please see below error message that will be logged if the configuration is incorrect.

AzureAD - Role creation and user assignment

Access the Enterprise app Lawvu and select “Users and Groups”. Click on “Application Registration”. Please note below the role assigned to a test user, which shows as “User” by default.

Click on “Create App Role” and create your LawVu roles here. The names don’t have to mirror the LawVu role names. The below four LawVu roles are available for mapping:

  • Administrator

  • In House Legal

  • Contributor

  • Standard User

Go back to your LawVu app and to “Users and Groups”. Add a user or a group and assign a role.

Add a user or group, select the required role and apply.

Please note how the role assignment changed for our assigned user.

You can also change the role for an already existing user account or group under the app. Go to “Users and Groups”. Tick the box next to the user account and click on “Edit Assignment”

Select the role as in the previous steps and assign to user.

AzureAD - Role attribute mapping for SCIM provisioning.

Create a custom attribute mapping for roles under Provisioning. Click on "Edit attribute mapping"

Expand Mappings and click on Provisioning AzureAD Users.

Scroll down and add new mapping

Create a new custom attribute mapping with below values.

Type: Expression

Expression: AppRoleAssignments([appRoleAssignments])

Target attribute: roles[primary eq “True”].value

Ensure to save your new settings and provide all newly created User roles to the LawVu technical team. All roles must be mapped on the backend of your LawVu configuration by a LawVu support team member. Without this mapping, at the backend, the roles will not apply to any of your accounts.

Reporting a problem

Before submitting a problem report, kindly review ALL the settings mentioned above. If the problem continues, please reach out to our support team for further assistance.

Did this answer your question?