Introduction
If you are using Azure for SSO, Focus provides two ways to manage user provisioning and roles:
- Role claims via SAML: Users are dynamically added to Focus on their first SSO login (just-in-time provisioning), and their role is automatically set based on a SAML role claim.
- Entra Sync app: Users are pre-synced into Focus ahead of their first login, allowing you to configure Focus group access and other settings before they log in.
You can use either or both of these approaches together.
If you use different tenants for recorded people (Subscribers) and logged in users, this is also supported; please make sure you let your onboarding team know that this is required during setup.
Option 1: Role Claims via SAML (Just-in-Time Provisioning)
When a user logs in via SSO for the first time, they are automatically added to Focus. If role claims are configured, their role is set based on the claim value sent from Azure on every login.
How it works
Focus reads the role from the following SAML claim:
http://schemas.microsoft.com/ws/2008/06/identity/claims/role
This is the default role claim used by Microsoft Entra ID. When a user logs in via SSO, Focus checks for this claim in the SAML response:
- If a role claim is sent, the user's Focus role is set to match the claim value on every login.
- If no role claim is sent, the user's existing role in Focus is preserved (or Standard User if they are new).
Setup
To configure role-based sync, you need to add app roles in your Azure Enterprise Application and assign them to users.
1. Define App Roles
- In the Azure portal, navigate to your Enterprise Application (the one created for Focus SSO).
- Go to App registrations and find the corresponding app registration.
- Select App roles from the left menu.
- Create roles using the allowed values from the table below.
2. Assign Roles to Users
- Go back to the Enterprise Application.
- Navigate to Users and groups.
- Assign users and select the appropriate role for each user or group.
Allowed Role Values
The following role claim values are recognised by Focus:
| Role Claim Value | Description |
|---|---|
| SuperUser | Full account admin |
| AdminUser | User and account management |
| ComplianceUser | Read-focused access, reporting and downloads |
| Supervisor | Team oversight |
| TeamLeader | User management plus standard user access |
| GeneralUser | Standard user |
| BasicUser | Same as GeneralUser |
| PlaylistUser | Playlist access only |
Make sure the role value configured in Azure exactly matches the value shown in the table above, including case (e.g. SuperUser, not superuser).
You only need to configure the roles you intend to use; not every role is required.
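The following pre-flight check is an added example, not Focus or Microsoft code: it reads a SAML assertion you have captured from a test login and compares each value of the role claim against the table above, flagging case or whitespace mismatches. The function name, status strings and sample assertion are constructed for illustration, and the check does not validate the assertion's signature.

```python
import xml.etree.ElementTree as ET

# Claim name and allowed values are taken from this page.
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
ALLOWED = {"SuperUser", "AdminUser", "ComplianceUser", "Supervisor",
           "TeamLeader", "GeneralUser", "BasicUser", "PlaylistUser"}
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

def check_role_claims(assertion_xml):
    """Return [(value, status)] for every role claim value in the assertion.

    Hypothetical helper: run it only on assertions captured from your own
    test logins. An empty list means no role claim was sent.
    """
    root = ET.fromstring(assertion_xml)
    by_lower = {r.lower(): r for r in ALLOWED}
    results = []
    for attr in root.iter("{%s}Attribute" % SAML_NS):
        if attr.get("Name") != ROLE_CLAIM:
            continue
        for val in attr.findall("{%s}AttributeValue" % SAML_NS):
            value = val.text or ""
            near = by_lower.get(value.strip().lower())
            if value in ALLOWED:
                status = "ok"
            elif near:
                status = "mismatch (case or whitespace), expected " + near
            else:
                status = "not in allowed table"
            results.append((value, status))
    return results

# Constructed sample assertion (unsigned, trimmed to the attribute statement).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml:AttributeValue>superuser</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    found = check_role_claims(SAMPLE)
    if not found:
        print("No role claim sent: existing Focus role is preserved")
    for value, status in found:
        print(repr(value), "->", status)
```

Because the role is reapplied on every login, running this against a test user's assertion after each change to app role assignments confirms that the value Azure actually emits is one Focus recognises.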
Option 2: Entra Sync App (Pre-Provisioning)
The Entra Sync app allows Focus to pre-sync users from Azure into Focus before they log in for the first time. This is useful if you need to:
- Assign users to Focus groups for content access control
- Configure user settings ahead of time
- Have users ready and visible in the Focus admin screens before they start using the platform
How it works
Once authorized, the Entra Sync app reads your users from Azure and syncs them into Focus every 30 minutes. Users will appear in the Focus People screen and can be assigned to groups, given permissions, and configured before their first login.
Setup
To enable the Entra Sync app, you must authorize it to read your users.
This can be enabled automatically as part of the Teams onboarding flow. If you are not using Teams recording, or want to enable this after onboarding, please ask your support team to provide a link to the application for authorization.
Using both options together
You can use the Entra Sync app to pre-provision users into Focus and configure role claims to automatically set their role on login. This gives you the best of both worlds: users are ready in Focus ahead of time, and their role stays in sync with Azure on every login.