Give role-based access to an Entra ID group

If you have Microsoft Entra ID configured as your identity provider, you can define role-based access in Calico Cloud and assign that role to an Entra ID (formerly Azure AD) security group. By managing membership in that security group, you can manage role-based access to Calico Cloud directly from your identity provider portal.

Prerequisites

  • You have owner or administrator permissions to the Calico Cloud Manager UI.
  • You set up Entra ID as your identity provider for Calico Cloud. To set up an identity provider for Calico Cloud, open a support ticket.
  • You have administrator permissions for your organization in the Azure Portal.
  • You have the Object ID for an Entra ID security group.
  • The Email property for all users in the security group has a valid email address.
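A preflight check for the last two prerequisites, added here as an example and not part of the Calico Cloud documentation. It assumes the portal's Email property corresponds to the `mail` attribute in a Microsoft Graph `GET /groups/{id}/members` response; the function names, sample response and IDs are constructed for illustration.

```python
import json
import re
import uuid

# Constructed sample, shaped like a Microsoft Graph GET /groups/{id}/members response.
SAMPLE_MEMBERS_JSON = """
{"value": [
  {"@odata.type": "#microsoft.graph.user", "id": "11111111-1111-1111-1111-111111111111",
   "userPrincipalName": "alice@example.com", "mail": "alice@example.com"},
  {"@odata.type": "#microsoft.graph.user", "id": "22222222-2222-2222-2222-222222222222",
   "userPrincipalName": "bob@example.com", "mail": null},
  {"@odata.type": "#microsoft.graph.user", "id": "33333333-3333-3333-3333-333333333333",
   "userPrincipalName": "carol@example.com", "mail": "carol@"},
  {"@odata.type": "#microsoft.graph.group", "id": "44444444-4444-4444-4444-444444444444",
   "displayName": "nested-group"}
]}
"""

# Deliberately simple shape check: one "@", no whitespace, a dot in the domain part.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def is_object_id(value):
    """True only for a canonical hyphenated GUID, the form an Object ID takes."""
    try:
        return str(uuid.UUID(value)) == value.lower()
    except (ValueError, AttributeError, TypeError):
        return False

def preflight(group_object_id, members_json):
    """Return a list of problems to fix before entering the IdP Group Identifier."""
    problems = []
    if not is_object_id(group_object_id):
        problems.append(f"group id {group_object_id!r} is not an Object ID (GUID)")
    for m in json.loads(members_json).get("value", []):
        label = m.get("userPrincipalName") or m.get("displayName") or m.get("id")
        if m.get("@odata.type") != "#microsoft.graph.user":
            # Only user objects carry the Email property this check covers.
            problems.append(f"{label}: not a user object, Email not checked")
            continue
        mail = m.get("mail")
        if not mail:
            problems.append(f"{label}: Email property is empty")
        elif not EMAIL_RE.match(mail):
            problems.append(f"{label}: Email property {mail!r} is not a valid address")
    return problems

if __name__ == "__main__":
    # Placeholder Object ID (constructed); substitute your security group's Object ID.
    for p in preflight("00000000-0000-0000-0000-000000000000", SAMPLE_MEMBERS_JSON):
        print("FAIL", p)
```

An empty list from `preflight` means every user member has a well-formed Email value and the group identifier has the Object ID format.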

Procedure

  1. In Manager UI, click the user icon > Manage Team.
  2. Under the Roles tab, click Add Role and enter a name and description for the custom role. Under IdP Group Identifier, enter your Entra ID security group's Object ID and click Save.
    Note: If you don't see IdP Group Identifier, open a support ticket to enable this option.

  3. To add permissions, locate your new role under the Roles tab, select Action > Manage permissions > Edit, and then click Add Permission.
  4. Under Permission, choose a permission type from the list. Depending on the permission, you may also need to choose a namespace or policy tier.
  5. (optional) Click Add permission to add more permissions to your role for this cluster.
  6. Click Save to save these permissions to the role for this cluster.