Overview
Entra ID RBAC allows you to manage Cloudmersive organization membership and role assignments directly from your Microsoft Entra ID tenant. By connecting your Entra ID tenant to your Cloudmersive organization, you can assign users to Cloudmersive roles in Entra ID and sync those assignments to Cloudmersive.
Note that this is not required for Entra ID SSO. Entra ID SSO works out of the box with no configuration. You can log in to Cloudmersive with Entra ID for SSO without performing these steps. This guide is an overview of how to enable Role-based Access Control in Entra ID for Cloudmersive Organizations, instead of managing the permissions through Cloudmersive Access Management. This enables you to configure permissions entirely in Entra ID.
Prerequisites
- You must be the Master Administrator of your Cloudmersive organization.
- Your account must have the Entra ID RBAC entitlement provisioned by your Cloudmersive Account team. Contact your Cloudmersive Account team to enable this entitlement before proceeding.
- You must have Global Administrator or Application Administrator access in your Microsoft Entra ID tenant.
Available Roles
Two roles can be assigned through Entra ID RBAC:
- Entra ID Role: Cloudmersive Administrator
  Cloudmersive Role: Administrator
  Description: Can manage users, API keys, and organization settings
- Entra ID Role: Cloudmersive Viewer
  Cloudmersive Role: Viewer (Read-Only)
  Description: Can view organization resources with read-only access
The Master Administrator role cannot be assigned or modified through Entra ID RBAC. The Master Administrator is always preserved and unaffected by sync operations.
Step 1: Register an Application in Entra ID
- Sign in to the Microsoft Entra admin center.
- Navigate to Microsoft Entra ID > App registrations > New registration.
- Configure the registration:
  - Name: "Cloudmersive RBAC Integration" (or any name you prefer)
  - Supported account types: "Accounts in this organizational directory only"
  - Redirect URI: Leave blank (not needed)
- Click Register.
- On the Overview page, copy the Application (client) ID and Directory (tenant) ID. You will need these later.
Step 2: Create a Client Secret
- In your app registration, go to Certificates & secrets > Client secrets > New client secret.
- Add a description and select an expiration period.
- Click Add.
- Copy the Value immediately. It will not be shown again.
Step 3: Grant API Permissions
- In your app registration, go to API permissions > Add a permission > Microsoft Graph > Application permissions.
- Add the following permissions:
  - Application.Read.All
  - AppRoleAssignment.ReadWrite.All
- Click Grant admin consent for [your organization] and confirm.
Step 4: Define App Roles
- In your app registration, go to App roles > Create app role.
- Create the first role:
  - Display name: Cloudmersive Administrator
  - Value: Cloudmersive.ChildAdministrator
  - Description: Cloudmersive organization administrator role
  - Allowed member types: Users/Groups
- Create the second role:
  - Display name: Cloudmersive Viewer
  - Value: Cloudmersive.Viewer
  - Description: Cloudmersive organization viewer role
  - Allowed member types: Users/Groups
The role Value fields must match exactly as shown above.
Step 5: Get the Service Principal Object ID
- In the Entra admin center, navigate to Enterprise applications.
- Find and click on the application you registered in Step 1.
- On the Overview page, copy the Object ID. This is the Service Principal Object ID, which is different from the Application (client) ID.
Step 6: Assign Users to Roles
- In the Enterprise application (not the App registration), go to Users and groups > Add user/group.
- Select the users or groups you want to assign.
- Select the appropriate role (Cloudmersive Administrator or Cloudmersive Viewer).
- Click Assign.
Repeat this process for all users who should have access to your Cloudmersive organization.
Step 7: Enable Entra ID RBAC in Cloudmersive
- Sign in to your Cloudmersive account.
- Navigate to Access Management > Organization and select your organization.
- Click Enable Entra ID Role-based Access Control.
- Enter the credentials you collected during the previous steps:
  - Tenant ID (Directory ID from Step 1)
  - Client ID (Application ID from Step 1)
  - Client Secret (Value from Step 2)
  - Service Principal Object ID (Object ID from Step 5)
- Click Test Credentials to verify your configuration. A successful test confirms that your credentials are valid and the required permissions have been granted.
- Click Enable Entra ID RBAC to complete the setup.
Your client secret is stored encrypted and is never displayed after entry.
Syncing Role Assignments
After enabling Entra ID RBAC, you can sync role assignments from Entra ID to your Cloudmersive organization:
- On the organization management page, click Sync Entra ID Now.
- Review the sync preview, which shows:
  - Total users with Cloudmersive roles assigned in Entra ID
  - Breakdown by Administrator and Viewer roles
  - Number of existing members that will be updated
  - Number of existing members that will be removed
- Click Sync Now to apply the changes.
When a sync is performed:
- Users assigned roles in Entra ID who have a Cloudmersive account will be added to your organization with the appropriate role.
- Users whose role has changed in Entra ID will have their Cloudmersive role updated.
- Users who are no longer assigned a role in Entra ID will be removed from the organization.
- The Master Administrator is never affected by sync operations.
- Users assigned roles in Entra ID who do not yet have a Cloudmersive account will not be added until they create one.
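The sync rules above can be modelled to predict which members a sync will add, update or remove before you click Sync Now. This is an added illustration, not Cloudmersive's code: it assumes users are matched by email address, that a role Value which does not match exactly counts as no assignment, and that each user holds only one of the two roles. The function name and sample data are constructed.

```python
# Added illustration of the sync rules on this page; not Cloudmersive's code.
# Role Values and role names come from the page; everything else is assumed.
ROLE_MAP = {
    "Cloudmersive.ChildAdministrator": "Administrator",
    "Cloudmersive.Viewer": "Viewer",
}

def plan_sync(assignments, members, accounts, master_admin):
    """Predict a sync. assignments: (user, role Value) pairs from Entra ID;
    members: user -> current Cloudmersive role; accounts: users who have a
    Cloudmersive account; master_admin: the Master Administrator."""
    desired, unmatched = {}, []
    for user, value in assignments:
        role = ROLE_MAP.get(value)  # exact, case-sensitive match
        if role is None:
            unmatched.append((user, value))  # assumed: treated as unassigned
        elif desired.get(user, role) != role:
            raise ValueError(f"{user} holds both roles; fix in Entra ID first")
        else:
            desired[user] = role
    desired.pop(master_admin, None)  # Master Administrator is never affected
    plan = {"add": {}, "update": {}, "pending": [], "unmatched": unmatched}
    for user, role in desired.items():
        if user in members:
            if members[user] != role:
                plan["update"][user] = role
        elif user in accounts:
            plan["add"][user] = role
        else:
            plan["pending"].append(user)  # no Cloudmersive account yet
    plan["remove"] = sorted(
        u for u in members if u not in desired and u != master_admin)
    return plan

# Constructed sample data (example.com addresses are placeholders).
ASSIGNMENTS = [
    ("alice@example.com", "Cloudmersive.ChildAdministrator"),
    ("bob@example.com", "Cloudmersive.Viewer"),
    ("carol@example.com", "Cloudmersive.Viewer"),
    ("dave@example.com", "cloudmersive.viewer"),  # role Value with wrong case
    ("root@example.com", "Cloudmersive.Viewer"),  # Master Administrator
]
MEMBERS = {"root@example.com": "Master Administrator",
           "alice@example.com": "Viewer", "dave@example.com": "Viewer",
           "erin@example.com": "Administrator"}
ACCOUNTS = set(MEMBERS) | {"bob@example.com"}

if __name__ == "__main__":
    print(plan_sync(ASSIGNMENTS, MEMBERS, ACCOUNTS, "root@example.com"))
```

Review the "remove" and "unmatched" entries first: a member whose only assignment carries a mistyped role Value lands in both.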
Auto-Sync
By default, syncing is performed manually by clicking Sync Entra ID Now on the organization management page. Automatic sync can also be enabled so that role assignments are synced on a recurring schedule without manual intervention. Contact your Cloudmersive Account team to enable Auto-Sync for your organization.
Updating Role Assignments
To add, change, or remove a user's role after initial setup:
- Go to your Enterprise application (Cloudmersive RBAC Integration) in the Microsoft Entra admin center.
- Navigate to Users and groups.
- Add new assignments, change existing role assignments, or remove assignments as needed.
- Return to the Cloudmersive organization management page and click Sync Entra ID Now to apply the changes (or wait for the next Auto-Sync if enabled).
Disabling Entra ID RBAC
To disconnect your Entra ID tenant from your Cloudmersive organization:
- Navigate to your organization management page in Cloudmersive.
- Click Disable Entra ID RBAC.
- Confirm the action.
Disabling Entra ID RBAC will delete the stored credentials and all Entra ID role assignment records. Existing organization members will not be removed, but they will no longer be synced from Entra ID.
Troubleshooting
Credential test fails:
- Verify that the Tenant ID, Client ID, and Client Secret are correct.
- Confirm that admin consent has been granted for the API permissions.
- Ensure the Service Principal Object ID is from the Enterprise application (not the App registration).
Users not appearing after sync:
- Verify that the user has been assigned a role in the Enterprise application under Users and groups.
- Confirm that the user has a Cloudmersive account. Users without a Cloudmersive account cannot be synced.
- Ensure the role Value is exactly Cloudmersive.ChildAdministrator or Cloudmersive.Viewer.
Sync limit exceeded:
- The self-service sync limit is 10,000 users. Contact your Cloudmersive Account team to raise this limit.