Entra ID doc

Author: tashian

graphics/entra-id-mappings.png

@@ -1,5 +1,5 @@
 ---
-updated_at: October 28, 2025
+updated_at: October 30, 2025
 title: Sync Entra ID Users to Smallstep
 html_title: Sync Microsoft Entra ID Users to Smallstep
 description: Integrate Smallstep with Microsoft Entra ID, syncing identity provider users for device identity.
@@ -20,7 +20,6 @@ The following provisioning features are supported:
 * Push Groups and New Users
 * Push Profile or Group Updates
 * Push User Deactivation
-  * When users are deactivated in Entra ID, they will be deactivated in Smallstep.
 * Reactivate Users
 
 ## Step By Step Instructions
@@ -75,14 +74,15 @@ The following provisioning features are supported:
 2. Choose “Syncronize Entra ID Active Directory Users to customappsso”
 3. The mappings you’ll want for Smallstep are:
 
-    ![Screenshot 2025-04-16 at 4.53.14 PM.png](Configure%20Entra%20ID%20User%20Sync%20(SCIM)/Screenshot_2025-04-16_at_4.53.14_PM.png)
+    ![Entra ID mappings](/graphics/entra-id-mappings.png)
 
     Most of these are part of the default mappings.
 
     The only two you will need to customize are:
 
-    - Update  `userName` to map to `ToLower(Replace([userPrincipalName], , "(?<Suffix>@(.)*)", "Suffix", "", , ), )`. The `userName` attribute determines the name of a user’s POSIX account, when needed (for example, with SSH).
+    - If you're using Smallstep SSH, the `userName` attribute determines the name of a user’s POSIX account. Update  `userName` to map to `ToLower(Replace([userPrincipalName], , "(?<Suffix>@(.)*)", "Suffix", "", , ), )`.
     - Add `externalId`, with a mapping to `objectId`. This should be a unique ID representing the user that is not reusable.
+
 4. Remove any other default attributes that are not in the list above. The only attributes you need to send to Smallstep are:
     - `userName`
     - `displayName`