This guide covers everything needed to manage Birdeye user roles through Microsoft Entra ID SCIM provisioning — from the initial mapping configuration to updating a role for an existing user. Two methods are covered depending on which Entra ID attribute was chosen for the role mapping.
Method A — You have a free Entra ID field
If you have a standard Entra ID field that isn't already being used (like Job Title, Department, or Employee Type), simply map it to the Birdeye role attribute. That's it — whenever you update that field in Entra ID, the role in Birdeye updates automatically.
Method B — All standard fields are already in use
If all standard Entra ID fields are taken, map any extension attribute (e.g. extensionAttribute1) to the Birdeye role attribute instead. The only difference is that extension attributes cannot be edited from the Entra ID portal directly — you'll need to update them using Microsoft Graph Explorer, which is a free web tool provided by Microsoft.
Valid Birdeye Role Values
Before setting or updating any role, confirm you are using an accepted value. The value must match exactly, including spelling and casing, to the existing role in Birdeye.
Role value (exact spelling) | Access level in Birdeye |
owner | Full administrative access |
admin | Admin-level access |
guest
| Standard user access — this is the default if no role is passed |
guest + | Elevated guest access |
IMPORTANT: If your Birdeye account uses custom roles, the value must match the exact name and casing of that custom role as it appears in Birdeye.
Method A: Role Mapping and Updates via a Core Entra ID Attribute
Use this method when you map the Birdeye role to a built-in Entra ID user field such as Job Title, Department, or Employee Type. These fields can be set and updated directly from the Entra ID portal with no scripting required.
Part 1 — Configure the Role Attribute Mapping
This is a one-time setup step. Once the mapping is in place, you only need Part 2 whenever you want to change a user's role.
Add the Custom Role Attribute to Birdeye's Attribute List
In the Entra admin center, go to Identity > Applications > Enterprise applications and open the Birdeye application.
In the left menu, select Provisioning, then expand the Mappings section.
Click Provision Microsoft Entra ID Users.
4. Scroll to the bottom of the page, check Show advanced options, then click Edit attribute list for Birdeye app.
5. Scroll to the bottom of the attribute list and add a new row with exactly these values:
Field | Value to enter |
Name | urn:ietf:params:scim:schemas:extension:custom:2.0:User:role |
Type | String |
All other options | Leave as default |
6. Click Save at the top to update the attribute list and confirm when prompted.
Map the Custom Attribute to a Core Entra ID Field
You are now back on the Attribute Mapping screen. Add a new mapping that connects a core Entra ID field to the custom role attribute you just created.
1. Click Add New Mapping at the bottom of the attribute mapping list.
2. Configure the new mapping as follows:
Setting | Value |
Mapping type | Direct |
Source attribute
| The core Entra ID field you want to use for the role — e.g. jobTitle, department, or employeeType |
Target attribute | urn:ietf:params:scim:schemas:extension:custom:2.0:User:role |
3. Click OK, then click Save at the top of the screen.
NOTE: Using a core Entra ID field, such as Job Title or Department, means you can update the role value at any time directly from the user's profile page in the Entra ID portal — no API calls needed.
Set the Role Value on the User's Profile
Now set the initial role value on the user. This same step is used any time you want to update the role in the future.
Go to Identity > Users > All Users and open the target user's profile.
Click Edit properties (pencil icon at the top of the profile).
Navigate to the tab containing the field you mapped (e.g. Job info for Job Title or Department).
Enter the exact Birdeye role value in that field — for example: admin or owner.
Click Save.
Provision the Role to Birdeye
Option 1 — Provision on Demand (Immediate)
Add the user to the Birdeye Application if not added already.
In the Birdeye Enterprise Application, go to Provisioning > Provision on demand.
Search for the user, select them, and click Provision.
A successful result confirms the role has been set in Birdeye.
Option 2 — Automatic Provisioning Job
No action needed. The role will sync to Birdeye on the next scheduled cycle, approximately every 40 minutes.
UPDATING THE ROLE IN FUTURE: To change a user's role, simply edit the mapped field (e.g. Job Title) on their Entra ID profile, save, and provision again using either option above. No mapping changes are needed.
Method B: Role Mapping and Updates via an Extension Attribute
Use this method when all core Entra ID user fields are already used for other purposes. The Birdeye role will be mapped to an extension attribute (e.g. extensionAttribute1). Because extension attributes cannot be edited from the portal UI, their values must be set and updated using the Microsoft Graph API via Graph Explorer.
Part 1 — Configure the Role Attribute Mapping
This is a one-time setup step. Complete it once, then use Part 2 whenever you need to change a user's role.
Add the Custom Role Attribute to Birdeye's Attribute List
This step is identical to Method A — Step 1.
In the Entra admin center, go to Identity > Applications > Enterprise applications and open the Birdeye application.
Go to Provisioning > Mappings > Provision Microsoft Entra ID Users.
Scroll to the bottom, check Show advanced options, then click Edit attribute list for Birdeye.
At the bottom of the attribute list, add a new row:
Field | Value to enter |
Name | urn:ietf:params:scim:schemas:extension:custom:2.0:User:role |
Type | String |
All other options | Leave as default |
5. Click Save and confirm.
Map the Custom Attribute to an Extension Attribute
On the Attribute Mapping screen, create a mapping between an extension attribute and the custom role attribute.
Click Add New Mapping at the bottom of the attribute mapping list.
Configure the new mapping as follows:
Setting | Value |
Mapping type | Direct |
Source attribute
| An extension attribute — e.g. extensionAttribute1, extensionAttribute2, etc. Choose one that is not already in use. |
Target attribute | urn:ietf:params:scim:schemas:extension:custom:2.0:User:role |
3. Click OK, then Save.
IMPORTANT: Note down which extension attribute (e.g. extensionAttribute1) you selected. You will need this exact name when updating role values via Graph Explorer.
Part 2 — Set or Update the Role Value Using Graph Explorer
Every time you want to set or change a user's Birdeye role, follow the steps below to update the extension attribute value using Microsoft Graph Explorer, then provision the change.
Open Microsoft Graph Explorer and Sign In
Open a browser and navigate to: https://developer.microsoft.com/en-us/graph/graph-explorer.
Sign in using your Entra ID administrator account.
If prompted, consent to the permissions requested. You need at least User.ReadWrite.All to update user attributes.
Run the PATCH Request to Update the Extension Attribute
Use a PATCH request to write the new role value into the user's extension attribute.
Request method and URL
Replace {userEmail} with the user's full Entra ID User Principal Name (UPN), e.g. jane.doe@yourcompany.com.
Request body
{ "onPremisesExtensionAttributes": { "extensionAttribute1": "admin" } } |
Replace the following before running:
extensionAttribute1 — use whichever extension attribute is mapped in your setup (e.g. extensionAttribute2, extensionAttribute3, etc.).
"admin" — replace with the exact Birdeye role value you want to assign (owner, admin, guest, or guest +).
Steps in Graph Explorer
1. In the request method dropdown, select PATCH.
2. Paste the full URL with the target user's email into the address bar.
3. Click the Request body tab and paste in the JSON above with your values filled in.
4. Click Run query.
5. A 204 No Content response confirms the extension attribute was updated successfully.
NOTE: A 403 Forbidden response means your account lacks the required permissions. Ensure User.ReadWrite.All or Directory.ReadWrite.All consent has been granted in Graph Explorer under the Modify permissions tab.
Verify the Updated Value in the Entra ID Portal
After the PATCH request succeeds, confirm the extension attribute was updated correctly by checking the user's profile in Entra ID.
In the Entra admin center, go to Identity > Users > All Users and open the user's profile.
Click the Properties tab at the top of the profile page.
Scroll down to the On-premises extension attributes section.
Confirm that the mapped extension attribute (e.g. Extension attribute 1) now shows the new role value.
TIP: If the On-premises extension attributes section is not visible, make sure you are on the Properties tab and not the Overview tab. It only appears under Properties.
Provision the Role Change to Birdeye
With the extension attribute updated in Entra ID, push the change to Birdeye.
Option 1 — Provision on Demand (Immediate)
In the Birdeye Enterprise Application, go to Provisioning > Provision on demand.
Search for the user, select them, and click Provision.
A successful result confirms the updated role has been applied in Birdeye.
Option 2 — Automatic Provisioning Job
No action needed. The updated extension attribute will be picked up on the next scheduled provisioning cycle, approximately every 40 minutes.
Quick Reference Summary
S.No. | Step | Method A — Core Attribute | Method B — Extension Attribute |
1 | Add custom role attribute(one-time setup) | Provisioning > Mappings > Provision Entra ID Users > Edit attribute list | Same as Method A |
2 | Map to source attribute(one-time setup) | Map to a core field: jobTitle, department, or employeeType | Map to an extension attribute: extensionAttribute1, 2, 3 … |
3 | Set/update role value | Edit the user's profile in the Entra ID portal — update the mapped field directly | Use Graph Explorer PATCH request to update the extension attribute |
4 | Verify the change
| Review the saved profile in Entra ID
| Check user Properties > On-premises extension attributes |
5 | Sync to Birdeye | Provision on Demand or wait for auto job (~40 min) | Provision on Demand or wait for auto job (~40 min) |