User Provisioning with Snowflake and Microsoft Entra ID SCIM Integration
- name: Snowflake-EntraID_Provisioning
- tag: IT infrastructure/system management/Microsoft Entra ID/Snowflake
- Connector used: REST connector/Snowflake connector
- API: Service Tags - List (API Version: 2024-01-01)
Reducing the operational burden of the Snowflake and Microsoft Entra ID SCIM integration
When Snowflake is used by all employees as a data analysis platform, the following tasks become a recurring burden in system operation:
- Adding users and assigning roles when new employees join the company
- Deleting users and roles when an employee leaves the company
SCIM integration is a solution to this problem. With SCIM integration, employee information is managed centrally in an identity provider (such as Microsoft Entra ID), and by linking Snowflake to that identity provider, the operational work of updating users and roles when employees join or leave the company is reduced.
However, because the public IP addresses used by the identity provider change periodically, the Snowflake network rule that admits its traffic must be updated to reflect the new addresses.
This application provides the following processes required to integrate Snowflake with Microsoft Entra ID:
- Retrieving the latest public IP address from Microsoft Entra ID and updating the IP address in the Snowflake network rule
- Granting roles and default warehouses to newly provisioned users from Microsoft Entra ID to Snowflake
- Deleting users who have been deleted in Microsoft Entra ID and disabled in Snowflake
How to install and use it
Script Details
Get the public IPs of Microsoft Entra ID (Azure_get_Service_IPs)
Use the Azure REST API (Service Tags - List) to get the latest public IP addresses for Microsoft Entra ID and write them to a CSV file.
Adding a public IP to Snowflake's network rule (Snowflake_alter_network_rule)
Read the public IP addresses from the CSV file and update the network rule in Snowflake (ALTER NETWORK RULE).
Grant a role to a user provisioned in Snowflake (Snowflake_grant_role)
Grants the specified role to a user provisioned to Snowflake through Microsoft Entra ID.
It also sets the granted role and the specified warehouse as the user's defaults.
Delete a user on Snowflake (Snowflake_delete_user)
Removes users who were deleted in Microsoft Entra ID and disabled in Snowflake.
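The four scripts above form one pipeline: fetch the service-tag prefixes, persist them to CSV, turn the CSV into an ALTER NETWORK RULE, and then grant roles or drop deprovisioned users. The following Python is an added example written for this page, not the project's own code. It works offline on a constructed fragment of the Service Tags - List response; the tag name AzureActiveDirectory, the rule name ENTRA_SCIM_RULE, the role, warehouse and user names, and the SHOW USERS-style rows are all assumptions. The points it adds that the descriptions leave implicit: prefixes are validated as CIDRs and IPv6 entries are dropped (a Snowflake network rule of TYPE = IPV4 rejects them), every identifier that originates from the identity provider is double-quoted before it reaches SQL, and a user is only dropped when it is both disabled in Snowflake and known to be deleted in Entra ID, so a locally disabled service account is never swept up.

```python
from __future__ import annotations

import csv
import io
import ipaddress
import json

# Constructed sample of the Azure "Service Tags - List" response, reduced to the
# fields this example reads (a real response carries many more tags and fields).
SAMPLE_SERVICE_TAGS_JSON = json.dumps({
    "values": [
        {"name": "AzureActiveDirectory",
         "properties": {"addressPrefixes": ["20.190.128.0/18", "40.126.0.0/18", "2603:1006:2000::/48"]}},
        {"name": "Storage",
         "properties": {"addressPrefixes": ["52.239.0.0/16"]}},
    ]
})


def extract_ipv4_prefixes(service_tags_json: str, tag_name: str = "AzureActiveDirectory") -> list[str]:
    """Return the validated, deduplicated IPv4 prefixes of one service tag.

    Snowflake network rules of TYPE = IPV4 do not accept IPv6 entries, so those
    are dropped here rather than failing the ALTER later. The tag name is an
    assumption for this example.
    """
    doc = json.loads(service_tags_json)
    tags = [t for t in doc.get("values", []) if t.get("name") == tag_name]
    if not tags:
        raise ValueError(f"service tag {tag_name!r} not present in response")
    prefixes: set[str] = set()
    for tag in tags:
        for cidr in tag["properties"]["addressPrefixes"]:
            net = ipaddress.ip_network(cidr, strict=True)  # raises on malformed input
            if net.version == 4:
                prefixes.add(str(net))
    return sorted(prefixes, key=ipaddress.ip_network)


def write_prefix_csv(prefixes: list[str]) -> str:
    """Serialise prefixes as the one-column CSV handed from the fetch script to the rule script."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["prefix"])
    for prefix in prefixes:
        writer.writerow([prefix])
    return buf.getvalue()


def read_prefix_csv(text: str) -> list[str]:
    return [row["prefix"] for row in csv.DictReader(io.StringIO(text))]


def quote_ident(name: str) -> str:
    """Double-quote a Snowflake identifier, escaping embedded quotes.

    User names arrive from the identity provider via SCIM; never interpolate
    them into SQL unquoted.
    """
    return '"' + name.replace('"', '""') + '"'


def alter_network_rule_sql(rule_name: str, prefixes: list[str]) -> str:
    """Build the ALTER NETWORK RULE statement, re-validating what was read from disk."""
    for prefix in prefixes:
        ipaddress.ip_network(prefix, strict=True)
    values = ", ".join(f"'{p}'" for p in prefixes)
    return f"ALTER NETWORK RULE {quote_ident(rule_name)} SET VALUE_LIST = ({values});"


def grant_defaults_sql(user: str, role: str, warehouse: str) -> list[str]:
    """Grant the role first, then make it and the warehouse the user's defaults."""
    u, r, w = quote_ident(user), quote_ident(role), quote_ident(warehouse)
    return [
        f"GRANT ROLE {r} TO USER {u};",
        f"ALTER USER {u} SET DEFAULT_ROLE = {r} DEFAULT_WAREHOUSE = {w};",
    ]


def drop_deprovisioned_users_sql(show_users_rows: list[dict], deleted_in_entra: set[str]) -> list[str]:
    """Drop only users that are disabled in Snowflake AND deleted in Entra ID.

    show_users_rows is modelled on SHOW USERS output (assumption: 'name' and a
    string 'disabled' column); deleted_in_entra is whatever list the operator
    obtains from the identity provider. Requiring both conditions keeps a
    manually disabled local account from being dropped by mistake.
    """
    targets = [
        row["name"] for row in show_users_rows
        if str(row.get("disabled", "")).lower() == "true" and row["name"] in deleted_in_entra
    ]
    return [f"DROP USER IF EXISTS {quote_ident(name)};" for name in targets]


if __name__ == "__main__":
    prefixes = read_prefix_csv(write_prefix_csv(extract_ipv4_prefixes(SAMPLE_SERVICE_TAGS_JSON)))
    print(alter_network_rule_sql("ENTRA_SCIM_RULE", prefixes))
    for stmt in grant_defaults_sql("alice@example.com", "ANALYST", "ANALYST_WH"):
        print(stmt)
    rows = [{"name": "bob@example.com", "disabled": "true"},
            {"name": "carol@example.com", "disabled": "false"},
            {"name": "svc_etl", "disabled": "true"}]  # constructed SHOW USERS rows
    for stmt in drop_deprovisioned_users_sql(rows, {"bob@example.com", "carol@example.com"}):
        print(stmt)
```

The generated statements would be executed through the Snowflake connector under a role that owns the network rule and has MANAGE GRANTS; DROP USER also fails if the user still owns objects, so ownership should be transferred before the drop step runs.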