Overview
Group → Role Mapping lets you connect Microsoft Entra ID groups to UniAsset roles. When a user signs in with Microsoft, UniAsset reads their group membership and assigns the appropriate role automatically. Roles stay in sync with your directory — no manual reassignment needed when people change teams.
Plan required: Enterprise
Prerequisite: Microsoft Entra ID must be connected first. See Connecting Microsoft Entra ID.
Who Can Access This
Required role: Owner or Admin
Available Roles
You can map Entra groups to any of the four UniAsset roles:
| Role | Access level |
|---|---|
| Owner | Full access including billing — assign with caution |
| Manager | Create and edit assets, log maintenance, view all data |
| Employee | Standard access for day-to-day asset tracking |
| Viewer | Read-only access to assets, history, and reports |
⚠️ WARNING: Mapping a group to the Owner role gives every member of that group full system access including billing. Reserve this for a single trusted administrator account, not a group.
Setting Up Group → Role Mapping
Step 1: Open Entra ID Settings
- Log in to UniAsset as an Owner or Admin
- Click Settings in the left sidebar
- Select the Integrations tab
- Click Microsoft Entra ID
Step 2: Open Group Mappings
- Under the connected tenant, click Group → Role Mapping
- UniAsset fetches your Entra groups and displays them in a list
💡 TIP: If your group list is empty or outdated, click Refresh Groups to pull the latest list from your directory.
Step 3: Assign Roles to Groups
For each Entra group you want to map:
- Find the group in the list
- Use the Role dropdown next to the group name to select a role
- Repeat for each group that should have a mapped role
Groups with no role selected are ignored — users in those groups receive the default role (Employee) if auto-provisioning is on, or their manually assigned role if they were invited directly.
Step 4: Save Mappings
- Click Save Mappings
- A confirmation message confirms the mappings are active
How Role Resolution Works
Mappings are applied at sign-in time, not in advance.
When a user signs in with Microsoft:
- UniAsset reads their current Entra group membership
- It checks which of their groups have a role mapping
- If multiple mapped groups apply, the highest-privilege role wins
- The user is signed in with that role
Example:
A user belongs to two groups:
- Facilities Team → mapped to Employee
- Facilities Managers → mapped to Manager
They sign in and receive the Manager role, because Manager outranks Employee.
💡 TIP: Role changes in mappings take effect on the user's next login. Existing active sessions are not affected immediately.
When Mappings and Manual Roles Interact
If a user was invited directly (not auto-provisioned) and also belongs to a mapped group, the mapped role applies at their next sign-in and overwrites their manually assigned role.
If you want a specific user to have a role that differs from their group mapping, remove the mapping for their group or move them out of that group in Entra.
Removing a Mapping
- Go to Settings → Integrations → Microsoft Entra ID → Group → Role Mapping
- Set the Role dropdown for the group back to No mapping
- Click Save Mappings
Users who were previously assigned a role via that mapping retain their current role until their next login, at which point UniAsset reassigns based on remaining active mappings.
Related Articles
- Connecting Microsoft Entra ID
- Auto-Provisioning Users from Entra ID
- Auto-Deprovisioning Leavers via Entra ID
- Changing User Roles
- Understanding Roles and Permissions
Need Help?
Contact support at support@uniasset.app with questions about group mappings. Include your tenant domain and the group names you are trying to map.
Need Help?
If you have questions not covered in this article, our support team is here to help.
Contact Support