Solved: Migrating users and app when you use IDP Entra - Qlik Community

dwighttrumbower · ‎2026-02-24

There seems to be a disconnect on how to migrate users before applications when you use IDP.

We have connected Entra as the SAML and when I user logins in no groups get created from IDP. Have done what the documentation says, but no groups get created.

Also, how do people migrate the apps and private sheets over when using IDP? Does one have to provision all the users from IDP vs auto provision on login?

Thanks

hugo_andrade · ‎2026-02-25

Hi @dwighttrumbower ,

On Qlik Cloud, when you are adding an IdP, Qlik is smart enough to detect the user email from the native Identity (Qlik's Auth0) and map it to the new IdP. As long as you get the email matching, since this is the only key in common between the two attributes.

Do you know if your users use the same email on both IdPs?

Regarding your next question, provisioning upon login vs. auto-provisioning: SAML will only allow you to create users on Qlik Cloud upon login (JIT - Just-in-time) provisioning.

If you opt for OIDC integration using EntraID, you would be able to create an auto-provisioning (SCIM). These key words will allow you to find the appropriate help articles if you are interested in changing the protocol.

But before you change to OIDC, I would like to highlight that is not necessarily required. SAML works brilliantly and should provide you with all the functionalities you need. If you are having issues with groups, make sure you have enabled "creation of groups" in Qlik Cloud Console: https://tenanturl.us.qlikcloud.com/admin/settings/feature-control

Lastly, if you continue to have issues, please share the configuration you have on EntraID and on Qlik Cloud console for the IdP.

It's a pleasure to help a fellow Qliker 🙂

Live and Breathe Qlik & AWS.
Follow me on my LinkedIn | Know IPC Global at ipc-global.com

View solution in original post

hugo_andrade · ‎2026-02-25

Hi @dwighttrumbower ,

On Qlik Cloud, when you are adding an IdP, Qlik is smart enough to detect the user email from the native Identity (Qlik's Auth0) and map it to the new IdP. As long as you get the email matching, since this is the only key in common between the two attributes.

Do you know if your users use the same email on both IdPs?

Regarding your next question, provisioning upon login vs. auto-provisioning: SAML will only allow you to create users on Qlik Cloud upon login (JIT - Just-in-time) provisioning.

If you opt for OIDC integration using EntraID, you would be able to create an auto-provisioning (SCIM). These key words will allow you to find the appropriate help articles if you are interested in changing the protocol.

But before you change to OIDC, I would like to highlight that is not necessarily required. SAML works brilliantly and should provide you with all the functionalities you need. If you are having issues with groups, make sure you have enabled "creation of groups" in Qlik Cloud Console: https://tenanturl.us.qlikcloud.com/admin/settings/feature-control

Lastly, if you continue to have issues, please share the configuration you have on EntraID and on Qlik Cloud console for the IdP.

It's a pleasure to help a fellow Qliker 🙂

Live and Breathe Qlik & AWS.
Follow me on my LinkedIn | Know IPC Global at ipc-global.com

dwighttrumbower · ‎2026-02-25

Thanks for that tid bit. Didn't see anything in docs about that.

I am working directly with qlik tech support.

hugo_andrade · ‎2026-02-25

Got it!

Good luck!

If this my answers were helpful, please give it a like and mark them as "Helpful" or "Solution".
Thanks

Live and Breathe Qlik & AWS.
Follow me on my LinkedIn | Know IPC Global at ipc-global.com

Migrating users and app when you use IDP Entra

Cloud Applications