Assigning Panther roles with Azure AD SSO
Last updated: June 25, 2026
QUESTION
We use Azure AD SSO to log in to Panther and want each user to receive the correct Panther role automatically at first login, provisioned through our identity provider (for example, via an IGA tool such as SailPoint) rather than receiving the default role and changing it manually afterward. How do we set a user's Panther role from Azure AD?
ANSWER
Panther can assign a user's role from a SAML attribute named PantherRole sent by your identity provider. When a user signs in via SSO for the first time, Panther creates their account automatically (just-in-time provisioning) and assigns the role carried in the PantherRole claim. If the claim isn't present, Panther falls back to the Default Role configured in the Console. This works with SAML identity providers, including Azure AD.
This builds on the standard SSO setup. If you haven't configured Azure AD SSO yet, complete that first. (see Panther's Azure Active Directory SSO documentation.)
Add the PantherRole claim in Azure AD
In your Panther enterprise application in Azure AD, go to Single sign-on → Attributes & Claims → Edit, and add a claim alongside the existing PantherEmail, PantherFirstName, and PantherLastName claims:
Name:
PantherRoleNamespace: leave blank (matching your existing Panther claims, so Panther receives the attribute as exactly
PantherRole)Source: Attribute
Source attribute: the Azure AD user attribute that holds the user's Panther role name (the attribute your provisioning tool populates). A group-based claim can also be used.
For details on customizing claims in Azure AD, see Microsoft's SAML token claims customization documentation.
Role value requirements
The value of the PantherRole claim must exactly match an existing Panther role name (for example, Admin, AnalystReadOnly, or a custom role):
If the value matches a role, the user is assigned that role.
If the value is not a valid role name, the role is not applied.
If no
PantherRoleclaim is sent, Panther uses the Default Role from the Console.
How and when the role is applied
The role is read and applied when the account is created at first sign-in.
After that, role changes made on the identity-provider side take effect on the user's next full interactive SSO sign-in (not instantly, and not on background session/token refreshes.)
Validate with a single test user
Before rolling this out broadly, confirm the behavior with one user:
Assign a single test user to the Panther application and set their
PantherRolevalue.Have them sign in to Panther via SSO (a fresh, interactive sign-in).
Confirm in the Panther Console that the user was created with the expected role rather than the Default Role.
If the user lands on the Default Role, verify the claim Name is exactly PantherRole, the Namespace is blank, and the value is a valid Panther role name.
Provisioning and offboarding
Panther accounts for SSO users are created just-in-time at first sign-in; they cannot be created in advance via API. Your provisioning tool governs access by managing the Panther application assignment in Azure AD, and the user's account is created when they first sign in.
To offboard, remove the user's Panther application assignment in Azure AD to prevent sign-in. To also remove the Panther account, use the Delete User API (
DELETE /users/{id}). For more information, see the Users API reference.