Hello Community,
We are currently working on a custom SCIM integration between Microsoft Entra ID and HubSpot, and we would like to clarify a limitation we are facing regarding the management of HubSpot roles (permission sets).
Our target setup would be:
to manage roles on the Microsoft Entra ID side, ideally using groups;
to disable group synchronization to HubSpot in order to avoid technical limitations and quarantine issues on the Entra ID side;
while still allowing HubSpot to automatically receive user role assignments via SCIM.
Based on our current understanding, disabling group synchronization prevents any information from being sent to HubSpot that would allow automatic role assignment, which seems to block this scenario.
However, HubSpot’s documentation for custom SCIM applications explicitly mentions the ability to synchronize roles using the roleSyncEnabled parameter, allowing identity provider roles to be mapped to HubSpot permission sets, provided that the role names match exactly.
In this context, we would like to know:
Is it possible to use role synchronization (roleSyncEnabled) with Microsoft Entra ID without enabling group synchronization?
Or is this approach currently not supported, with no officially supported solution outside of HubSpot’s dedicated SCIM connectors?
If anyone in the community has already faced this situation or implemented an alternative solution, your feedback would be greatly appreciated.
Thank you in advance for your clarification.
