Assigning multiple roles to the same IdP group across different spaces - multiple me

Last updated: September 15, 2025

When using custom roles with IdP group mappings, you may want to grant different roles to the same Azure Entra ID group across different spaces. While IdP group mappings require unique group names (object IDs) per account, you only need to create the mapping once and can then attach multiple role and space assignments to it.

Understanding IdP Group Mapping Uniqueness

The uniqueness requirement applies only to the mapping itself - you create the Azure Entra group object ID mapping once per account. From there, you can attach as many role + space assignments as needed to that same IdP group.

Three Ways to Assign Multiple Roles

1. Using the UI

Navigate to Organization Settings → Identity Management → IdP Group Mappings. Add the Azure group object ID once, then under Manage Roles you can add multiple entries for different spaces and roles.

2. Using Terraform

Create the IdP group mapping once using the spacelift_idp_group_mapping resource, then attach roles per space using spacelift_role_attachment. This resource explicitly supports attaching roles to an IdP group mapping (not just API keys).

More details on this are in this article.
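An added Terraform example of the pattern just described (not code from the original article or from Spacelift's own documentation): one IdP group mapping, then one spacelift_role_attachment per space, giving the same Azure Entra ID group a narrower role in production than in development. The attribute names on spacelift_role_attachment (idp_group_id, role_id, space_id), the spacelift_role action strings, the space IDs and the group GUID are assumptions or placeholders; check them against your provider version.

```hcl
terraform {
  required_providers {
    spacelift = {
      source = "spacelift-io/spacelift"
    }
  }
}

# The Entra group is identified by its object ID (GUID), not its display name.
# The GUID here is a constructed placeholder; create this mapping ONCE per account.
resource "spacelift_idp_group_mapping" "platform_team" {
  name = "00000000-0000-0000-0000-000000000000" # placeholder Entra group object ID
}

# Custom roles with deliberately different privilege levels.
# The action strings are assumed; verify them against your provider version.
resource "spacelift_role" "viewer" {
  name        = "Viewer"
  description = "Read-only access to the space"
  actions     = ["SPACE:READ"]
}

resource "spacelift_role" "operator" {
  name        = "Operator"
  description = "Can read the space and trigger runs"
  actions     = ["SPACE:READ", "RUN:TRIGGER"]
}

# Spaces are assumed to already exist; replace these placeholder IDs with your own.
locals {
  dev_space_id  = "development-01ABCDEF" # placeholder
  prod_space_id = "production-01ABCDEF"  # placeholder
}

# Same IdP group, two spaces, two different roles: least privilege in prod,
# broader rights in dev. Each attachment references the single mapping above.
resource "spacelift_role_attachment" "platform_team_dev" {
  idp_group_id = spacelift_idp_group_mapping.platform_team.id
  role_id      = spacelift_role.operator.id
  space_id     = local.dev_space_id
}

resource "spacelift_role_attachment" "platform_team_prod" {
  idp_group_id = spacelift_idp_group_mapping.platform_team.id
  role_id      = spacelift_role.viewer.id
  space_id     = local.prod_space_id
}
```

Adding a third space is one more spacelift_role_attachment block pointing at the same mapping; the mapping itself is never duplicated.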

3. Using Login Policies

You can use a login policy to grant roles by team (group) per space. See the documentation for examples of how to implement this approach.

Important Note for Azure Entra ID

Make sure the groups claim is included in the ID token so Spacelift receives the group IDs. With Azure Entra ID, Spacelift receives group IDs (GUIDs), not names, so use the group's object ID in your mapping configuration. Note that Entra omits the groups claim from a JWT and emits a group overage claim instead when a user belongs to more than 200 groups, so verify the token contents for users in many groups.