Microsoft Entra API-driven provisioning, now in public preview

Microsoft recently announced that Microsoft Entra API-driven provisioning is now in public preview. This is great for several reasons, as it gives you more flexibility in how you manage identities in your organization.

If you want a single pane of glass for managing your identities, with control over where each user gets created, this is the service for you.

Major USP for Cloud Provisioning Services that covers customers' most wanted feature

Two major recurring asks from customers have been the ability to automatically provision cloud-only and hybrid users from any trusted source. This means, for example, importing from a CSV file or a SQL database table and deciding where to create the user: in the cloud, or only on-premises (from where it can later be synced to the cloud using AD Connect).

There have been vendors with their own solutions for this, but those have been isolated products. With Provisioning Services we can use a Microsoft-backed product.

The workflow

This is an overview of the workflow released by Microsoft.

  1. You populate a CSV file, SQL table or any other source from an automation tool of your choice
  2. You send this data to the API endpoint of Provisioning Services
  3. This endpoint then uses an App Registration in Microsoft Entra that you can configure to be able to write both to the cloud and on-premises
  4. The ruleset inside the API decides whether the user is to be created in the cloud or on-premises

If your destination is an on-premises Active Directory domain, there is an agent you need to download and install (the provisioning agent from the image above). See this for more information about that.
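As an added example that is not part of the original post, here is what steps 1 and 2 of the workflow look like in code: an HR-style CSV export is turned into the SCIM 2.0 bulk request the API-driven provisioning endpoint accepts, and POSTed to the unique endpoint URL with a bearer token. The endpoint URL, the token and the CSV rows are constructed placeholders; the column names are assumptions about your source file.

```python
# Added example (not from the original post): build the SCIM 2.0 bulk request that the
# API-driven provisioning endpoint accepts from a CSV export, then POST it. URL, token
# and CSV rows are constructed placeholders.
import csv, io, json, urllib.request
from urllib.parse import urlparse

BULK_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_SCHEMA = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed sample input standing in for the HR export of step 1.
SAMPLE_CSV = """employeeId,firstName,lastName,email,department,active
10001,Alice,Andersen,alice.andersen@example.com,Finance,true
10002,Bob,Berg,bob.berg@example.com,IT,false
"""

def row_to_operation(row, bulk_id):
    """Map one CSV row to a SCIM bulk operation; employeeId becomes externalId,
    which the provisioning ruleset uses to match existing users."""
    for required in ("employeeId", "email"):
        if not row.get(required):
            raise ValueError(f"row {bulk_id}: missing required column {required!r}")
    return {
        "method": "POST", "bulkId": bulk_id, "path": "/Users",
        "data": {
            "schemas": [USER_SCHEMA, ENTERPRISE_SCHEMA],
            "externalId": row["employeeId"],
            "userName": row["email"],
            "active": row.get("active", "true").strip().lower() == "true",
            "name": {"givenName": row["firstName"], "familyName": row["lastName"]},
            "emails": [{"primary": True, "type": "work", "value": row["email"]}],
            ENTERPRISE_SCHEMA: {"employeeNumber": row["employeeId"], "department": row["department"]},
        },
    }

def build_bulk_request(csv_text):
    """Build the BulkRequest body for the whole CSV (step 2 of the workflow)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    ops = [row_to_operation(r, str(i + 1)) for i, r in enumerate(rows)]
    return {"schemas": [BULK_SCHEMA], "Operations": ops, "failOnErrors": None}

def upload(endpoint_url, token, body):
    """POST to the unique endpoint copied from the app overview blade; HTTPS only."""
    if urlparse(endpoint_url).scheme != "https":
        raise ValueError("provisioning endpoint must use https")
    req = urllib.request.Request(endpoint_url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/scim+json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status  # 202 Accepted means the payload was queued for the ruleset
```

The token must come from an app registration that has been granted the provisioning upload permission; keep it out of the CSV and out of your logs.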

Talking to the provisioning agent

When you set up the provisioning service and register the required applications in AAD/Microsoft Entra, you receive a unique API endpoint, which you can copy from the application overview blade.

This URL is your unique way of communicating with the endpoint. Here is a tutorial that walks you through setting up the API endpoint.

License requirements for API-driven provisioning

In order to use this feature you need a Microsoft Entra ID P1 license, formerly known as an Azure AD P1 license. This may change once the feature becomes generally available; at the time of writing it is only in public preview.

References

Introducing a New Flexible Way of Bringing Identities from Any Source into Microsoft Entra ID!
Bring identity data from any authoritative source to automate your joiner-mover-leaver lifecycle.
