This article is contributed. See the original author and article here.
Hello everyone,
I’m thrilled to announce that Microsoft Entra API-driven provisioning is now in public preview!
With today’s announcement, we’re expanding our support for HR-driven provisioning to address the most common customer asks, including:
- Automatically provisioning cloud-only users and hybrid users (users that require an on-premises Active Directory account) from any trusted source
- Importing data from sources like CSV files and SQL staging tables using the automation tool of your choice
- Simplifying the integration by using standard SCIM schema attributes to abstract schema differences across systems and provide a consistent mapping experience
- Leveraging Lifecycle Workflows to automate joiner-mover-leaver workflows for users sourced from any system of record
In one common customer scenario, organizations use a cloud human capital management (HCM) platform for managing employees and extracting nightly flat files/CSVs to manage vendor and contractor data. Both of these sources can send information to Microsoft Entra API-driven provisioning using your automation tool of choice. Then, the provisioning service will automatically determine the right operation to perform for each user, and Microsoft Entra ID Governance Lifecycle Workflows will automate the joiner-mover-leaver processes configured by your IAM admin.
Let’s walk through the steps involved in configuring this integration.
Bring identities into your directory from any source in three easy steps
Step 1 – Configure API-driven provisioning app
In the Microsoft Entra Portal, sign in as a user with the Application Administrator and Hybrid Identity Administrator roles. You will see two new provisioning applications in the Enterprise App gallery:
- API-driven provisioning to Microsoft Entra ID: Configure this app if you’d like to provision cloud-only user accounts from your authoritative source.
- API-driven provisioning to on-premises Active Directory: Configure this app if you’d like to provision user accounts first to your on-premises Active Directory and then sync them into Microsoft Entra ID using Microsoft Entra Cloud Sync / Connect Sync.
If your provisioning target is an on-premises Active Directory domain, download and configure the Microsoft Entra provisioning agent. Once configured, you can select the Active Directory domain in the provisioning app.
By default, the provisioning app maps attributes from the standard SCIM Core User schema and the SCIM Enterprise User schema extension to the corresponding Microsoft Entra ID / on-premises Active Directory user attributes.
The Microsoft Entra provisioning service creates a unique API endpoint for your provisioning app. You can copy this API endpoint from the “Overview” blade. Select “Start provisioning” to accept inbound provisioning requests at this API endpoint.
The inbound provisioning API endpoint has the format:
where {servicePrincipalId} is the object ID of your provisioning app and {jobId} is the provisioning job id.
Step 2 – Grant permission to your application or service to upload identity data
In this step, you create an entity in Microsoft Entra ID that represents your application or service calling the inbound provisioning API and grant it the necessary permissions. You can use one of the following options:
Grant the following Graph API permissions with admin consent:
- SynchronizationData-User.Upload
- AuditLog.Read.All
Step 3 – Upload identity data using any automation tool of your choice
You can now securely upload identity data to the provisioning /bulkUpload API endpoint. The great thing about API-driven provisioning is that you don’t need to implement custom logic to figure out whether an operation in your system of record requires creating or updating an identity. Just upload the data from your source systems and the Microsoft Entra provisioning service will automatically determine the right operation to perform for each user record based on mapping rules configured by your IAM admin.
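As an added example (not code from the article or from Microsoft's own samples), the script below carries Steps 1 to 3 through in Python: it maps a constructed HR CSV extract onto SCIM Core User and Enterprise User extension attributes, wraps every row in a SCIM BulkRequest, and posts it to the provisioning app's /bulkUpload endpoint. Assumptions: the worker rows and contoso.example addresses are fictional, the bearer token has already been obtained for the app granted SynchronizationData-User.Upload, and the endpoint URL follows the Graph beta format as documented by Microsoft rather than anything quoted on this page.

```python
import csv
import io
import json
import uuid
import urllib.request

# Constructed sample HR extract (fictional workers, not taken from the article).
SAMPLE_CSV = """WorkerID,FirstName,LastName,Email,Department,ManagerID,Status
701984,Barbara,Jensen,bjensen@contoso.example,Tooling,89607,Active
701985,Arun,Mehta,amehta@contoso.example,Finance,,Terminated
"""
CORE = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
BULK = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"

def row_to_scim_user(row):
    """Map one HR row onto SCIM Core User + Enterprise extension attributes."""
    if not row["WorkerID"] or not row["Email"]:
        raise ValueError("WorkerID and Email are required (matching key and userName)")
    user = {
        "schemas": [CORE, ENTERPRISE],
        "externalId": row["WorkerID"],   # the app's default matching attribute
        "userName": row["Email"],
        "name": {"givenName": row["FirstName"], "familyName": row["LastName"]},
        "active": row["Status"].strip().lower() == "active",  # leavers arrive disabled
        "emails": [{"value": row["Email"], "type": "work", "primary": True}],
        ENTERPRISE: {"employeeNumber": row["WorkerID"], "department": row["Department"]},
    }
    if row["ManagerID"]:  # optional: only emit the manager reference when HR supplies one
        user[ENTERPRISE]["manager"] = {"value": row["ManagerID"]}
    return user

def build_bulk_request(csv_text):
    """Wrap every row as a POST /Users operation; the service decides create vs. update."""
    ops = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ops.append({"method": "POST", "bulkId": str(uuid.uuid4()),
                    "path": "/Users", "data": row_to_scim_user(row)})
    return {"schemas": [BULK], "Operations": ops, "failOnErrors": None}

def upload(service_principal_id, job_id, access_token, bulk_request):
    """POST the bulk request to the provisioning app's /bulkUpload endpoint (URL format
    assumed from the Graph beta docs). The service accepts asynchronously (HTTP 202);
    review the provisioning logs afterwards to see what each record resolved to."""
    url = (f"https://graph.microsoft.com/beta/servicePrincipals/{service_principal_id}"
           f"/synchronization/jobs/{job_id}/bulkUpload")
    req = urllib.request.Request(url, data=json.dumps(bulk_request).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {access_token}",
                                          "Content-Type": "application/scim+json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Run `build_bulk_request(SAMPLE_CSV)` offline to inspect the payload before wiring `upload` into your scheduler; a terminated worker is sent with `active: false` rather than omitted, so the provisioning service can disable the account instead of leaving it untouched.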
Unlock more integration scenarios
In the set of steps above, we showed you how to provision to Microsoft Entra ID in the cloud, and to Active Directory on-premises. You can apply these steps to implement several enterprise HR integration scenarios.
Scenario 1: IT teams can import HR data extracts from any source
Flat files, CSV files and SQL staging tables are commonly used in enterprise integration scenarios. Employee, contractor, and vendor information is periodically exported into one of these formats, and an automation tool is used to sync this data with Microsoft Entra ID. With API-driven provisioning, IT teams can use any automation tool of their choice (for example, PowerShell scripts or Azure Logic Apps) to modernize and simplify this integration.
Scenario 2: HR ISVs can build direct inbound sync with Microsoft Entra ID
With API-driven provisioning, HR ISVs can ship native synchronization experiences so that changes in the HR system automatically flow into Microsoft Entra ID and connected on-premises Active Directory domains. For example, an HR app or a student information system can send data to Microsoft Entra ID as soon as a transaction is complete, or as an end-of-day bulk update.
Scenario 3: System integrators can build more connectors to systems of record
System integrators can build custom HR connectors to meet different integration requirements around identity data flow from systems of record to Microsoft Entra ID.
What customers and partners are telling us
We got some great feedback from customers and partners like you during the previews.
Microsoft Entra API-driven provisioning will allow us to achieve our cloud-first vision by provisioning identity directly in the cloud and on-premises, integrating with our HR application. We will be able to remove legacy infrastructure and automate many fragmented workflows and reduce dependency on on-premises Active Directory infrastructure. This will enhance our security, efficiency, and user experience.
Sachin Desai, Sr. Director at Avanade Inc.
With API-driven provisioning, HR has better control over the identity lifecycle & data in Active Directory and Microsoft Entra ID. When combined with Lifecycle Workflows, onboarding and offboarding becomes easy and seamless, and with that, no more manual work and always an up-to-date identity!
Pim Jacobs, Principal Consultant at InSpark and Microsoft Most Valuable Professional (MVP)
Microsoft Entra API-driven inbound provisioning is a game changer for customers constrained by existing technologies, opening the possibility for any customer to start the journey for joiner, mover, and leaver automation.
Martyn Gill, Senior Architect and Team Lead at Kocho
With API-driven provisioning, our customers can link employee information in SmartHR with Microsoft Entra ID. This will reduce the time and effort required to manage accounts as employees join, move, or leave the company. SmartHR is excited to partner with Microsoft in building this integration!
Takumi Kanzaki, Product Engineer at SmartHR
Rippling gives businesses one place to run HR, IT, and Finance by automating payroll, expenses, and benefits in one integrated platform. With Microsoft Entra API-driven provisioning, we can now extend this automation to streamline access to more workforce apps, regardless of whether it’s in the cloud or on-premises. We look forward to enabling this seamless experience for our customers by partnering with Microsoft!
Sam Gnesin, Product Lead at Rippling
Give it a try
With this new capability, you now have even more flexibility in how you keep identity data in sync with your authoritative sources, regardless of whether they are hosted in the cloud or on-premises. Working with your HR/IT teams, you can select from a range of automation tools like Azure Logic Apps, Power Automate, Azure Functions or Azure Data Factory to retrieve, transform and merge HR data and simply upload the data to the new provisioning API endpoint.
To quickly configure and evaluate API-driven provisioning with your favorite API testing tool, refer to one of these tutorials:
To get started with your favorite automation tools, refer to one of these samples:
- Implement API-driven provisioning with PowerShell
- Implement API-driven provisioning with Azure Logic Apps
The API-driven provisioning feature is in preview, and you can start using it if you have Microsoft Entra ID P1 (formerly Azure AD Premium P1) license or above. Licensing terms will be released at general availability.
Have more questions? Check out our frequently asked questions to see if it’s answered there.
We’d love to hear your feedback along the way! Share your feedback through the Azure forum or by tagging @AzureAD on Twitter.
Joseph Dadzie, Partner Director of Product Management
LinkedIn: @joedadzie
Twitter: @joe_dadzie
Learn more about Microsoft Entra:
- Related Articles:
  - Explore New Product Announcements for Microsoft Entra
  - Microsoft Entra new feature and change announcements
  - See recent Microsoft Entra blogs
  - Dive into Microsoft Entra technical documentation
  - Join the conversation on the Microsoft Entra discussion space and Twitter
  - Learn more about Microsoft Security
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.