Introducing a New Flexible Way of Bringing Identities from Any Source into Microsoft Entra ID!

Hello everyone,
I'm thrilled to announce that Microsoft Entra API-driven provisioning is now in public preview!
With today's announcement, we're expanding our support for HR-driven provisioning to address the most common customer asks, including:

  • Automatically provisioning cloud-only users and hybrid users (users that require an on-premises Active Directory account) from any trusted source
  • Importing data from sources like CSV files and SQL staging tables using the tool of your choice
  • Simplifying the integration by using standard SCIM schema attributes to abstract schema differences across systems and provide a consistent mapping experience
  • Leveraging Lifecycle Workflows to automate joiner-mover-leaver workflows for users sourced from any system of record

In one common customer scenario, organizations use a cloud human capital management (HCM) platform for managing employees and extracting nightly flat files/CSVs to manage vendor and contractor data. Both of these sources can send information to Microsoft Entra API-driven provisioning using your tool of choice. Then, the provisioning service will automatically determine the right operation to perform for each user, and Microsoft Entra ID Governance Lifecycle Workflows will automate the joiner-mover-leaver processes configured by your IAM admin.
Figure 1: Microsoft Entra API-driven provisioning data flowFigure 1: Microsoft Entra API-driven provisioning data flow
Let's walk through the steps involved in configuring this integration.

Bring identities into your directory from any source in three easy steps 

Step 1 – Configure API-driven provisioning app 

In the Microsoft Entra Portal, sign in as a user with Application Administrator and Hybrid Identity Administrator role. You will see two new provisioning applications in the Enterprise App gallery:

  • API-driven provisioning to Microsoft : Configure this app if you'd like to provision cloud-only user accounts from your authoritative source.
  • API-driven provisioning to on-premises Active Directory: Configure this app if you'd like to provision user accounts first to your on-premises Active Directory and then sync them into Microsoft using Microsoft Entra Cloud Sync / Connect Sync.

If your provisioning target is an on-premises Active Directory domain, download and configure the Microsoft Entra provisioning agent. Once configured, you can select the Active Directory domain in the provisioning app.
Figure 2: Connect to your on-premises Active Directory domainFigure 2: Connect to your on-premises Active Directory domain
By default, the provisioning app maps attributes from the standard SCIM Core User schema and the SCIM Enterprise User schema extension to the corresponding Microsoft Entra ID / on-premises Active Directory user attributes.
Figure 3: SCIM schema attributes to on-premises Active Directory attribute mappingFigure 3: SCIM schema attributes to on-premises Active Directory attribute mapping
The Microsoft Entra provisioning service creates a unique API endpoint for your provisioning app. You can copy this API endpoint from the “Overview” blade. Select “Start provisioning” to accept inbound provisioning requests at this API endpoint.
Figure 4:API endpoint for your provisioning appFigure 4:API endpoint for your provisioning app
The inbound provisioning API endpoint has the format: 
https://graph.microsoft.com/beta/servicePrincipals/{servicePrincipalId}/synchronization/jobs/{jobId}…
where {servicePrincipalId} is the object ID of your provisioning app and {jobId} is the provisioning job id.

Step 2 – Grant permission to your application or service to upload identity data 

In this step, you create an entity in Microsoft Entra ID that represents your application or service calling the inbound provisioning API and grant it the necessary permissions. You can use one of the following options:
Grant the following Graph API permissions with admin consent:

  • SynchronizationData-User.Upload 
  • AuditLog.Read.All

Figure 5: Permissions required to perform API-driven provisioningFigure 5: Permissions required to perform API-driven provisioning

Step 3 – Upload identity data using any tool of your choice 

You can now securely upload identity data to the provisioning /bulkUpload API endpoint. The great thing about API-driven provisioning is that you don't need to implement custom logic to figure out whether an operation in your system of record requires creating or updating an identity. Just upload the data from your source systems and the Microsoft Entra provisioning service will automatically determine the right operation to perform for each user record based on mapping rules configured by your IAM admin.

Unlock more integration scenarios 

In the set of steps above, we showed you provision to Microsoft Entra ID in the cloud, and to Active Directory on-premises. You can apply these steps to implement several enterprise HR integration scenarios.

Scenario 1: IT teams can import HR data extracts from any source 

Flat files, CSV files and SQL staging tables are commonly used in enterprise integration scenarios. Employee, contractor, and vendor information are periodically exported into one of these formats, and an automation tool is used to sync this data with Microsoft Entra ID. With API-driven provisioning, IT teams can use any automation tool of their choice (example: PowerShell or Azure Logic Apps) to modernize and simplify this integration.

Scenario 2: HR ISVs can build direct inbound sync with Microsoft Entra ID 

With API-driven provisioning, HR ISVs can ship native synchronization experiences so that changes in the HR system automatically flow into Microsoft Entra ID and connected on-premises Active Directory domains. For example, an HR app or student information systems app can send data to Microsoft Entra ID as soon as a transaction is complete or as end-of-day bulk update.

Scenario 3: System integrators can build more connectors to systems of record 

System integrators can build custom HR connectors to meet different integration requirements around identity data flow from systems of record to Microsoft Entra ID.

What customers and partners are telling us 

We got some great feedback from customers and partners like you during the previews.

Microsoft Entra API-driven provisioning will allow us to achieve our cloud-first vision by provisioning identity directly in the cloud and on-premises, integrating with our HR application. We will be able to remove legacy infrastructure and automate many fragmented workflows and reduce dependency on on-premises Active Directory infrastructure. This will enhance our security, efficiency, and user experience. 

Sachin Desai, Sr. Director at Avanade Inc.

 

Pim Jacobs, Principal Consultant at InSpark and Microsoft Most Valuable Professional (MVP)

Microsoft Entra API-driven inbound provisioning is a game changer for customers constrained by existing technologies, opening the possibility for any customer to start the journey for joiner, mover, and leaver automation.   

Martyn Gill, Senior Architect and Team Lead at Kocho

With API-driven provisioning, our customers can link employee information in SmartHR with Microsoft Entra ID. This will reduce the time and effort required to manage accounts as employees join, move, or leave the company. SmartHR is excited to partner with Microsoft in building this integration! 

Takumi Kanzaki, Product Engineer at SmartHR

Rippling gives businesses one place to run HR, IT, and Finance by automating payroll, expenses, and benefits in one integrated platform. With Microsoft Entra API-driven provisioning, we can now extend this automation to streamline access to more workforce apps, regardless of whether it's in the cloud or on-premises. We look forward to enabling this seamless experience for our customers by partnering with Microsoft! 

Sam Gnesin, Product Lead at Rippling

Give it a try 

With this new capability, you now have even more flexibility on keep identity data in sync with your authoritative sources, regardless of whether they are hosted in the cloud or on-premises. Working with your HR/IT teams, you can select from a range of automation tools like Azure Logic Apps, PowerAutomate, Azure Functions or Azure Data Factory to retrieve, transform and merge HR data and simply upload the data to the new provisioning API endpoint.

To quickly configure and evaluate API-driven provisioning with your favorite API testing tool, refer to one of these tutorials: 
To get started with your favorite automation tools, refer to one of these samples:  
The API-driven provisioning feature is in preview, and you can start using it if you have Microsoft Entra ID P1 (formerly Premium P1) license or above. Licensing terms will be released at general availability.
Have more questions? Check out our frequently asked questions to see if it's answered there. 
We'd love to hear your feedback along the way! Share your feedback through the Azure forum or by tagging @AzureAD on Twitter. 
Joseph Dadzie, Partner Director of Product Management
LinkedIn: @joedadzie
Twitter: @joe_dadzie
Learn more about Microsoft Entra:

 

This article was originally published by Microsoft's Core Infrastructure and Security Blog. You can find the original article here.