Entra Application Provisioning

Microsoft Entra’s application provisioning platform automates user and group lifecycle management across SaaS applications, on-premises systems, and custom integrations. It supports outbound provisioning via SCIM to cloud apps, inbound provisioning from HR sources via API, and on-premises provisioning through the ECMA connector host. Together, these capabilities cover the full spectrum of identity lifecycle automation beyond directory sync.

Overview

  • Outbound (SCIM): Automatic user/group provisioning to SaaS apps using the SCIM 2.0 protocol, with gallery pre-integrations and custom app support
  • Inbound API: API-driven inbound provisioning from HR systems (Workday, SAP SuccessFactors, custom sources) into Entra ID or on-premises AD
  • On-premises connectors: ECMA connector host for provisioning to LDAP directories, SQL databases, and custom targets that lack cloud APIs
  • Scope: This topic covers the provisioning platform itself; Connect Sync and Cloud Sync handle directory-to-directory sync separately

Contents

Concepts

Quickstarts

  • Configure Provisioning - Gallery app setup walkthrough: credentials, scoping, attribute mappings, on-demand testing
  • Monitoring and Logs - Provisioning logs, quarantine status, Log Analytics integration, alerting patterns

Deep Dives

  • Troubleshooting - Common error patterns, quarantine recovery, attribute mapping debugging, accidental deletion protection
  • Inbound API Provisioning - Architecture, API surface, configuration, client patterns, and troubleshooting for API-driven inbound provisioning
  • On-Premises Connectors - ECMA connector host, provisioning agent, connector types, deployment, and troubleshooting for on-premises targets

Resources