What Is Application Provisioning
Microsoft Entra application provisioning automates user and group lifecycle management across applications. When someone joins, changes roles, or leaves your organization, the provisioning service automatically creates, updates, or removes their accounts in the applications they need (or no longer need) access to.
This is different from directory synchronization. Connect Sync and Cloud Sync handle identity replication between Active Directory and Entra ID. Application provisioning handles identity replication between Entra ID and the applications people use.
The Provisioning Platform
The provisioning platform is a single service that supports several provisioning patterns, each targeting a different integration scenario:
- Gallery app provisioning. Pre-integrated connectors for hundreds of SaaS applications (Salesforce, ServiceNow, Slack, Dropbox, and many more). These use the SCIM 2.0 protocol under the hood but expose a guided setup experience with pre-configured attribute mappings.
- Generic SCIM provisioning. For any application that exposes a SCIM 2.0 endpoint but is not in the gallery. You provide the endpoint URL and credentials; the provisioning service handles the rest.
- On-premises connectors. The provisioning agent plus ECMA connector host allows provisioning to LDAP directories, SQL databases, REST/SOAP APIs, PowerShell-based targets, and custom connectors. No inbound firewall rules are needed; the agent uses outbound-only connections.
- Inbound API-driven provisioning. An API endpoint that accepts bulk identity data from any external system of record (HR platforms, payroll systems, custom databases). The external system pushes data in; the provisioning service processes it.
- HR-driven provisioning. Purpose-built integrations with Workday and SAP SuccessFactors that provision cloud HR data into Entra ID or on-premises AD. (HR-driven provisioning is out of scope for this topic.)
All of these patterns share the same underlying provisioning engine: the same scoping filters, attribute mappings, expression language, matching rules, monitoring, and quarantine behavior apply regardless of the provisioning direction or target.
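To make the shared engine concrete, here is an added example (my code, not Microsoft's and not the provisioning service's implementation) that simulates the SCIM 2.0 exchange the engine performs against a target: `ScimTarget` is a constructed in-memory stand-in for an application's `/Users` endpoint, `provision()` plays the engine's match-then-write loop, and the `changed` stamp with the `watermark` argument is an assumption standing in for the service's change tracking between an initial and an incremental cycle. All user records are constructed.

```python
"""Simulated SCIM 2.0 provisioning exchange (added example, not Microsoft's code).
ScimTarget stands in for an app's /Users endpoint; provision() plays the engine:
look up by the matching attribute, then create, update or deactivate."""
import itertools
import re

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"


class ScimTarget:
    """Minimal in-memory SCIM /Users resource: only the calls the engine makes."""

    def __init__(self):
        self._users = {}                 # id -> stored SCIM User
        self._ids = itertools.count(1)
        self.log = []                    # (method, path): the wire exchange

    def get_users(self, filter_expr):
        # The engine's lookup shape: <attr> eq "<value>"
        self.log.append(("GET", f"/Users?filter={filter_expr}"))
        m = re.fullmatch(r'(\w+) eq "([^"]*)"', filter_expr)
        if not m:
            return {"status": 400, "scimType": "invalidFilter"}
        attr, value = m.groups()
        hits = [u for u in self._users.values() if u.get(attr) == value]
        return {"status": 200, "totalResults": len(hits), "Resources": hits}

    def post_user(self, resource):
        self.log.append(("POST", "/Users"))
        if SCIM_USER not in resource.get("schemas", []) or "userName" not in resource:
            return {"status": 400, "scimType": "invalidValue"}
        if any(u["userName"] == resource["userName"] for u in self._users.values()):
            return {"status": 409, "scimType": "uniqueness"}
        stored = dict(resource, id=str(next(self._ids)))
        self._users[stored["id"]] = stored
        return {"status": 201, **stored}

    def patch_user(self, user_id, operations):
        self.log.append(("PATCH", f"/Users/{user_id}"))
        user = self._users.get(user_id)
        if user is None:
            return {"status": 404}
        for op in operations:            # only "replace" on a top-level attribute
            if op["op"].lower() == "replace":
                user[op["path"]] = op["value"]
        return {"status": 200, **user}


def to_scim(user):
    """Fixed attribute mapping: Entra user attributes -> SCIM User attributes."""
    return {
        "schemas": [SCIM_USER],
        "externalId": user["objectId"],
        "userName": user["userPrincipalName"],   # matching attribute on both sides
        "displayName": user["displayName"],
        "active": user["accountEnabled"],
    }


def provision(source_users, target, watermark=None):
    """One cycle: full when watermark is None, else only users changed after it."""
    summary = {"created": 0, "updated": 0, "deactivated": 0, "skipped": 0, "failed": 0}
    for user in source_users:
        if watermark is not None and user["changed"] <= watermark:
            continue                                   # untouched since last cycle
        desired = to_scim(user)
        if not user["inScope"]:
            desired["active"] = False                  # out of scope: disable, keep record
        hits = target.get_users(f'userName eq "{desired["userName"]}"').get("Resources", [])
        if len(hits) > 1:
            summary["skipped"] += 1                    # ambiguous match: never pick blindly
            continue
        if not hits:
            if not user["inScope"]:
                summary["skipped"] += 1                # never existed there: nothing to disable
            elif target.post_user(desired)["status"] == 201:
                summary["created"] += 1
            else:
                summary["failed"] += 1                 # repeated failures feed quarantine
            continue
        existing = hits[0]
        ops = [{"op": "replace", "path": k, "value": desired[k]}
               for k in ("displayName", "active") if existing.get(k) != desired[k]]
        key = "deactivated" if existing.get("active") and not desired["active"] else "updated"
        if not ops:
            continue                                   # already in the desired state
        if target.patch_user(existing["id"], ops)["status"] == 200:
            summary[key] += 1
        else:
            summary["failed"] += 1
    return summary


# Constructed Entra-side users; "changed" is a monotonically increasing change stamp.
SOURCE = [
    {"objectId": "u-001", "userPrincipalName": "alice@contoso.example",
     "displayName": "Alice Lee", "accountEnabled": True, "inScope": True, "changed": 1},
    {"objectId": "u-002", "userPrincipalName": "bob@contoso.example",
     "displayName": "Bob Ray", "accountEnabled": True, "inScope": True, "changed": 1},
]


def run_scenario():
    """Initial cycle creates both; Bob then leaves scope and the incremental cycle
    (watermark 1) deactivates only him, never touching Alice."""
    target = ScimTarget()
    initial = provision(SOURCE, target)
    bob_left = dict(SOURCE[1], inScope=False, changed=2)
    incremental = provision([SOURCE[0], bob_left], target, watermark=1)
    return initial, incremental, target
```

Call `run_scenario()` and inspect `target.log` to see the exchange: two GET/POST pairs in the initial cycle, then one GET/PATCH in the incremental cycle. Two design choices worth noting for review: an out-of-scope user is disabled with `active: false` rather than deleted, so the account can be audited or restored, and a lookup that returns more than one match is skipped rather than guessed, because writing to the wrong account is worse than writing to none.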
Platform Architecture
```mermaid
architecture-beta
group sources(server)[Identity Sources]
group platform(cloud)[Entra Provisioning Platform]
group targets(server)[Provisioning Targets]
service entra(database)[Entra ID] in sources
service hr(server)[HR Systems] in sources
service api(server)[External APIs] in sources
service engine(server)[Provisioning Engine] in platform
service scoping(server)[Scoping and Mappings] in platform
service logs(server)[Logs and Monitoring] in platform
service gallery(server)[Gallery SaaS Apps] in targets
service scimapp(server)[SCIM Endpoints] in targets
service onprem(server)[On-Prem Systems] in targets
entra:R --> L:engine
hr:R --> L:engine
api:R --> L:engine
engine:R --> L:scoping
scoping:T --> B:logs
scoping:R --> L:gallery
scoping:R --> L:scimapp
scoping:R --> L:onprem
```
The provisioning engine sits at the center. It reads from identity sources (Entra ID for outbound, HR systems or external APIs for inbound), applies scoping filters and attribute mappings, and writes to provisioning targets.
How It Relates to Hybrid Sync
Application provisioning and hybrid directory sync solve different problems:
| Aspect | Hybrid Sync (Connect / Cloud Sync) | Application Provisioning |
|---|---|---|
| What it syncs | Identities between AD and Entra ID | Identities between Entra ID and applications |
| Direction | Bidirectional (AD to Entra, Entra to AD) | Outbound (Entra to apps) or inbound (apps/HR to Entra) |
| Protocol | Proprietary sync engine or SCIM-based agent | SCIM 2.0, ECMA connectors, or REST API |
| Scope | Directory objects (users, groups, devices, contacts) | User and group accounts in target applications |
| Configuration | Sync rules, join/projection rules | Attribute mappings, scoping filters |
They complement each other. In a typical hybrid environment, Connect Sync or Cloud Sync brings identities from AD into Entra ID, and then application provisioning pushes those identities out to SaaS applications.
Cloud Sync also supports group provisioning to Active Directory, which writes Entra ID security groups back to on-premises AD. This is a Cloud Sync capability, not application provisioning, but uses the same underlying provisioning agent infrastructure.
Key Concepts
Several concepts recur throughout the provisioning platform:
- Scoping filters. Attribute-based rules that determine which users are in scope for provisioning. Clauses within a filter use AND logic; multiple filters use OR logic.
- Attribute mappings. Definitions of how attributes flow from source to target. Supports direct mappings, constant values, and expression-based transformations.
- Matching rules. Rules that determine whether a user in the source system corresponds to an existing user in the target system. Usually based on a unique identifier like email or employee ID.
- Provisioning cycles. The service runs an initial cycle (full evaluation of all in-scope users) followed by incremental cycles (only changes since the last watermark). Incremental cycles run approximately every 40 minutes.
- Quarantine. If too many operations fail consistently, the provisioning job enters quarantine, reducing cycle frequency to once per day. If unresolved for four weeks, the job is disabled.
- On-demand provisioning. A testing feature that lets you provision a single user immediately to validate your configuration before starting the full service.
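The AND-within-a-filter, OR-across-filters rule is the one most often misread, so here is an added example (my code, not Microsoft's) that evaluates constructed scoping filters against constructed users. The operator names mirror the portal's labels; the evaluation logic, including the choice that a missing or cleared attribute matches no clause, is this example's own, and it is exactly the kind of behaviour on-demand provisioning exists to confirm against a single user before a filter goes live.

```python
"""Scoping-filter evaluation (added example, not Microsoft's code). Clauses inside one
filter are ANDed, separate filters are ORed. Operator names follow the portal labels;
the evaluation rules and every user and filter below are constructed."""
import re


def clause_matches(user, attr, op, value=None):
    """One clause. A missing or empty attribute matches nothing, so clearing an
    attribute a filter depends on takes the user out of scope (and so out of the app)."""
    actual = user.get(attr)
    if op == "EQUALS":
        return actual is not None and actual == value
    if op == "NOT EQUALS":
        return actual is not None and actual != value
    if op == "IS TRUE":
        return actual is True                      # strict boolean, not the string "True"
    if op == "IS NOT NULL":
        return actual not in (None, "")
    if op == "REGEX MATCH":
        return actual is not None and re.search(value, str(actual)) is not None
    raise ValueError(f"unsupported operator {op!r}")


def in_scope(user, filters):
    """filters: a list of filters, each a list of (attr, op[, value]) clauses.
    all() implements AND inside a filter, any() implements OR across filters."""
    return any(all(clause_matches(user, *clause) for clause in f) for f in filters)


def evaluate(users, filters):
    return {u["userPrincipalName"]: in_scope(u, filters) for u in users}


def scope_delta(before, after):
    """Users entering scope get provisioned; users leaving scope get deprovisioned."""
    entered = sorted(u for u in after if after[u] and not before.get(u, False))
    left = sorted(u for u in before if before[u] and not after.get(u, False))
    return entered, left


# Filter 1: enabled engineers. Filter 2: pilot-tagged users who have an employee ID.
FILTERS = [
    [("department", "EQUALS", "Engineering"), ("accountEnabled", "IS TRUE")],
    [("extensionAttribute1", "REGEX MATCH", r"^(Slack|SaaS)-pilot$"),
     ("employeeId", "IS NOT NULL")],
]

# Constructed Entra-side users.
USERS = [
    {"userPrincipalName": "alice@contoso.example", "department": "Engineering",
     "accountEnabled": True, "employeeId": "E1"},
    {"userPrincipalName": "bob@contoso.example", "department": "Engineering",
     "accountEnabled": False, "extensionAttribute1": "Slack-pilot", "employeeId": "E2"},
    {"userPrincipalName": "carol@contoso.example", "department": "Sales",
     "accountEnabled": True, "extensionAttribute1": "Slack-pilot", "employeeId": None},
    {"userPrincipalName": "dave@contoso.example", "department": "Sales",
     "accountEnabled": True, "extensionAttribute1": "Dropbox-pilot", "employeeId": "E4"},
]


def run_scenario():
    """Evaluate once, then clear Alice's department (a bad HR data fix) and re-evaluate:
    she leaves scope, which is what would drive her deprovisioning in the next cycle."""
    before = evaluate(USERS, FILTERS)
    alice_cleared = dict(USERS[0], department=None)
    after = evaluate([alice_cleared, *USERS[1:]], FILTERS)
    return before, after, scope_delta(before, after)
```

Running `run_scenario()` shows Alice in scope through filter 1 alone, Bob in scope only through filter 2 (he is disabled, so filter 1 fails), Carol and Dave out of scope because one clause of filter 2 fails for each, and then Alice leaving scope as soon as her department is cleared. That last transition is the one to watch in production: a scoping filter on an attribute that HR data can blank out turns a data-quality error into a deprovisioning event.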
Each of these is covered in detail in later pages. The next concept page explains how the provisioning engine processes cycles and applies rules: How Provisioning Works.