Configure Application Provisioning
This quickstart walks through configuring automatic user provisioning for a gallery application. The same general steps apply to generic SCIM apps, though gallery apps have the advantage of pre-configured attribute mappings.
Prerequisites
- An Entra ID P1 or P2 license (required for automatic provisioning).
- Application Administrator or Cloud Application Administrator role.
- The target application added to your tenant as an enterprise application.
- Admin credentials for the target application (varies by app: API token, OAuth credentials, or admin username/password).
Step 1: Add the Application
- Sign in to the Microsoft Entra admin center.
- Navigate to Entra ID > Enterprise apps > New application.
- Search the gallery for your application (e.g., “ServiceNow” or “Salesforce”).
- Select the application and click Create.
If your application is not in the gallery, select Create your own application and choose “Integrate any other application you don’t find in the gallery.” See Gallery vs SCIM for guidance on this path.
Step 2: Configure Provisioning Mode
- Open the enterprise application you just added.
- Select the Provisioning tab.
- Set the Provisioning Mode to Automatic.
This reveals the full provisioning configuration interface: admin credentials, mappings, settings, and status controls.
Step 3: Enter Admin Credentials
- Expand the Admin Credentials section.
- Enter the Tenant URL and Secret Token (or other credentials required by the application).
- Click Test Connection to verify that Entra ID can reach the application’s provisioning endpoint.
If the test fails, check:
- The credentials are correct and have sufficient permissions.
- The tenant URL is correct (some apps require a specific subdomain or API path).
- Network connectivity allows outbound HTTPS from the Entra provisioning service to the application.
Each gallery app has a specific setup tutorial that documents the exact credentials format. Check the application’s tutorial in the Microsoft Learn documentation.
Step 4: Configure Scoping
Expand the Settings section and set the Scope:
- Sync only assigned users and groups (recommended): Only users explicitly assigned to the app, or members of assigned groups, are provisioned. This is the safest starting point.
- Sync all users and groups: Provisions every user in the directory. Use only when you genuinely need all users in the target app.
Adding Scoping Filters (Optional)
For more granular control, add attribute-based scoping filters:
- Go to Mappings and select the user mapping (e.g., “Synchronize Microsoft Entra users to ServiceNow”).
- Click Source object scope.
- Click Add scoping filter.
- Define clauses (attribute, operator, value). For example:
  - department EQUALS Engineering
  - accountEnabled IS TRUE
- Give the filter a name and save.
Clauses within a single filter use AND logic (all must be true). Multiple filters use OR logic (any filter passing is sufficient).
Important: Saving a new scoping filter triggers a full re-evaluation of all users, similar to an initial cycle. Users that no longer match the new filter will be deprovisioned in the target application.
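The following is an added example, not code from Microsoft or from this guide, that models the filter logic described above: clauses inside one filter are ANDed, separate filters are ORed, and saving a new filter re-evaluates every user. The user records are constructed samples, and the operator semantics (exact string comparison for EQUALS, Python booleans for IS TRUE) are a simplification of the admin-center behaviour rather than a verified reproduction of it. The `scope_change_impact` helper is hypothetical and exists only to show which users a filter change would newly bring into scope and which it would drop, the latter being the set that the re-evaluation would deprovision.

```python
"""Scoping-filter evaluation: AND within a filter, OR across filters.

Added example; operator names follow the scoping-filter UI, the users below
are constructed samples, and comparison semantics are simplified.
"""
import re

# Constructed sample of source users (only the attributes the filters read).
USERS = [
    {"userPrincipalName": "alice@contoso.example", "department": "Engineering", "accountEnabled": True},
    {"userPrincipalName": "bob@contoso.example", "department": "Engineering", "accountEnabled": False},
    {"userPrincipalName": "carol@contoso.example", "department": "Sales", "accountEnabled": True},
    {"userPrincipalName": "dave@contoso.example", "department": None, "accountEnabled": True},
]

# A filter is a list of clauses; a clause is (attribute, operator[, value]).
ENGINEERING_ENABLED = [
    [("department", "EQUALS", "Engineering"), ("accountEnabled", "IS TRUE")],
]
SALES = [[("department", "EQUALS", "Sales")]]


def clause_matches(user, attr, op, value=None):
    """Evaluate one clause with a subset of the operators offered in the UI."""
    actual = user.get(attr)
    if op == "EQUALS":
        return actual == value
    if op == "NOT EQUALS":
        return actual != value
    if op == "IS TRUE":
        return actual is True
    if op == "IS FALSE":
        return actual is False
    if op == "IS NULL":
        return actual is None
    if op == "IS NOT NULL":
        return actual is not None
    if op == "REGEX MATCH":
        return actual is not None and re.search(value, str(actual)) is not None
    raise ValueError(f"unsupported operator: {op}")


def filter_matches(user, clauses):
    """All clauses of a single filter must hold (AND)."""
    return all(clause_matches(user, *clause) for clause in clauses)


def in_scope(user, filters):
    """A user is in scope when any filter passes (OR); no filters means everyone is in scope."""
    if not filters:
        return True
    return any(filter_matches(user, clauses) for clauses in filters)


def scope_change_impact(users, old_filters, new_filters):
    """Hypothetical helper: UPNs newly in scope and UPNs that drop out of scope
    when old_filters is replaced by new_filters. The second list is what a full
    re-evaluation would deprovision in the target application."""
    added = [u["userPrincipalName"] for u in users
             if not in_scope(u, old_filters) and in_scope(u, new_filters)]
    removed = [u["userPrincipalName"] for u in users
               if in_scope(u, old_filters) and not in_scope(u, new_filters)]
    return added, removed


if __name__ == "__main__":
    # Going from "no filter" to the Engineering filter drops three of four users.
    print(scope_change_impact(USERS, [], ENGINEERING_ENABLED))
    # Adding a second filter (OR) brings Sales back in.
    print(scope_change_impact(USERS, ENGINEERING_ENABLED, ENGINEERING_ENABLED + SALES))
```

Run the impact check against a copy of your real filter definitions before saving a new filter; the "removed" list is the set of accounts the next cycle would deprovision.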
Step 5: Configure Attribute Mappings
- In the Mappings section, select the user provisioning mapping.
- Review the default attribute mappings. Gallery apps come with sensible defaults.
- Customize as needed:
  - Edit a mapping to change the source attribute, mapping type, or matching precedence.
  - Add New Mapping to include attributes not in the defaults.
  - Delete mappings for attributes you do not want to sync.
Key mapping decisions:
- Matching attribute: Ensure at least one mapping has matching precedence set (usually userPrincipalName to userName, or mail to emails[type eq "work"].value). This is how the engine determines whether to create or update.
- Expression mappings: Use these when you need to transform data. For example, Join(".", [givenName], [surname]) to construct a username, or Switch([department], "default", "Sales", "sales-team", "Engineering", "eng-team") for conditional values.
- Target object actions: Under each mapping, check the boxes for which operations the provisioning service should perform: Create, Update, and/or Delete.
Group Mappings
If the target application supports group provisioning, a separate group mapping appears in the Mappings section. Enable it if you need groups provisioned alongside users. Review the group attribute mappings (typically displayName and members).
Step 6: Test with On-Demand Provisioning
Before starting the full provisioning service, test your configuration with a single user:
- Navigate to Provisioning > Provision on demand.
- Search for a user by name or UPN.
- Click Provision.
- Review the results. The provisioning steps show exactly what the engine did: scoping evaluation, matching, attribute mapping resolution, and the operation sent to the target.
On-demand provisioning uses the same code path as the full service. If it works here, it will work in the automated cycles. If it fails, the error details point to exactly what needs fixing.
Common on-demand testing scenarios:
- Test a user who should be created (not yet in the target system).
- Test a user who should be matched and updated (already exists in the target).
- Test a user who should be skipped (out of scope).
Step 7: Start the Provisioning Service
- Go to the Provisioning tab.
- Set Provisioning Status to On.
- Click Save.
The service runs an initial cycle, evaluating all in-scope users. After the initial cycle completes, incremental cycles run approximately every 40 minutes.
Monitor progress in the Current Status section at the bottom of the Provisioning page. The progress bar shows:
- Number of users provisioned.
- Whether the initial cycle is complete.
- Whether the job is in quarantine.
Step 8: Assign Users
If scoping is set to “assigned users and groups only,” you need to assign users:
- Navigate to the application’s Users and groups tab.
- Click Add user/group.
- Select users or groups and assign them.
Provisioning will pick up newly assigned users in the next incremental cycle.
What Happens Next
After provisioning is running:
- Monitor health using the provisioning progress bar and provisioning logs. See Monitoring and Logs.
- Watch for quarantine status, which indicates persistent failures that need attention.
- Adjust mappings as needed based on what you see in the provisioning logs.
Quick Reference: Gallery App Setup Checklist
- Add the gallery app to your enterprise applications.
- Set provisioning mode to Automatic.
- Enter and test admin credentials.
- Set scoping to “assigned users and groups.”
- Review and customize attribute mappings.
- Test with on-demand provisioning.
- Assign users and groups.
- Start the provisioning service.
- Monitor the initial cycle completion.