Cybersecurity Data & Analytics Digital Workspace Cloud Infrastructure Application Development Artificial Intelligence
Services Overview
Workshops Assessments Masterminds Technical Solutions Manager Cybersecurity Advisory Program Implementation Project Management Staffing
Insights Security Videos News Events
Why Alchemy Partners Team Awards Careers Contact Us
Blog | Insights June 6, 2024

Provisioning Active Directory Accounts with EntraID

Provisioning Active Directory Accounts with EntraID

Meeting the provisioning requirements of an organization can be a challenge. EntraID often meets these needs but has historically failed to provision cloud accounts into Active Directory. Although some SaaS applications like Workday have built-in connectors to handle this task, EntraID has lacked this capability until now.

This blog post outlines the prerequisites and steps required to set up EntraID to provision cloud accounts into Active Directory.

Prerequisites:

  1. Access to the EntraID portal with Application Administrator and Hybrid Identity Administrator roles.
  2. A domain-joined Windows server to install and configure the provisioning agent.

Step 1 – Create the Provisioning application

  1. From the Entra ID portal, create a new Enterprise Application.
  2. Search for: “API-driven provisioning to on-premises Active Directory.”
  3. Once the application has been created, select the “Provisioning” option.

Step 2 – Configure Inbound provisioning to Active Directory

  1. Select “Getting Started,” set the provisioning mode to “Automatic,” and enter the necessary domain and OU information.
  2. Select the option to view on-premises agents.
  3. Download and configure the provisioning agent on the on-premises domain joined server.NOTE: The instructions for configuring this agent are located here: https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/how-to-install
  4. Test the connection to make sure EntraID can connect to the provisioning agent.
  5. Expand the mappings section, select the hyperlink, and review the default mappings.
  6. Expand the settings section and enter a valid email address.
  7. The last step is to grant access to the inbound provisioning API. Those steps are documented here: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/inbound-provisioning-api-grant-access.

Following these steps, you can effectively set up EntraID to provision cloud accounts into Active Directory, ensuring your organization’s needs are met efficiently and reliably.

Author

Author avatar Alchemy Author
Share

More Articles

Insights
Jul 3, 2025

From Visibility to Action: How CAASM and CTEM Are Helping Security Teams Take Control

pete-downing avatar Pete Downing
Insights
Jul 2, 2025

IAM Redefined: How Okta Is Leading the Charge in Identity Security

pete-downing avatar Pete Downing
Insights
Jul 1, 2025

Microsoft’s 2025 Enterprise Agreement Changes: What IT Leaders Need to Know Now