--- title: Provision users from Microsoft Entra description: "Estimated time to complete: 30 minutes" component: pingoneaic page_id: pingoneaic:use-cases:use-case-provision-from-entra-id canonical_url: https://docs.pingidentity.com/pingoneaic/use-cases/use-case-provision-from-entra-id.html keywords: ["Implementation Guide", "Reconciliation", "Synchronization", "Use Case"] page_aliases: ["implementation:use-case-provision-from-entra-id.adoc"] section_ids: from-entraid-desc: Description from-entraid-goals: Goals from-entraid-preqs: Prerequisites from-entraid-tasks: Tasks from-entraid-task1: "Task 1: Create a Microsoft Entra application" from-entraid-task2: "Task 2: Create a Microsoft Entra ID test user account" from-entraid-task3: "Task 3: Configure Microsoft Entra as an authoritative identity data source" from-entraid-task4: "Task 4: Configure reconciliation" from-entraid-mapping: Mapping from-entraid-recon: Reconciliation situations from-entraid-task5: "Task 5: Prepare reconciliation for validation" from-entraid-validation: Validation from-entraid-steps: Steps from-entraid-init-recon: Initial reconciliation from-entraid-incremental-recon: Incremental reconciliation from-entraid-video: Video of validation from-entraid-explore: Explore further from-entraid-ref: Reference material --- # Provision users from Microsoft Entra ## Description Estimated time to complete: 30 minutes *(tooltip: This assumes you complete the prerequisites beforehand.)* In this use case, you provision accounts from Microsoft Entra ID (formerly Azure AD) into Advanced Identity Cloud. ### Goals In completing this use case, you will learn how to do the following: * Use the Advanced Identity Cloud admin console * Set up a Microsoft Entra application as an authoritative identity data source * Provision identity data from the application to Advanced Identity Cloud * Enable incremental reconciliation ## Prerequisites Before you start work on this use case, make sure you have: * A basic understanding of: * The Advanced Identity Cloud admin console * The `managed/alpha_user` object schema * Application templates * Reconciliation * Access to your Microsoft Entra ID tenant environment as an administrator * Access to your Advanced Identity Cloud development environment as an administrator * A test user in Advanced Identity Cloud to serve as the application owner for the Microsoft Entra application ## Tasks ### Task 1: Create a Microsoft Entra application | | | | - | --------------------------------------------------------------------------------------------------- | | | Some steps require you to copy information. Paste the information into a text editor to keep track. | Advanced Identity Cloud uses a Microsoft Entra application account to connect to Microsoft Entra ID through the Microsoft Graph API. To register the application in Advanced Identity Cloud, make sure you record: * The tenant ID * The client ID * The client secret—​the value of the secret, not the secret ID You register the application and set the Graph API permissions Advanced Identity Cloud requires. 1. Sign on to the Microsoft Entra ID tenant as administrator. 2. Select Home > + Add > App registration. 3. Set a Name and click Register. 4. On the profile page for the application you registered, record the values for: * Application (client) ID * Directory (tenant) ID 5. On the profile page for the application you registered, select Client credentials > Client secrets > + New client secret and add a client secret. *Record the client secret for use when configuring the connection from Advanced Identity Cloud.* You cannot retrieve the secret after leaving the page where you created it. 6. On the profile page for the application you registered, select API permissions > + Add a permission and add the following Microsoft Graph API permissions: * `User.Export.All` * `User.ManageIdentities.All` * `User.Read.All` * `User.ReadWrite.All` * `Group.Create` * `Group.Read.All` * `Group.ReadWrite.All` * `Directory.Read.All` * `Directory.ReadWrite.All` 7. On the API permissions page, select Grant admin consent for *tenant*. Each permission must have Granted for *tenant* status before you connect Advanced Identity Cloud to the Microsoft Entra ID tenant: ![Graph API permissions in the UI](_images/provision-from-entra-id/graph-api-permissions.png) If you cannot grant the permissions yourself, ask the primary tenant administrator to grant the permissions. ### Task 2: Create a Microsoft Entra ID test user account To validate reconciliation, Advanced Identity Cloud requires at least one user with the required Advanced Identity Cloud properties: * An email address * A display name * A first name * A last name Create the test account in Microsoft Entra ID: 1. Sign on to the Microsoft Entra ID tenant as administrator. 2. Select Home > + Add > User > Create new user. 3. Prepare to create the user with the following settings: | Field | Value | | ------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | | User principal name | `scarter@domain`, where domain is the Microsoft Entra ID tenant domain | | Mail nickname | Select Derive from user principal name. | | Display name | `Sam Carter` | | Password | Select Auto-generate password.This use case doesn't use the password, but record the password so you can sign on to Microsoft Entra ID later. | | Account enabled | Leave this selected. | | First name | `Sam` | | Last name | `Carter` | | Email | `scarter@example.com` | 4. Review and create the test user account. Check in At this point, you: | | | | ---------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | | [icon: check, set=fa][Registered a Microsoft Entra application](#from-entraid-task1) and recorded its tenant ID, client ID, and client secret. | [icon: check, set=fa][Created a test user account](#from-entraid-task2) with at least the required Advanced Identity Cloud account properties. | ### Task 3: Configure Microsoft Entra as an authoritative identity data source 1. Sign on to the Advanced Identity Cloud admin console as an administrator. 2. Select Application [icon: grid_view, set=material, size=inline] Browse App Catalog > Microsoft Entra Provisioning and click Next. 3. Click Next again and create an application with the following settings: | Field | Value | | ------------- | ------------------------------------------------------------------------------ | | Name | `Microsoft Entra ID` | | Owners | The Advanced Identity Cloud test user to act as the owner of this application. | | Authoritative | Enable | 4. In the application profile screen, select Provisioning > Set up Provisioning, enter the information you collected when registering the Microsoft Entra ID application, and click Connect: | Field | Value | | ------------------------ | ------------------------------------------------------------------------------------------------------------- | | Tenant | The Directory (tenant) ID from Microsoft Entra ID; for example, `f7ff6108-c26f-48dd-ae9e-9743eefbd11f`. | | Client ID | The Application (client) ID from Microsoft Entra ID; for example, `b5ee41de-4a06-40ec-b170-1edbeb7c7764`. | | Client Secret (optional) | The value of the client secret from Microsoft Entra ID.The client secret is *not* optional for this use case. | 5. Make sure the Advanced Identity Cloud admin console displays the application as **Connected**: ![Successful connection](_images/provision-from-entra-id/connected.png) 6. Select Data to display a table of details from accounts in Microsoft Entra ID. This confirms Advanced Identity Cloud can access the account properties. ### Task 4: Configure reconciliation Advanced Identity Cloud uses reconciliation to keep its accounts in sync with accounts in other systems. You configure: * How account properties in the other systems map to Advanced Identity Cloud account properties. * What Advanced Identity Cloud does in each reconciliation situation. #### Mapping For this use case, configure at least a minimal mapping from Microsoft Entra: 1. Sign on to the Advanced Identity Cloud admin console as an administrator. 2. Select Application > Microsoft Entra > Provisioning > Mapping. 3. Review how a Microsoft Entra ID user account maps to the corresponding Advanced Identity Cloud `alpha_user` account. 4. Adjust the mapping to the following settings: | Microsoft Entra ID user property | Advanced Identity Cloud `alpha_user` property | | -------------------------------- | --------------------------------------------- | | `source.givenName` | `givenName` | | `source.mail` | `mail` | | `source.surname` | `sn` | | `source.userPrincipalName` | `userName` | Reconciliation only synchronizes mapped properties. If required, add additional mappings. #### Reconciliation situations 1. Log in to the Advanced Identity Cloud admin console as an administrator. 2. Select Application > Microsoft Entra > Reconciliation > Settings. 3. Edit the default Situation Rules to set Link Only to `UNLINK`: ![Completed situation rules table](_images/provision-from-entra-id/situation-rules.png) Advanced Identity Cloud is now ready to provision user accounts from the Microsoft Entra ID tenant. Check in At this point, you: | | | | ---------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------- | | [icon: check, set=fa][Registered a Microsoft Entra application](#from-entraid-task1) and recorded its tenant ID, client ID, and client secret. | [icon: check, set=fa][Created a test user account](#from-entraid-task2) with at least the required Advanced Identity Cloud account properties. | | [icon: check, set=fa][Used an application template to connect](#from-entraid-task3) Advanced Identity Cloud to the Microsoft Entra ID tenant. | [icon: check, set=fa][Configured Advanced Identity Cloud reconciliation](#from-entraid-task4) to provision user accounts. | ### Task 5: Prepare reconciliation for validation Although you can run reconciliation manually for initial synchronization and testing, you can also enable incremental reconciliation as a recurring task. Incremental reconciliation runs periodically, synchronizing new changes automatically. For testing, you can restrict which accounts reconciliation synchronizes with a filter. After validating your work, you can disable the filter and reconcile all accounts. 1. Log in to the Advanced Identity Cloud admin console as an administrator. 2. Select Application > Microsoft Entra > Reconciliation > Settings. 3. Select Schedules > Incremental Reconciliation > Set Up and configure the task. For example, to run reconciliation every 15 minutes, select Use cron and set the Frequency to `*/15 * * * * ?`: ![Configure a reconciliation task](_images/provision-from-entra-id/recon-every-15-minutes.png) 4. Select Show advanced settings and filter reconciliation to target only the Microsoft Entra test account. For example, select Filter Source and set the filter to match when the user `mail` is the test account email address: ![Filter on mail](_images/provision-from-entra-id/advanced-recon-settings.png) 5. Click Save. ## Validation With Advanced Identity Cloud connected to Microsoft Entra ID as an authoritative identity data source, validate the configuration by provisioning an account from Microsoft Entra ID to Advanced Identity Cloud and receiving updates to the newly created Advanced Identity Cloud user. ### Steps #### Initial reconciliation 1. Log in to the Advanced Identity Cloud admin console as an administrator. 2. Select Application > Microsoft Entra > Provisioning > Reconciliation > Reconcile > Reconcile Now. Reconciliation creates the test user account from Microsoft Entra ID in Advanced Identity Cloud. On the reconciliation status page, Unresolved Microsoft Entra users are greater than zero. Advanced Identity Cloud found a Microsoft Entra ID user account and created an identity in Advanced Identity Cloud. 3. Select Identities > Manage and search for the test user account. The Advanced Identity Cloud admin console displays the new account reconciliation created based on the Microsoft Entra ID test user account. #### Incremental reconciliation 1. Sign on to the Microsoft Entra ID tenant as administrator. 2. Select Home > Users > *Select test user* > Edit properties, change one of the mapped properties, such as First name and Save your change. 3. Log in to the Advanced Identity Cloud admin console as an administrator. 4. Wait for reconciliation to run as scheduled or select Reconcile Now again in Advanced Identity Cloud admin console. Reconciliation applies the changes you made in Microsoft Entra ID to the account in Advanced Identity Cloud. On the reconciliation status page, 1-to-1 match is greater than 0. Advanced Identity Cloud found a Microsoft Entra ID account with a matching Advanced Identity Cloud account and reconciled the two. 5. Select Identities > Manage, search for the account and select it to display the details. The Advanced Identity Cloud admin console displays the change from the Microsoft Entra ID test user account. ### Video of validation From the administrator's perspective, the validation process works as follows: **Video (Brightcove)** \ ## Explore further ### Reference material | Reference | Description | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------- | | [Task 2: Explore the platform](../getting-started/getting-started-explore-platform.html) | Get to know the Advanced Identity Cloud admin console. | | [Azure AD provisioning](../app-management/provision-an-application.html#provision-azure-ad) | Learn about connecting Advanced Identity Cloud to Microsoft Entra ID. | | [Reconcile and synchronize end-user accounts](../app-management/provision-an-application.html#recon-sync-end-users) | Learn about reconciliation of user accounts. | | [Register an application](../app-management/register-an-application.html) | Find out more about application templates. | | [Synchronization types](../idm-synchronization/sync-types.html) | Learn how Advanced Identity Cloud keeps data consistent across multiple systems. | | [Tutorial: Register an app with Microsoft Entra ID](https://learn.microsoft.com/en-us/power-apps/developer/data-platform/walkthrough-register-app-azure-active-directory) | Refer to this Microsoft Entra ID documentation for details. |