Add user to groups with API-driven provisioning to on-prem AD

Question

Add user to groups with API-driven provisioning to on-prem AD

Mathias Sundman 50

As an MSP we're looking into using "API-driven inbound user provisioning to on-prem Active Directory" for customer hybrid tenants, which looks very promising and has most of the features we're looking for.

But, there is one big show-stopper I haven't been able to figure out. When we provision new users to customer on-prem ADs they still typically heavily relies on membership in different AD groups for access to various systems, so they need to have an initial set of group memberships upon creation based department/role.

So, how can I use the BulkUpload API (on another API that communicates through the Cloud Sync agent) to assign users to on-prem AD groups?

If this functionality is not available the whole solution "falls", as I would still have to build my own on-prem agent to expose an API endpoint for managing on-prem user group memberships on complete the onboarding automation, which could then as well perform the user CREATE/MODIFY/DELETE actions.

Accepted answer

0 additional answers

Your answer

Answer 1

Givary-MSFT 35,471 Microsoft Employee

@Mathias Sundman Thank you for reaching out to us, As I understand you are leveraging API-driven inbound user provisioning to on-prem Active Directory, though users are getting created successfully however you are looking for an option to add these created users into groups automatically.

As far I am aware this feature ( of adding users to group) via API is not available, assuming you might need to have some PowerShell script to do this job when the users get created in on-premise AD via API driven provisioning.

However I will check with my team internally on this ask and keep you updated.

Mathias Sundman 50 Reputation points

2024-03-11T20:51:12.33+00:00
I'm mostly interested in hearing what is Microsoft recommended approach to automate onboarding hybrid environments like this including adding users to AD groups ect.

Perhaps I'm miss-thinking this. If I understand correctly the recommended approach in Entra is to use HR/API-driven provisioning handling the creating of users only. Then use dynamic groups and lifecycle workflow to handle group memberships and other on-boarding tasks.

So, what I'm now thinking is something like:

Move all groups that does not have to be in AD to Cloud-only groups

Use "Provision grps to AD with Cloud Sync" to sync Cloud groups to AD

Use Dynamic Groups that are synced to AD with #2

Use Lifecycle Workflow automations to update cloud groups that are synced to AD with #2

Use Lifecycle Workflow automations to kick-off a PS script on Hybrid Worker to complete remaining on-prems tasks

How does that approach aline with MS recommendations for a hybrid lifecycle workflow mgmt?
Givary-MSFT 35,471 Reputation points Microsoft Employee

2024-03-12T03:28:05.45+00:00
@Mathias Sundman Did check with my team, we don't support group membership provisioning with "API-driven provisioning" feature, however following approach is recommended in your scenario

To add users to the appropriate groups, here's what we suggest:

Using API-driven provisioning create/update on-premises AD users.

Sync on-premises AD users to the Entra ID tenant using Cloud Sync or Connect Sync.

Assign synced users to Entra ID groups. You can consider one of the following automation options (a) Dynamic Groups (b) Access Packages or (c) Lifecycle Workflows.

Use "Group provision to Active Directory" feature of Cloud Sync. For more info on governing access to these groups refer to: https://learn.microsoft.com/en-us/entra/identity/hybrid/group-writeback-cloud-sync

Let me know if you have any further questions, feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

Share via

Add user to groups with API-driven provisioning to on-prem AD

0 additional answers

Your answer