Want to provision only users which are added/removed in the Groups(either security or microsoft 365) to the provisioning application and not other users, can this be possible?

Question

I want to provision only users who are added/Removed in the Group(Either security or Microsoft 365) using the "Provision Microsoft Entra ID Groups" with the scope filter based on the display name and don't want to provision other users on the application which are not part of those Groups can this be possible?
Can we disable this setting "Provision Microsoft Entra ID Users" on Azure?

Currently, it has been observed that all users from Azure ad are getting provisioned in the target application apart from the users in that Group (either security or Microsoft 365).

Answer 1

Hi @Roshan Kumawat

Thank you for following up on this and I apologize for the delayed response!

I want to provision only the users to the provisioning application (for example ServiceNow) who are added/removed to Certain groups, and do not want to provision other users to the target application, can this be possible?

In application provision, we can use scope filters to scope users or groups. But unfortunately, the scoping filter IsMemberOf and members attribute on a group are not currently supported. So, it is not possible to provision only users who have been added or removed from specific groups in Azure AD to a provisioning application.

For your reference: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/define-conditional-rules-for-provisioning-user-accounts?pivots=app-provisioning#create-scoping-filters

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya.

If the answer is helpful, please click "Accept Answer" and kindly upvote it.