How to properly do nested group and service principal provisioning for Enterprise Applications?

Joakim Järvinen (Brightly)
2024-06-10T09:27:18.8833333+00:00

My original idea was to sync users using Azure Entra provisioning for Enterprise applications. However, this method has a few caveats:

  1. It does not sync nested groups (only the direct group).
  2. It does not sync Service Principals (i.e. other Enterprise applications; we want to manage SaaS users in Entra).

My next idea was to use Graph API, but polling it seems kinda rough. Though I noticed that changes can be synced via subscribing to group change events. Some extra logic would be needed, but I noticed that it has the same problem: it does not sync Service Principals.

So far my best idea is to check which groups have been assigned to the Enterprise Application and then fetch their transitive members... every x minutes (using the beta API...)? Logically this is bound to be very error-prone, which is why I would have preferred to use SCIM. Does anybody have better ideas?

Microsoft Security | Microsoft Graph
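The polling approach sketched in the question (read the app's role assignments, expand assigned groups, then reconcile the result against the SaaS side), as an added example that is not part of the original post or of any Microsoft tooling. It walks `/servicePrincipals/{id}/appRoleAssignedTo` and `/groups/{id}/members` recursively so that nested groups and service principals, the two things the built-in provisioning skips, end up in the effective set, and it guards against group cycles. The directory data (`app-1`, `g-top`, `g-nested`, the user and SP ids) is constructed sample data standing in for Graph responses; the `Fetch` callable, `effective_principals`, `reconcile` and `graph_fetch_factory` are names chosen here, not Graph SDK APIs.

```python
"""Poll-based reconciliation of an Enterprise Application's effective assignees.

Added example (not from the original post). Graph is abstracted behind a
`fetch(path) -> list[dict]` callable so the logic runs offline against the
constructed SAMPLE_GRAPH below; graph_fetch_factory() shows a real fetcher.
"""
import json
import urllib.request
from typing import Callable, Dict, Iterable, List, Set, Tuple

Fetch = Callable[[str], List[dict]]

# Constructed sample directory. Keys mirror the real Graph paths; object shapes
# follow Graph (appRoleAssignment.principalType / principalId, and
# directoryObject @odata.type / id). Note the g-nested -> g-top cycle.
SAMPLE_GRAPH: Dict[str, List[dict]] = {
    "/servicePrincipals/app-1/appRoleAssignedTo": [
        {"principalType": "User", "principalId": "u-direct"},
        {"principalType": "Group", "principalId": "g-top"},
        {"principalType": "ServicePrincipal", "principalId": "sp-direct"},
    ],
    "/groups/g-top/members": [
        {"@odata.type": "#microsoft.graph.user", "id": "u-1"},
        {"@odata.type": "#microsoft.graph.group", "id": "g-nested"},
        {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-nested"},
    ],
    "/groups/g-nested/members": [
        {"@odata.type": "#microsoft.graph.user", "id": "u-2"},
        {"@odata.type": "#microsoft.graph.group", "id": "g-top"},  # cycle back
    ],
}


def sample_fetch(path: str) -> List[dict]:
    """Offline stand-in for Graph: returns the constructed page for `path`."""
    return SAMPLE_GRAPH.get(path, [])


def effective_principals(app_object_id: str, fetch: Fetch) -> Dict[str, str]:
    """Return {principal_id: kind} for every user and service principal that
    should exist in the SaaS app, expanding nested groups to any depth.
    kind is "user" or "servicePrincipal"."""
    result: Dict[str, str] = {}
    seen_groups: Set[str] = set()

    def walk_group(group_id: str) -> None:
        if group_id in seen_groups:  # cycle or diamond: already expanded
            return
        seen_groups.add(group_id)
        for m in fetch(f"/groups/{group_id}/members"):
            kind = m["@odata.type"].rsplit(".", 1)[-1]  # user|group|servicePrincipal|...
            if kind == "group":
                walk_group(m["id"])
            elif kind in ("user", "servicePrincipal"):
                result[m["id"]] = kind
            # devices, contacts etc. are not provisionable here and are skipped

    for a in fetch(f"/servicePrincipals/{app_object_id}/appRoleAssignedTo"):
        ptype, pid = a["principalType"], a["principalId"]
        if ptype == "Group":
            walk_group(pid)
        elif ptype == "User":
            result[pid] = "user"
        elif ptype == "ServicePrincipal":
            result[pid] = "servicePrincipal"
    return result


def reconcile(desired: Dict[str, str], current: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Diff the desired set against what the SaaS app currently has.
    Returns (ids to create, ids to delete), sorted for stable output."""
    cur = set(current)
    return sorted(set(desired) - cur), sorted(cur - set(desired))


def graph_fetch_factory(token: str, base: str = "https://graph.microsoft.com/v1.0") -> Fetch:
    """Real fetcher: GET base+path with a bearer token, following @odata.nextLink
    so every page is collected. Not exercised by the offline sample."""
    def fetch(path: str) -> List[dict]:
        url, items = base + path, []
        while url:
            req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
            with urllib.request.urlopen(req) as resp:
                page = json.load(resp)
            items.extend(page.get("value", []))
            url = page.get("@odata.nextLink")
        return items
    return fetch


if __name__ == "__main__":
    want = effective_principals("app-1", sample_fetch)
    to_create, to_delete = reconcile(want, current={"u-1", "u-stale"})
    print("desired:", want)
    print("create:", to_create, "delete:", to_delete)
```

Run it on a schedule with `graph_fetch_factory(token)` in place of `sample_fetch` and feed the two lists to the SaaS app's own user API; the `seen_groups` set is what keeps a cyclic or diamond-shaped nesting from looping or double-counting. If you prefer one round-trip per assigned group, `/groups/{id}/transitiveMembers` can replace the recursive walk, but the reconcile step and the per-type filtering stay the same.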
