How to properly do nested group and service principal provisioning for Enterprise Applications?

Joakim Järvinen (Brightly) 0 Reputation points
2024-06-10T09:27:18.8833333+00:00

My original idea was to sync users using Azure Entra provisioning for Enterprise applications. However, this method has a few caveats:

  1. It does not sync nested groups (only the direct group)
  2. It does not sync Service Principals (aka other Enterprise applications. We want to manage SaaS users in Entra)

My next idea was to use Graph API, but polling it seems kinda rough. Though I noticed that changes can be synced via subscribing to group change events. Some extra logic would be needed, but I noticed that it has the same problem: it does not sync Service Principals.

So far my best idea is to check which groups have been assigned to the Enterprise Application and then fetch their transitive members... every x minutes (using the beta API..)? Logically this is subject to be very error-prone, which is why I would have preferred to use SCIM. Does anybody have better ideas?
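An added sketch of the poll-and-reconcile approach described above, written for this page and not code from Microsoft or the poster. It replaces the live Graph calls (`appRoleAssignedTo` on the service principal, direct group membership) with constructed sample data; the `principalType` and `@odata.type` values mirror what Graph returns, while the function names and the identifiers are assumptions. Nesting is expanded locally with cycle protection, so service principals that sit inside nested groups come out as members alongside users.

```python
"""Reconcile an Enterprise Application's effective members (users and service
principals, through nested groups) from a periodic poll of Graph-shaped data."""
from typing import Dict, List, Set, Tuple

# Constructed stand-in for GET /servicePrincipals/{id}/appRoleAssignedTo
APP_ROLE_ASSIGNMENTS: List[dict] = [
    {"principalId": "g-sales", "principalType": "Group"},
    {"principalId": "u-direct", "principalType": "User"},
    {"principalId": "sp-bot", "principalType": "ServicePrincipal"},
]

# Constructed stand-in for direct membership of each group
# (GET /groups/{id}/members). Note the cycle g-sales -> g-sales-eu -> g-sales.
DIRECT_MEMBERS: Dict[str, List[dict]] = {
    "g-sales": [
        {"id": "u-alice", "@odata.type": "#microsoft.graph.user"},
        {"id": "g-sales-eu", "@odata.type": "#microsoft.graph.group"},
        {"id": "sp-reporting", "@odata.type": "#microsoft.graph.servicePrincipal"},
    ],
    "g-sales-eu": [
        {"id": "u-bob", "@odata.type": "#microsoft.graph.user"},
        {"id": "g-sales", "@odata.type": "#microsoft.graph.group"},
    ],
}


def transitive_members(group_id: str, direct: Dict[str, List[dict]] = DIRECT_MEMBERS) -> Set[str]:
    """Expand nested groups to their non-group members (users and service
    principals). A visited set stops membership cycles from looping forever."""
    seen_groups: Set[str] = set()
    principals: Set[str] = set()
    stack = [group_id]
    while stack:
        gid = stack.pop()
        if gid in seen_groups:
            continue
        seen_groups.add(gid)
        for member in direct.get(gid, []):
            if member["@odata.type"] == "#microsoft.graph.group":
                stack.append(member["id"])
            else:
                principals.add(member["id"])
    return principals


def effective_principals(assignments: List[dict] = APP_ROLE_ASSIGNMENTS,
                         direct: Dict[str, List[dict]] = DIRECT_MEMBERS) -> Set[str]:
    """Directly assigned users/service principals plus every transitive member
    of each assigned group: the set the SaaS side should end up with."""
    result: Set[str] = set()
    for assignment in assignments:
        if assignment["principalType"] == "Group":
            result |= transitive_members(assignment["principalId"], direct)
        else:
            result.add(assignment["principalId"])
    return result


def reconcile(current_in_saas: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (to_add, to_remove) so the SaaS user list matches Entra."""
    desired = effective_principals()
    return desired - current_in_saas, current_in_saas - desired
```

Each poll cycle computes the desired set from scratch and diffs it against what the SaaS side currently has, so a missed or reordered group change notification cannot leave stale state behind.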
