Prevent selected users from provisioning to Enterprise appliction

Question

I'm have set up provisioning of the AAD to an enterprise application. Some accounts don't synchronize properly as they don't have the right licenses, are admin accounts etc. Is there a way to exclude those accounts from being provisioned?

I would rather not set up an AAD group and assign users to that group for provisioning, i.e. rather exclude those accounts which should not be synced.

Answer 1

Hi @Henrik

Thank you for posting this in Microsoft Q&A.

I understand your asking if there is a way to exclude specific accounts from being provisioned to an enterprise application in Azure AD, without having to assign users to a specific group for provisioning.

Yes, you can exclude specific accounts from being provisioned to an enterprise application in Azure AD. To do this, you can use a scoping filter in the provisioning configuration for the application.

Here are the steps to exclude specific accounts from being provisioned

1. Sign in to the Microsoft Admin Center portal and navigate to the enterprise application that you want to configure.
2. Select the Provisioning tab.
3. In the Mappings section, select the mapping that you want to configure a scoping filter for: for example, "Synchronize Microsoft Entra users to ServiceNow".
4. Select the Source object scope menu.
5. Select Add scoping filter.

For more information: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/define-conditional-rules-for-provisioning-user-accounts?pivots=app-provisioning#scoping-filter-construction

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.