How do I know which synchronization rule I should use to kick off a provision-on-demand via the API

Question

How do I know which synchronization rule I should use to kick off a provision-on-demand via the API

shrinjay mukherjee 0

I would like to build an integration that can call the Provision on Demand Graph API for a given enterprise app: https://learn.microsoft.com/en-us/graph/api/synchronization-synchronizationjob-provisionondemand?view=graph-rest-1.0&tabs=http. This API endpoint requires a rule ID to be specified. The issue is, I'm not quite sure how to consistently identify the correct synchronization rule to use. Specifically:

Is there any possibility of an application/service principal having more than 1 synchronization job? The fact that there is a list endpoint suggests that it is possible - however in the provisioning UI I can only see one synchronization job ID.
For a given synchronization job, is there any possibility of there being more than 1 synchronization rule that supports on demand provisioning. I can see that some apps have a separate synchronization rule for inbound provisioning, but it seems most apps only have one rule for outbound provisioning. Is this always the case?
Say I don't know which synchronization job to use, I was planning to get all synchronization rules for all synchronization jobs, and find the synchronization job and rule that supports outbound provisioning via provision on demand. This only works if there is only one job and one rule that supports outbound provisioning using on-demand provisioning. Is this a feasible approach?

Any insight?

FrankEscarosBuechsel-MSFT 905 Reputation points Microsoft Employee Moderator

2024-11-29T18:05:33.46+00:00

Hi @shrinjay mukherjee • Thank you for reaching out.

I'm understanding that you have some questions around the specifications for the on demand provisioning Graph APIs, especially how synchronization jobs and rules can be mapped and if 1:n relationships are possible or if there is pure 1:1 relationships between synchronization jobs and synchronization rules.

For your first question the following Learn document provides an example on how more than 1 synchronization job is possible for a single application/service principal. It walks through an example on how to create 2 jobs for the same service principal, one for user/group provisioning and one for password hash sync. So while the UI may only be showing one instance you cannot safely assume that only 1 job exists and you have to validate the correct synchronization job to be chosen for your intended use case. Create sync job

For your other 2 questions I cannot immediately find straight forward documentation which would answer the question, so I will do some more research on the specifics for you and provide an update once I have a confirmed answer for those questions.
FrankEscarosBuechsel-MSFT 905 Reputation points Microsoft Employee Moderator

2024-12-02T17:49:01.2066667+00:00

Hi @shrinjay mukherjee,

I have had some internal chats with one of the responsible teams for this functionality.

Can you please elaborate on your use case a bit here, are you deploying a SaaS application and want to provision users from Entra ID into that app, basically following example 1 of the Learn article you outlined earlier here: Provision users from Microsoft Entra ID to third-party applications, or is it via Cloud Sync as per example 2 here Sync on-demand from Active Directory to Microsoft Entra ID (Microsoft Entra Cloud Sync).
shrinjay mukherjee 0 Reputation points

2024-12-03T22:11:59.11+00:00

Hi @FrankEscarosBuechsel-MSFT ,

It's the former, I'm provisioning users from entra ID to a third party application. I'm doing this programmatically via the API. I know what service principal I want to sync, so to kick off provision on demand I need to determine the correct synchronization job and synchronization rule for that service principal

1 answer

Your answer

FrankEscarosBuechsel-MSFT 905 Reputation points Microsoft Employee Moderator

2024-11-29T18:05:33.46+00:00

Hi @shrinjay mukherjee • Thank you for reaching out.

I'm understanding that you have some questions around the specifications for the on demand provisioning Graph APIs, especially how synchronization jobs and rules can be mapped and if 1:n relationships are possible or if there is pure 1:1 relationships between synchronization jobs and synchronization rules.

For your first question the following Learn document provides an example on how more than 1 synchronization job is possible for a single application/service principal. It walks through an example on how to create 2 jobs for the same service principal, one for user/group provisioning and one for password hash sync. So while the UI may only be showing one instance you cannot safely assume that only 1 job exists and you have to validate the correct synchronization job to be chosen for your intended use case. Create sync job

For your other 2 questions I cannot immediately find straight forward documentation which would answer the question, so I will do some more research on the specifics for you and provide an update once I have a confirmed answer for those questions.
FrankEscarosBuechsel-MSFT 905 Reputation points Microsoft Employee Moderator

2024-12-02T17:49:01.2066667+00:00

Hi @shrinjay mukherjee,

I have had some internal chats with one of the responsible teams for this functionality.

Can you please elaborate on your use case a bit here, are you deploying a SaaS application and want to provision users from Entra ID into that app, basically following example 1 of the Learn article you outlined earlier here: Provision users from Microsoft Entra ID to third-party applications, or is it via Cloud Sync as per example 2 here Sync on-demand from Active Directory to Microsoft Entra ID (Microsoft Entra Cloud Sync).
shrinjay mukherjee 0 Reputation points

2024-12-03T22:11:59.11+00:00

Hi @FrankEscarosBuechsel-MSFT ,

It's the former, I'm provisioning users from entra ID to a third party application. I'm doing this programmatically via the API. I know what service principal I want to sync, so to kick off provision on demand I need to determine the correct synchronization job and synchronization rule for that service principal

Answer 1

Hi @shrinjay mukherjee,

I got an internal response from the product group for the functionality in the way you are using it.

For a given synchronization job, is there any possibility of there being more than 1 synchronization rule that supports on demand provisioning. I can see that some apps have a separate synchronization rule for inbound provisioning, but it seems most apps only have one rule for outbound provisioning. Is this always the case?

There is a 1:1 relationship between the synchronisation job and synchronisation rule in the scenario you are describing.

Say I don't know which synchronization job to use, I was planning to get all synchronization rules for all synchronization jobs, and find the synchronization job and rule that supports outbound provisioning via provision on demand. This only works if there is only one job and one rule that supports outbound provisioning using on-demand provisioning. Is this a feasible approach?

With the above confirmation that makes this a feasible approach indeed.

Also with the given context I want to clarify on the first question and my response.

Is there any possibility of an application/service principal having more than 1 synchronization job? The fact that there is a list endpoint suggests that it is possible - however in the provisioning UI I can only see one synchronization job ID.

I responded earlier that in general this is possible, which is indeed the case, however in the context of your particular use case you can also assume that you have a 1:1 relationship, multiple jobs should only matter if cloud sync was involved in the process which you confirmed not to be the case for your particular scenario.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

FrankEscarosBuechsel-MSFT 905 Reputation points Microsoft Employee Moderator

2024-12-06T14:00:44.4033333+00:00

Hi @shrinjay mukherjee ,

Just checking in to see if you had a chance to see the provided answer. To help the community find the right answers, please do mark the post which was helpful by clicking on Accept Answer.  And, if you have any further questions do let us know.
FrankEscarosBuechsel-MSFT 905 Reputation points Microsoft Employee Moderator

2024-12-09T10:18:53.3933333+00:00

Hi @shrinjay mukherjee ,

Just checking in to see if you had a chance to see the provided answer. To help the community find the right answers, please do mark the post which was helpful by clicking on Accept Answer.  And, if you have any further questions do let us know.

Share via

How do I know which synchronization rule I should use to kick off a provision-on-demand via the API

1 answer

Your answer