Provisioning Agent Configuration

Khedkar, Vidisha 105 Reputation points
2025-06-09T21:50:42.1966667+00:00

Hi Team,

I’m planning to install the Provisioning Agent on Windows servers where Azure AD Connect Sync is already configured. This agent will be used to provision users in Active Directory (AD) via an API-driven inbound provisioning application.

During the installation process, on the Select Extension screen, I will choose the following option:

HR-driven provisioning

Once the installation is complete, I’ll proceed with the configuration in Azure.

Questions:

1. Scope Configuration: During the Azure configuration, do I only need to define the scope for the users I intend to provision?

2. Attribute Mapping: For attribute mapping, I plan to include only the attributes required for provisioning users into AD via the API-driven application. Is this approach correct? I should remove all other attributes which I am not provisioning for an AD user.
Microsoft Security Microsoft Entra Microsoft Entra ID

1 answer

  1. Mallikarjuna Vardham 445 Reputation points Microsoft External Staff Moderator
    2025-06-16T17:25:18.3633333+00:00

    Hello Khedkar, Vidisha,

    Scoping: How to define which users are included

    In the Azure Portal during the API-driven provisioning configuration:

    Navigate to Scoping filters or Target object scope.

    You have three options:

    All users – all users from the inbound system will be provisioned.

    Selected security groups – only users in those AAD groups will be provisioned.

    Selected organizational units (OUs) – only users in those AD OUs will be targeted for provisioning.

    Reference: https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/how-to-configure#scope-provisioning-to-specific-users-and-groups

    For Attribute Mapping

    Only map the attributes that your API-driven provisioning app needs for creating users in Active Directory.

    Unused or irrelevant mappings can and should be removed to keep the config clean and reduce sync complexity.

    For Attribute Mapping Best practices

    Go to Attribute mapping under your provisioning app.

    You can delete unnecessary mappings by clicking “Delete” on attributes you don’t need.

    Add only the attributes you need for AD user creation such as:

    givenName, sn, userPrincipalName, mail, employeeId (if needed), manager

    Reference: https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/how-to-configure#attribute-mapping

    https://learn.microsoft.com/en-us/entra/identity/app-provisioning/customize-application-attributes

    High Availability Configuration for API-driven Provisioning Agent

    Install Multiple Agents (Agent Pooling)

    You can install multiple provisioning agents on different servers (physical or virtual).

    These agents form an agent pool for a single API-driven provisioning connector. Microsoft Entra automatically load balances and fails over across these agents.

    No Manual Load Balancing Required

    Entra handles automatic selection of available agents.

    If one agent is unreachable, the service will route provisioning calls to the next available agent in the pool.

    Setup Steps for High Availability in API driven

    Provision your first agent via Entra portal and link it to your provisioning connector.

    Install the same agent software on a second (or more) server(s) and register them using the same connector credentials.

    All agents registered to the same connector form the agent pool.

    If this answers your query, do click Accept Answer and Yes for was this answer helpful, which may help members with similar questions.


    0 comments No comments
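The attribute-mapping advice in the answer above can be checked against an exported provisioning schema. The following is an added example, not part of the original answer or Microsoft's own code: it assumes the schema has been saved as JSON in the shape Microsoft Graph returns for a synchronization job (`GET /servicePrincipals/{id}/synchronization/jobs/{jobId}/schema`); the function name and the sample data are constructed for illustration.

```python
import json

# Attribute list taken from the answer above. AD attribute names are
# case-insensitive, so "employeeId" must match a mapping named "employeeID".
ALLOWED = {"givenName", "sn", "userPrincipalName", "mail", "employeeId", "manager"}

# Constructed sample in the shape of a Graph synchronizationSchema
# (synchronizationRules -> objectMappings -> attributeMappings). Not tenant data.
SAMPLE_SCHEMA = json.loads("""
{"synchronizationRules": [{"name": "constructed-rule", "objectMappings": [{
  "targetObjectName": "User", "attributeMappings": [
    {"targetAttributeName": "employeeID", "matchingPriority": 1},
    {"targetAttributeName": "givenName", "matchingPriority": 0},
    {"targetAttributeName": "sn", "matchingPriority": 0},
    {"targetAttributeName": "userPrincipalName", "matchingPriority": 0},
    {"targetAttributeName": "mail", "matchingPriority": 0},
    {"targetAttributeName": "telephoneNumber", "matchingPriority": 0},
    {"targetAttributeName": "mobile", "matchingPriority": 0},
    {"targetAttributeName": "streetAddress", "matchingPriority": 0}
]}]}]}
""")

def audit_attribute_mappings(schema, allowed):
    """Classify every mapped target attribute against the allow-list."""
    allowed_ci = {a.lower(): a for a in allowed}
    report = {"keep": [], "matching": [], "remove": [], "missing": []}
    seen = set()
    for rule in schema.get("synchronizationRules", []):
        for obj in rule.get("objectMappings", []):
            for m in obj.get("attributeMappings", []):
                target = m.get("targetAttributeName", "")
                seen.add(target.lower())
                # matchingPriority > 0 marks a matching attribute: deleting it
                # would break source-to-AD matching, so never flag it for removal.
                if (m.get("matchingPriority") or 0) > 0:
                    report["matching"].append(target)
                elif target.lower() in allowed_ci:
                    report["keep"].append(target)
                else:
                    report["remove"].append(target)
    # Allow-listed attributes that no mapping writes (sample omits "manager").
    report["missing"] = sorted(v for k, v in allowed_ci.items() if k not in seen)
    return report

if __name__ == "__main__":
    print(json.dumps(audit_attribute_mappings(SAMPLE_SCHEMA, ALLOWED), indent=2))
```

Entries under `remove` are candidates for deletion in the Attribute mapping blade; entries under `matching` stay even when they are not on the allow-list.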
