Grant access to the inbound provisioning API (Public preview)


After you've configured API-driven inbound provisioning app, you need to grant access permissions so that API clients can send requests to the provisioning /bulkUpload API and query the provisioning logs API. This tutorial walks you through the steps to configure these permissions.

Depending on how your API client authenticates with Microsoft Entra ID, you can select between two configuration options:

Configure a service principal

This configuration registers an app in Microsoft Entra ID that represents the external API client and grants it permission to invoke the inbound provisioning API. The service principal client ID and client secret can be used in the OAuth client credentials grant flow.

  1. Log in to Microsoft Entra admin center ( with at least Application Administrator login credentials.
  2. Browse to Microsoft Entra ID -> Applications -> App registrations.
  3. Click on the option New registration.
  4. Provide an app name, select the default options, and click on Register. Screenshot of app registration.
  5. Copy the Application (client) ID and Directory (tenant) ID values from the Overview blade and save it for later use in your API client. Screenshot of app client ID.
  6. In the context menu of the app, select Certificates & secrets option.
  7. Create a new client secret. Provide a description for the secret and expiry date.
  8. Copy the generated value of the client secret and save it for later use in your API client.
  9. From the context menu API permissions, select the option Add a permission.
  10. Under Request API permissions, select Microsoft Graph.
  11. Select Application permissions.
  12. Search and select permission AuditLog.Read.All and SynchronizationData-User.Upload.
  13. Click on Grant admin consent on the next screen to complete the permission assignment. Click Yes on the confirmation dialog. Your app should have the following permission sets. Screenshot of app permissions.
  14. You're now ready to use the service principal with your API client.
  15. For production workloads, we recommend using client certificate-based authentication with the service principal or managed identities.

Configure a managed identity

This section describes how you can assign the necessary permissions to a managed identity.

  1. Configure a managed identity for use with your Azure resource.

  2. Copy the name of your managed identity from the Microsoft Entra admin center. For example: The screenshot below shows the name of a system assigned managed identity associated with an Azure Logic Apps workflow called "CSV2SCIMBulkUpload".

    Screenshot of managed identity name.

  3. Run the following PowerShell script to assign permissions to your managed identity.

    Install-Module Microsoft.Graph -Scope CurrentUser
    Connect-MgGraph -Scopes "Application.Read.All","AppRoleAssignment.ReadWrite.All,RoleManagement.ReadWrite.Directory"
    Select-MgProfile Beta
    $graphApp = Get-MgServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
    $PermissionName = "SynchronizationData-User.Upload"
    $AppRole = $graphApp.AppRoles | `
    Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
    $managedID = Get-MgServicePrincipal -Filter "DisplayName eq 'CSV2SCIMBulkUpload'"
    New-MgServicePrincipalAppRoleAssignment -PrincipalId $managedID.Id -ServicePrincipalId $managedID.Id -ResourceId $graphApp.Id -AppRoleId $AppRole.Id
    $PermissionName = "AuditLog.Read.All"
    $AppRole = $graphApp.AppRoles | `
    Where-Object {$_.Value -eq $PermissionName -and $_.AllowedMemberTypes -contains "Application"}
    $managedID = Get-MgServicePrincipal -Filter "DisplayName eq 'CSV2SCIMBulkUpload'"
    New-MgServicePrincipalAppRoleAssignment -PrincipalId $managedID.Id -ServicePrincipalId $managedID.Id -ResourceId $graphApp.Id -AppRoleId $AppRole.Id
  4. To confirm that the permission was applied, find the managed identity service principal under Enterprise Applications in Microsoft Entra ID. Remove the Application type filter to see all service principals. Screenshot of managed identity principal.

  5. Click on the Permissions blade under Security. Ensure the permission is set. Screenshot of managed identity permissions.

  6. You're now ready to use the managed identity with your API client.

Next steps