Microsoft Entra ID

Sync user lists with apps during onboarding

Overview

This guide helps administrators sync their Entra ID directory with an application they want to onboard to their organization. Integrating your application with Entra ID automates user management tasks and keeps access rights up to date.

This registration sets up the following:

  1. Endpoint: The URL to which Entra ID sends requests for the onboarded app. It is the communication point between the two.
  2. Bearer Token: The secret Entra ID presents to authenticate its requests to the endpoint.

Together, these components keep your application synchronized with the Entra ID directory.

Create an Endpoint and API Token

Open the Admin Portal from the app being onboarded. Select the "Directory Sync" tab to display a list of Directory Providers. Choose "Entra ID" as your Directory Provider. If the Admin Portal is not accessible from the app, request instructions from the app owner.

Setting up Directory Sync in the admin portal of an app being onboarded: Entra ID selected as the provider, awaiting configuration.

note

If the "Directory Sync" tab is not visible, the feature may not be enabled for your organization. Contact the app owner to enable it via the Scalekit Dashboard: Organizations > Your Organization > Enable Directory Sync.

Click "Configure" after selecting "Entra ID" to generate an Endpoint URL and Bearer token for your organization. The app uses these to receive events from Entra ID and stay synchronized.

Endpoint URL and Bearer token for your organization.

Adding a New Application in Entra ID

To send user-related updates to the app you want to onboard, create a new app in Microsoft Entra ID.

Go to the Microsoft Azure portal and select "Microsoft Entra ID".

Microsoft Entra ID in the Azure portal.

In the "Manage > All applications" tab, click "+ New application".

Adding a new application in Microsoft Entra ID.

Click "+ Create your own application" in the modal that opens on the right.

Creating a new application in Microsoft Entra ID.

Name the app you want to onboard (e.g., "Hero SaaS") and click "Create", leaving other defaults as-is.

Creating a new application in Microsoft Entra ID.

Configure Provisioning

In the "Hero SaaS" app's overview, select "Manage > Provisioning" from the left sidebar.

Configuring provisioning for the "Hero SaaS" app.

Set the Provisioning Mode to "Automatic".

In the Admin Credentials section, set:

  • Tenant URL: the Endpoint URL generated previously
  • Secret Token: the Bearer Token generated previously

Setting up Provisioning Mode and Admin Credentials.

In the Mappings section, click "Provision Microsoft Entra ID Users" and toggle "Enabled" to "Yes".

Making sure "Provision Microsoft Entra ID Users" is enabled.

Close the modal and reload the page for changes to take effect.

Go to "Overview > Manage > Provisioning" and ensure "Provisioning Status" is toggled "On".

Making sure "Provisioning Status" is toggled "On".

Entra ID is now set up to send events to Hero SaaS when users are added or removed.
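A pre-flight check for the two Admin Credentials values used above, written as an added example (not part of the original guide or of the app's own tooling). The sample URL and token are constructed, and the function names are hypothetical.

```python
"""Sanity-check the Tenant URL and Secret Token before saving them in Entra ID."""
from urllib.parse import urlsplit

# Constructed sample values, not real credentials.
SAMPLE_URL = "https://hero-saas.example.test/directory/scim/v2"
SAMPLE_TOKEN = "constructed-token-0123456789"


def check_admin_credentials(tenant_url: str, secret_token: str) -> list[str]:
    """Return a list of problems; an empty list means both values look sane."""
    problems = []
    if tenant_url != tenant_url.strip():
        problems.append("Tenant URL has leading or trailing whitespace")
    url = urlsplit(tenant_url.strip())
    if url.scheme != "https":
        # Without TLS the bearer token would cross the network in clear text.
        problems.append("Tenant URL must use https")
    if not url.hostname:
        problems.append("Tenant URL has no host")
    if url.username or url.password:
        problems.append("Tenant URL must not embed credentials")

    if not secret_token:
        problems.append("Secret Token is empty")
    elif secret_token.lower().startswith("bearer "):
        # The guide describes this value as the bearer token itself; a pasted
        # scheme prefix would become part of the secret (assumption: the
        # portal does not strip it).
        problems.append('Secret Token must not include the "Bearer " prefix')
    elif any(c.isspace() for c in secret_token):
        problems.append("Secret Token contains whitespace (copy/paste damage)")
    return problems


def mask_token(secret_token: str, keep: int = 4) -> str:
    """Render a token for tickets or logs, showing only its last characters."""
    if len(secret_token) <= keep * 2:
        return "*" * len(secret_token)
    return "*" * (len(secret_token) - keep) + secret_token[-keep:]


if __name__ == "__main__":
    for issue in check_admin_credentials(SAMPLE_URL, SAMPLE_TOKEN):
        print("problem:", issue)
    print("token on record:", mask_token(SAMPLE_TOKEN))
```
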

Testing User/Group Provisioning

In the Hero SaaS Application, go to "Provision on demand". Input a user name from your user list and click "Provision".

Provisioning a user/group on demand.

Once provisioned, the user should appear in the admin portal, showing how many users have access to the Hero SaaS app.

Group (Admins) provisioned in the admin portal.

note

Provisioning or deprovisioning users can be done from "Manage > User and groups > Add user/group". Microsoft docs state it takes about 40 minutes to successfully send these events to the Hero SaaS App.
