Microsoft Entra Blog

Automate provisioning and governance of your on-premises applications

Joseph Dadzie, Microsoft
Feb 08, 2023

I’m excited to announce the general availability of provisioning to on-premises applications using Microsoft Entra Identity Governance. You can now automate provisioning and manage the lifecycle of users in on-premises applications, without requiring any custom code.    

 

Many of you are already using Microsoft Entra Identity Governance to provision identities into hundreds of SaaS applications using the built-in connectors. You can now provision identities from Azure Active Directory (Azure AD) directly into on-premises applications that rely on user identities stored in a SQL database or an LDAP directory (other than Active Directory Domain Services), or that support the SCIM standard for provisioning. This means you can use Microsoft Entra Identity Governance to govern access to on-premises applications with out-of-the-box on-premises connectors and no custom coding required!

 

Let’s walk through an example of how an organization, Contoso, uses Microsoft Entra Identity Governance to provide access to an on-prem application that manages critical manufacturing processes. The application is deeply embedded in the organization and has been around for years. It doesn’t support modern SCIM APIs for user management, but it does rely on an OpenLDAP server to manage user access. With Microsoft Entra Identity Governance, Contoso can:  

 

  • Increase employee productivity by automating application access. 
  • Manage costs by deploying a cloud-based provisioning solution. 
  • Manage risk by periodically reviewing and revoking access. 

 

 

Contoso governs access to an on-premises manufacturing app that relies on OpenLDAP as a user store.

 

 

In three easy steps, the admins at Contoso enable users to access on-premises applications, while ensuring the necessary governance processes are in place: 

 

1. Configure application access 

 

When employees join the organization, they are marked as hired in Workday and have an account automatically provisioned in Azure AD. The administrators have configured an access package with entitlement management. When a new employee in the manufacturing department is hired, they are automatically assigned access to the manufacturing app through the access package. When employees leave, or change jobs, their assignment is automatically removed, so they can no longer access that application.  

 

Some users outside the manufacturing department need time-limited access to the manufacturing app. To accommodate this requirement, the admins at Contoso have a second policy that allows other employees to request access to the application via an access package.

 

All users that need access are either automatically granted access or can self-service request the access they need. 


2. Automate provisioning accounts 

 

The manufacturing app is on-premises and doesn’t support modern standards such as SCIM, but it does have an OpenLDAP server used for access control. The administrators use the generic LDAP connector that Azure AD provides and set up provisioning. Users that are granted access to the manufacturing application through an access package automatically have accounts provisioned.

 

The admins at Contoso can take advantage of the out-of-the-box LDAP connector and automate provisioning, without needing to modernize their application.

 

 

3. Periodically review and certify access 

 

The manufacturing app has business-critical data, and Contoso is required as part of compliance processes to ask employees outside of the manufacturing department to regularly confirm that they need access and provide a justification. The administrators of Contoso set up a multi-stage access review of non-manufacturing users that have access to the app. First, the employee self-attests to requiring access, and then the review is transferred to the application owner for final approval. Users that do not complete the access review are automatically removed from the application.

 

Internal and external audit requirements are satisfied because the right access controls and reviews are in place, and the reason each access exists can be evidenced.
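The three steps above form a closed loop: an access-package assignment should result in exactly one account in the application's LDAP directory, and losing the assignment (leaver, job change, or a failed access review) should remove it. A practitioner will want to verify that the loop actually closes. The script below is an added example, not code from the original post or from Microsoft: it reconciles a constructed list of active assignments against a constructed `ldapsearch -LLL` export of the application's user OU and reports accounts that are missing (assigned but never created), orphaned (present but no longer assigned, the failure the access-review step exists to prevent), or impossible to correlate. The OU `ou=users,dc=contoso,dc=com`, the attribute names, and the use of `mail` as the matching attribute are assumptions.

```python
"""Reconcile access-package assignments against an OpenLDAP user store.

Added example, not from the original post or from Microsoft. Inputs are
constructed sample data; OU, attribute names and the `mail` match key are
assumptions.
"""
import base64
from dataclasses import dataclass, field

# Constructed: UPNs that currently hold the manufacturing access package.
ASSIGNMENTS = [
    "alice@contoso.com",  # manufacturing department, auto-assigned policy
    "Bob@contoso.com",    # case differs from the LDAP 'mail' value on purpose
    "carol@contoso.com",  # approved time-limited request, not yet provisioned
]

# Constructed `ldapsearch -LLL` export of the app's user OU. 'dave' no longer
# holds an assignment, so his entry is the deprovisioning failure to catch.
LDIF_EXPORT = """\
dn: uid=alice,ou=users,dc=contoso,dc=com
objectClass: inetOrgPerson
uid: alice
mail: alice@contoso.com
cn: Alice Example

dn: uid=bob,ou=users,dc=contoso,dc=com
objectClass: inetOrgPerson
uid: bob
mail: bob@contoso.com
cn: Bob Example
description: provisioned by the Entra provisioning agent via the
  generic LDAP connector

dn: uid=dave,ou=users,dc=contoso,dc=com
objectClass: inetOrgPerson
uid: dave
mail: dave@contoso.com
cn:: RGF2ZSDDlnJ0ZWdh

dn: uid=svc-ldap-bind,ou=users,dc=contoso,dc=com
objectClass: inetOrgPerson
uid: svc-ldap-bind
cn: Connector bind account
"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: blank-line separated entries, `attr: value`,
    base64 `attr:: value`, and folded lines that start with one space."""
    unfolded: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]        # RFC 2849 folding: drop the one space
        else:
            unfolded.append(raw)
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in unfolded + [""]:           # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        if value.startswith(":"):          # `attr:: <base64>`
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


@dataclass
class Reconciliation:
    ok: list[str] = field(default_factory=list)         # assigned and provisioned
    missing: list[str] = field(default_factory=list)    # assigned, no LDAP account
    orphaned: list[str] = field(default_factory=list)   # LDAP account, no assignment
    unmatched: list[str] = field(default_factory=list)  # entry lacks the match key


def reconcile(assignments, entries, match_attr: str = "mail") -> Reconciliation:
    """Compare the governance view (assignments) with the target (LDAP).
    Matching is case-insensitive, otherwise 'Bob' vs 'bob' would be reported
    as one missing plus one orphaned account instead of a correct match."""
    expected = {upn.lower() for upn in assignments}
    present: dict[str, str] = {}
    result = Reconciliation()
    for entry in entries:
        dn = entry["dn"][0]
        keys = [v.lower() for v in entry.get(match_attr, [])]
        if not keys:
            result.unmatched.append(dn)
        for key in keys:
            present[key] = dn
    for upn in sorted(expected):
        (result.ok if upn in present else result.missing).append(upn)
    result.orphaned = [dn for key, dn in sorted(present.items()) if key not in expected]
    return result


if __name__ == "__main__":
    report = reconcile(ASSIGNMENTS, parse_ldif(LDIF_EXPORT))
    print("provisioned:", report.ok)
    print("MISSING    :", report.missing)    # provisioning lag or failed create
    print("ORPHANED   :", report.orphaned)   # deprovisioning did not happen
    print("unmatched  :", report.unmatched)  # cannot be correlated at all
```

In a real deployment the assignment list would come from the entitlement management assignment report or Microsoft Graph, and the LDIF from the OpenLDAP server the connector targets; the matching attribute should be whichever one the provisioning configuration uses for matching, since an account the service cannot correlate will neither be updated nor removed.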


Together with Azure AD’s entitlement management, provisioning, and access review capabilities, Contoso is able to provide access to both SaaS and on-premises applications while ensuring governance and security requirements are met. Go enable this new capability today and start governing access to on-prem applications in the same way you do your SaaS applications. 

  

This is just the beginning of on-premises support from Microsoft Entra Identity Governance. We’ll continue to invest more, including the ability to provision using PowerShell, Web Services, and other custom connectors to line of business applications so that customers using Microsoft Identity Manager (MIM) can migrate their provisioning capabilities to Microsoft Entra Identity Governance.

 

We love hearing from you, so share your feedback on these new features through the Azure forum or by tagging @AzureAD on Twitter.  

 

 

Joseph Dadzie, Partner Director Product Management

Twitter: @joe_dadzie

LinkedIn: @joedadzie


Updated Feb 03, 2023
Version 1.0
  • MikeCrowley (Iron Contributor)

    LLtoppled, As stated in the article, you cannot provision back to AD with this solution, which has been a disappointing elephant in the room since it was announced in preview a while back. You can however write-back to AD with AAD Connect for groups, and if you want to write-back users, you can use Power Automate or Azure Hybrid workers. Additionally, if you have one of the supported HR platforms, you can write back from them via AAD Connect as well.

     

    Also, lol that Azure AD isn't yet a "true IAM solution". 

  • LLtoppled (Copper Contributor)

    This sounds really interesting. Is Entra evolving to become a true IAM solution?

    I want to automate the provisioning of on-prem AD users from an HR application which syncs to the cloud (typical hybrid). Right now I need a third-party solution or MIM (which is still supported but has had EoL announced and moved back multiple times) to provide this functionality. If Entra were able to do it... now that would be something! :lol:

  • Dan_B1135 (Copper Contributor)

    I'll call out what someone else here has as well, because it really undermines the overall solution, and that is provisioning from AAD > AD.

  • LLtoppled (Copper Contributor)

    MikeCrowley: Hi Mike, thanks for your insights. I will make sure to dig into the topics you mentioned to get a better understanding of the different solutions.

     

    I probably should have phrased it better regarding the IAM topic. 

  • Oyvind_Balk (Copper Contributor)

    I like the statement in this article: "We’ll continue to invest more, including the ability to provision using PowerShell, Web Services, and other custom connectors to line of business applications so that customers using Microsoft Identity Manager (MIM) can migrate their provisioning capabilities to Microsoft Entra Identity Governance".

    We are using MIM for all automation of employees in an Office 365 hybrid solution with about 20,000 employees and are looking into API-driven provisioning to migrate from MIM to Entra ID Governance. As I understand it, we will need to use our on-premises AD as the source of truth for all our users, with sync to Azure AD, as long as there is no available solution for full sync from Azure AD to on-premises AD.

    I will be happy to know when this will become a reality.