In Microsoft Entra ID, application provisioning refers to the automated creation, maintenance, and removal of user identities and roles in cloud (SaaS) applications.
Provisioning ensures that users receive the correct access when they join, change roles, or leave the organization. A common example is automatically provisioning a Microsoft Entra user into applications such as Dropbox, Salesforce, or ServiceNow.
What application provisioning includes
Updating user attributes when changes occur.
Assigning or removing roles and group memberships.
Disabling or deleting accounts when users leave.
This lifecycle automation reduces administrative effort and security risk.
Key capabilities of application provisioning
Automate provisioning, creating accounts automatically when users join.
Automate deprovisioning, disabling or removing accounts when users leave.
Synchronize identity data, keeping apps aligned with directory or HR data.
Provision groups, when the target application supports group provisioning.
Govern access, by monitoring who has been provisioned.
Support brownfield scenarios, by matching existing accounts instead of recreating them.
Customize attribute mappings, controlling which attributes flow to target apps.
Generate alerts, including Log Analytics integration for custom alerting.
These features make provisioning a governance control, not just a convenience feature.
Manual vs automatic provisioning
Applications in the Microsoft Entra ID App Gallery support either manual or automatic provisioning.
Manual provisioning
Manual provisioning means there is no Microsoft Entra provisioning connector available for the application.
User accounts must be created manually.
Methods may include using the app’s admin portal or uploading spreadsheets.
Provisioning behavior depends on the app’s own tooling.
Automatic provisioning
Automatic provisioning means a Microsoft Entra provisioning connector exists for the application.
You follow a setup tutorial to enable provisioning.
Microsoft Entra handles user lifecycle automatically.
Gallery apps that support automatic provisioning are marked with a Provisioning icon.
The provisioning mode is also visible on the Provisioning tab of the enterprise application after it is added.
System for Cross-domain Identity Management (SCIM)
Provisioning is difficult because every application historically implemented user management APIs differently.
The System for Cross-domain Identity Management (SCIM) specification solves this problem by defining:
A common user and group schema.
Standard REST-based endpoints.
Consistent behavior for create, update, and delete operations.
SCIM is increasingly becoming the standard protocol for provisioning.
When SCIM is combined with SAML or OpenID Connect, administrators gain a complete, standards-based access management solution.
SCIM endpoints and behavior
/Users, for managing user identities.
/Groups, for managing group memberships.
SCIM uses HTTP verbs such as POST, PUT, PATCH, and DELETE, together with a predefined schema that includes:
Username.
First name.
Last name.
Email address.
Group name.
Applications that expose a SCIM 2.0 REST API can integrate easily with Microsoft Entra ID and other SCIM-compliant clients.
Building a SCIM endpoint for provisioning
Application developers can implement a SCIM endpoint to support automatic provisioning with Microsoft Entra ID. Benefits include:
Eliminating the need for proprietary APIs.
Immediate compatibility with SCIM clients.
Ability to reuse open-source SCIM libraries.
Instead of building a custom provisioning system from scratch, developers can rely on the SCIM standard and community tooling.
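The /Users lifecycle described above (create, update attributes, disable, delete), as an added example that is not code from Microsoft or from any SCIM library. The class name ScimUsers, the in-memory store and the allowlist of writable attributes are assumptions made for illustration; status codes and schema URNs follow SCIM 2.0 (RFC 7643 and RFC 7644).

```python
import uuid

USER = "urn:ietf:params:scim:schemas:core:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
MUTABLE = {"userName", "displayName", "active"}  # assumption: "id" is never client-writable

def err(status, detail):
    return status, {"schemas": [ERROR], "status": str(status), "detail": detail}

class ScimUsers:
    """In-memory stand-in for an application's /Users endpoint (hypothetical)."""
    def __init__(self):
        self.users = {}

    def post(self, body):
        """POST /Users: create the account, or 409 if userName is taken."""
        name = body.get("userName")
        if USER not in body.get("schemas", []) or not name:
            return err(400, "core User schema and userName are required")
        if any(u["userName"].lower() == name.lower() for u in self.users.values()):
            return err(409, "userName already exists")
        user = {"schemas": [USER], "id": str(uuid.uuid4()), "userName": name,
                "displayName": body.get("displayName", ""), "active": True}
        self.users[user["id"]] = user
        return 201, user

    def patch(self, user_id, body):
        """PATCH /Users/{id}: 'replace' on allowlisted attributes, applied atomically."""
        if user_id not in self.users:
            return err(404, "no such user")
        if PATCH_OP not in body.get("schemas", []):
            return err(400, "PatchOp schema is required")
        updated = dict(self.users[user_id])  # work on a copy so a bad op changes nothing
        for op in body.get("Operations", []):
            path, value = op.get("path"), op.get("value")
            # "op" is compared case-insensitively because clients differ in capitalisation
            if str(op.get("op", "")).lower() != "replace" or not isinstance(path, str) or path not in MUTABLE:
                return err(400, "unsupported operation or path")
            if path == "active" and not isinstance(value, bool):  # the string "False" is truthy
                return err(400, "active must be a JSON boolean")
            updated[path] = value
        self.users[user_id] = updated
        return 200, updated

    def delete(self, user_id):
        """DELETE /Users/{id}: remove the account; 204 with no body on success."""
        if self.users.pop(user_id, None) is None:
            return err(404, "no such user")
        return 204, None
```

Disabling an account is a PATCH that replaces active with false; rejecting non-boolean values and unknown paths keeps a malformed request from leaving a departed user enabled or overwriting the immutable id.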