User provisioning and deprovisioning is a continuous lifecycle: join → change → leave. When done manually, this process isn’t just time-consuming, but can also lead to delays, inconsistencies, and security risks. Automating the process through Microsoft Entra ID (Azure AD) user provisioning and SCIM can eliminate these risks.
Organizations can automatically create, update, or deactivate user accounts across Microsoft 365, SaaS apps, and line-of-business systems based on HR triggers, group membership, or role changes. With automation in place, you gain:
- Zero-touch account creation and removal
- Automatic assignment of roles, groups, and licenses
- Near real-time deactivation upon termination or offboarding
- Centralized audit logging and compliance visibility
- Reduced risk of orphaned accounts in third-party platforms
This guide walks through how to implement SCIM-based provisioning and deprovisioning in Microsoft Entra ID (Azure AD) , from initial setup to monitoring and compliance controls.
Methods you need when automating user provisioning and deprovisioning with Azure AD and SCIM
Before getting into the methods, make sure the following requirements are in place to avoid errors:
📌 General prerequisites:
- “Microsoft Entra ID Premium (P1 or P2) license.
- Access to the Azure portal (Global Admin or Identity Administrator role)
- SCIM 2.0-compatible SaaS applications (e.g., Slack, Zoom, GitHub, Adobe, Salesforce)
- API endpoints or SCIM tokens for custom integrations
- PowerShell module: Microsoft.Graph
Optional: RMM platform integration (e.g., NinjaOne) to manage endpoint changes
Method 1: Setting up an Enterprise Application with SCIM provisioning in Microsoft Entra ID (Azure AD)
This method uses Entra ID’s provisioning engine to send user details to SaaS apps via SCIM automatically.
📌 Use Cases: Use this when integrating Entra ID with SaaS apps like Zoom, Slack, etc.
Step-by-step:
- Open Microsoft Entra Admin Center > Microsoft Entra ID > Enterprise Apps.
- Click + New Application and select a SCIM-compatible app you want (e.g., GitHub, Dropbox, ServiceNow), and then click on “create”.
- Navigate to the Provisioning tab under the Manage menu.
- Set Provisioning Mode to Automatic.
- Enter the SCIM endpoint URL and Secret Token (provided by SaaS vendor).
- Click Authorize in the Admin Credentials section. You’ll be redirected to the SaaS vendor’s login page (e.g., Dropbox) where you must sign in with an admin account to grant Microsoft Entra access.
- Once authorization is complete, use Test Connection to confirm the setup.
- Under Mappings, define attribute transformations (e.g., userName, emails. value, userPrincipalName).
- Click Save and set Provisioning Status to On.
Azure AD will now auto-provision users based on group membership or directory changes.
Method 2: Using group-based access for dynamic provisioning
This method automatically provisions users to apps based on group membership. When users join or leave groups, access is automatically granted or revoked.
📌 Use Cases: Use this when granting access to apps based on department or role (e.g., all people in the Marketing group get access to Canva).
📌 Prerequisites:
- Security or Microsoft 365 groups in Entra ID
- Enterprise app configured for provisioning
Step-by-step:
- Create or identify a Security Group or Dynamic Group in Entra ID.
- Assign the group to an enterprise SCIM-connected app via Enterprise App > [App name] >Users and Groups > Add Group/group..
- Define dynamic membership rules (e.g., based on department, title, or location).
(Read #1 ⚠️ Things to look out for.)
Example rule:
(user.department -eq "Sales") and (user.accountEnabled -eq true) |
Users who are added to this group (via HR sync or onboarding) are automatically provisioned into the connected app with mapped roles or permissions.
Method 3: Automating with PowerShell and Microsoft Graph for provisioning tasks
This method uses PowerShell scripts and Microsoft Graph API to manage users and provisioning tasks programmatically.
📌 Use Cases: Use this when you’re managing bulk onboarding or offboarding, integrating with HR systems, or needing custom provisioning logic
📌 Prerequisites:
- You must run PowerShell as administrator.
- Microsoft Graph PowerShell SDK
Step-by-step:
Run the following commands:
- Open PowerShell as Admin (Read #2 ⚠️ Things to look out for.)
Install-Module Microsoft.Graph -Scope CurrentUser
|
- Connect to Microsoft Graph with sufficient scopes
Connect-MgGraph -Scopes "User.ReadWrite.All","Group.ReadWrite.All","GroupMember.ReadWrite.All" |
- Create a new user in Azure AD
New-MgUser `
|
- Add user to provisioning group:
# $GroupId = target group's object ID
|
- Disable a user for deprovisioning
Update-MgUser -UserId $UserId -BodyParameter @{ accountEnabled = $false } |
- Remove user from all app groups
Get-MgUserMemberOfAsGroup -UserId $UserId -All | ForEach-Object {
|
📌 Notes:
- Replace placeholder values (like Jane Doe, [email protected], $GroupId, $UserId, and TempPass123!) with your actual tenant data.
- You can’t remove members from dynamic groups. Membership is rule-based.
- Use scheduled or triggered RMM scripts to run these during onboarding or offboarding events.
Method 4: Using CMD and GPO to control local account behavior after cloud deprovisioning
This method ensures local Windows accounts get locked or deleted after a user is deprovisioned from Azure AD to prevent security risks.
📌 Use Cases: Use this when you have Hybrid Azure AD Joined or co-managed devices and you want to lock out access locally post-deprovisioning.
📌 Prerequisites:
- Access to Group Policy
- Domain-joined or hybrid devices
Instructions:
- Disable cached domain logins post-deprovisioning
- Press Win + S and type cmd.
- Right-click Command Prompt, then select Run as administrator.
- Run the following command:
rundll32 netplwiz.dll,ClearAutoLogon |
- Use Group Policy to force logoff or lockout sessions after cloud deactivation (Read #3 ⚠️ Things to look out for.)
- Press Win + R, type gpedit.msc, and click Enter to open the Group Policy Editor.
📌 Note: Use gpmc.msc for Group Policy Management Console on domain controllers.
- Navigate to:
| Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options |
- Find and modify the setting:
| Interactive logon: Number of previous logons to cache |
- Set value to 0
- Schedule shutdown or lockout script for deprovisioned users
- Press Win + S, type cmd or PowerShell, and click Enter to launch the tool.
- Run:
shutdown -l |
Integrate these scripts into the RMM to align endpoint behavior with Azure status.
Method 5: Registry controls for account lifecycle enforcement
This method modifies Windows Registry keys to enforce stricter user session or account removal rules.
📌 Use Cases: Use this if you want fine-grained control on Windows machines (on-prem or hybrid).
📌 Prerequisites:
- Admin access to Registry Editor
⚠️ Warning: Editing the registry can cause system issues. Create a backup before proceeding.
Instructions: (Read #4 ⚠️ Things to look out for.)
- Block persistent cached credentials
- Press Win + R, type regedit, and click Enter to launch the Registry Editor.
- Navigate to:
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon |
- Find and double-click the value named CachedLogonsCount.
💡 If the value does not already exist, create it manually as a New > String Value (REG_SZ).
- Set its value to 0.
- Close the Registry Editor.
- Track the last successful login for orphaned account detection
- Press Win + R, type regedit, and click Enter to launch the Registry Editor.
- Navigate to:
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI |
- Look for the value:
| LastLoggedOnUser |
Use RMM scripts to scan registry values and identify stale or unused accounts for remediation.
Method 6: Monitoring and auditing provisioning events
📌 Use Cases: Use this when tracking provisioning actions for troubleshooting, security, and compliance.
📌 Prerequisites:
- Azure AD Premium with an Exchange Online License
- Unified Audit Log enabled in Microsoft Purview
Instructions:
- Use Azure audit logs to review provisioning activity
- Open PowerShell.
- Install and import the Exchange Online module
Install-Module ExchangeOnlineManagement -Scope CurrentUserImport-Module ExchangeOnlineManagement |
- Connect to Microsoft Purview
Connect-ExchangeOnline
|
- Run the Unified Audit Log search:
Search-UnifiedAuditLog -Operations "Add user", "Delete user", "Update user" |
💡 You may add date filters to control the range:
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -Operations "Add user","Delete user","Update user" |
- Set alerts for provisioning anomalies in Azure
Use Microsoft Sentinel or Microsoft 365 Defender to alert on:
- Excessive user creation
- Unauthorized group membership changes
- Failed SCIM provisioning calls
⚠️ Things to look out for
| Risks | Potential Consequences | Reversals |
| 1. Group assignment misalignment | Users are not provisioned or deprovisioned as expected. | Adjust dynamic group rules or manually update group membership in Groups > [Group Name] > Members. |
| 2. Running PowerShell without elevated rights | PowerShell commands fail with access errors. | Reopen PowerShell as Administrator. |
| 3. GPO misconfigurations | Local users may still log in after being deprovisioned. | Verify settings in gpedit.msc or Group Policy Management Console, and test on a sample machine. |
| 4. Incorrect registry edits | Can cause login issues or system instability | Always back up the registry before changes; undo via .reg file or restore point. |
Additional considerations
Here are critical operational and security considerations you must know about Microsoft Entra ID (Azure AD) SCIM-based deployment:
SCIM throttling
SCIM APIs have rate limits from SaaS vendors. These limits control how many provisioning operations can be processed within a given period.
High volumes can trigger throttling or request rejection, which delays sync.. Always review the vendor’s SCIM rate limits and behavior under load.
Attribute mapping
Microsoft Entra ID (Azure AD)sends user attributes such as name, email, and department to target apps. These must match the app’s expected schema, or provisioning can fail silently or result in misconfigured access.
Use Microsoft Entra ID´s (Azure AD) custom attribute mapping feature to align fields to the SCIM schema. Moreover, test mappings in staging before enabling automatic provisioning.
License assignment
Some apps require a user to have a valid license before provisioning can be completed. Use group-based licensing in Microsoft Entra ID to automate license assignment.
Custom SCIM connectors
For apps that don’t support native SCIM, you can create a bridge using the Azure SCIM Gateway or implement custom integrations with Azure Logic Apps, Azure Functions, or Power Automate.
Security and compliance
Stale accounts pose serious security risks. If deprovisioning is delayed, users may retain access to sensitive systems. To ensure maximum security, use automated deprovisioning triggers and log all access events.
Troubleshooting
Here’s how to identify and resolve common issues in Microsoft Entra ID (Azure AD) SCIM provisioning deployments:
Provisioning delay
Azure AD’s provisioning via SCIM is not real-time. Sync cycles typically run every 20-40 minutes for most enterprise apps, and delays may occur due to throttling or failed API calls. Here’s what you can do:
- Navigate to Azure Portal > Azure AD > Enterprise Applications > [Your App] > Provisioning
- Check:
- Last sync start and end time
- SCIM connection status
- Provisioning logs (check failure causes, retries, and quarantine status).
Users not synced
If users don’t appear in the target app after provisioning:
- Confirm users are assigned to the app:
Azure AD > Enterprise Applications > [App] > Users and Groups
- Verify attribute mapping:
Azure AD > Enterprise App > Provisioning > Mappings
Make sure the group is in scope for provisioning.
Deprovisioning fails
If users remain active in the app after removal, here’s what you need to do:
- Check if the SCIM token is still valid and has delete permissions.
- Some apps disable users by setting active=false rather than deleting them, Check the app’s SCIM schema.
- If necessary, manually remove the user or call the app’s API directly.
PowerShell errors
PowerShell failures are commonly caused by missing Microsoft Graph delegated permissions (scopes), expired tokens, incorrect object IDs, or insufficient Microsoft Entra ID roles. Here’s what you can do:
- Connect to Microsoft Graph with the correct scopes:
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All"
- Check your context:
Get-MgContext
Validate object IDs before passing them to Graph operations.
NinjaOne services
While user lifecycle is controlled in Azure AD and SaaS platforms, NinjaOne strengthens endpoint compliance and enforcement during provisioning and deprovisioning:
| NinjaOne services | How NinjaOne complements provisioning automation with endpoint compliance enforcement |
| Script automation | Trigger local account disablement, lockout, or cleanup when a Microsoft Entra ID (Azure AD) account is deprovisioned. |
| Endpoint visibility | Detect orphaned accounts or machines still logged in under inactive users. |
| Policy enforcement | Push GPO or registry keys that align with SCIM-based access policies. |
| Event monitoring | Alert on local login attempts by disabled or unknown users. |
| Logging and reporting | Provide export audit-ready logs for provisioning-related endpoint actions. |
With NinjaOne, MSPs and IT teams can ensure that cloud identity governance is fully supported by responsive, policy-aligned behavior at the device level.
Quick-Start Guide
Key Features:
– Automatic User Creation: New users in Azure AD are automatically provisioned in NinjaOne.
– Automatic User Deletion: When users are removed from Azure AD, their accounts are deactivated in NinjaOne.
– Group-to-Role Mapping: Assign NinjaOne roles based on Azure AD group memberships.
– SCIM Token Management: Tokens expire after six months and must be regenerated.
Prerequisites:
1. Enable SSO in NinjaOne with Azure AD.
2. Enable SCIM provisioning via a request to NinjaOne Sales.
3. Use Azure AD or Okta as your IdP (other providers are not fully supported).
Setup Steps:
1. Enable SCIM in NinjaOne:
– Navigate to Administration > Accounts > Identity Provider.
– Turn on the Enable SCIM provisioning toggle and generate a SCIM token.
2. Configure SCIM in Azure AD:
– In the Azure Enterprise Application for NinjaOne, go to the Provisioning tab.
– Paste the SCIM token and tenant URL from NinjaOne.
– Map Azure AD attributes to NinjaOne attributes (e.g., userPrincipalName to userName).
3. Group Mapping:
– In NinjaOne, map Azure AD groups to roles under Administration > Accounts > Identity Provider > Group Mapping.
4. Test the Connection:
– Use the Test Connection option in Azure AD to ensure provisioning works correctly.
Important Notes:
– Supported IdPs: Azure AD and Okta are fully supported. Other SCIM-compatible IdPs may work but lack full support.
– User Types: System Administrators cannot be assigned via SCIM and must be created manually in NinjaOne.
– Deactivation vs. Deletion: SCIM deactivates users in NinjaOne but does not delete them. Deleted users must be removed manually if needed.
For detailed instructions, refer to the NinjaOne Dojo articles on SCIM Configuration and SCIM Internal Troubleshooting.
Automating user provisioning and deprovisioning with Microsoft Entra ID (Azure AD) and SCIM
Automating user provisioning and deprovisioning with Microsoft Entra ID (Azure AD)and SCIM improves identity lifecycle management, reduces security risks, and supports compliance. Most importantly, it greatly enhances onboarding and offboarding speed across cloud apps and connected devices.
This guide outlined the key components of a secure, scalable provisioning framework, from configuring Microsoft Entra ID (Azure AD) and SCIM to extending automation with PowerShell and Microsoft Graph. It also covered how to enforce access policies at the endpoint level using CMD scripts, Group Policy, and registry controls, as well as how to monitor and audit identity changes for full visibility.
Finally, we explored how NinjaOne enhances this ecosystem by aligning device behavior with identity policy.
Related topics:
