How to do Entra (Azure AD) user provisioning for multiple clients as an MSP?
03-11-2024 04:27 PM
Hi,
We are an MSP using domain sep with multiple clients who are using Microsoft Entra (aka Azure AD) and we would like to integrate with each client's Entra tenant to auto provision their users in our instance.
The document here:
https://learn.microsoft.com/en-us/entra/identity/saas-apps/servicenow-provisioning-tutorial
shows the basic method for setting this up.
However, it requires using a SNOW account that has admin rights. Since this is to integrate with external clients, we don't want to give admin to the application, even one maintained by SNOW, if it is at all avoidable.
Is there a more restricted set of roles we can give the account that would still allow it to work? We can domain the account, but if it has full admin rights that can always be gotten around. Is there at least a way to only give rights during an initial set up phase and then the account can be given more limited rights to do the actual provisioning?
If not, can anyone suggest an alternative method, other than getting the Entra spoke and essentially creating our own custom process?
Thanks!
Labels: Architect
07-03-2025 11:23 AM
I had the same concern a few years ago -- giving out user creds with admin permissions. I did some testing and found out that Entra/AAD user provisioning uses SOAP. I adjusted the user accounts to only have a set of SOAP roles. Works like a charm.
07-22-2025 02:24 AM
Hello Kim, what exactly did you do to make it work? Can you help me please?
07-22-2025 09:06 AM
We create a local user account per client - name it whatever you like. Give this user / password to the client when they are setting up the Azure user provisioning step. These are the roles I give to that user. You could probably pare them down more, but I was happy with this. The roles here are enough for Azure to create/update users in ServiceNow.
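The answer above relies on two controls: a dedicated local account per client that holds only SOAP roles, and (as the original question suggests) domaining that account. Both are only as good as the checks that confirm they still hold. The script below is an added example written for this thread, not code from any poster or from ServiceNow; it audits a constructed set of transaction records and role assignments for such accounts. The record shape (`user`, `channel`, `method`, `path`, `domain`) and the role allowlist are assumptions made for the sample; the exact role set the post uses is not reproduced here, and the real transaction-log schema is not what is modelled.

```javascript
// Added example for the thread above; not code from any poster or from ServiceNow.
// Two checks a defender would run against per-client Entra provisioning accounts:
//   1. traffic from those accounts is SOAP against the user table, inside the
//      client's own domain;
//   2. the accounts hold only the expected SOAP roles (never admin).
// Record fields and the role allowlist are assumptions for this sample.

const POLICY = {
  // provisioning account -> the client domain it is allowed to touch (assumed names)
  accountDomain: {
    entra_prov_clienta: "ClientA",
    entra_prov_clientb: "ClientB",
  },
  // SOAP against the user table is the only traffic expected from these accounts
  allowedPaths: new Set(["/sys_user.do"]),
  allowedChannels: new Set(["soap"]),
};

// Constructed sample: four normal records and three that break policy.
const SAMPLE_EVENTS = [
  { user: "entra_prov_clienta", channel: "soap", method: "POST", path: "/sys_user.do", domain: "ClientA" },
  { user: "entra_prov_clienta", channel: "soap", method: "POST", path: "/sys_user.do", domain: "ClientA" },
  { user: "entra_prov_clientb", channel: "soap", method: "POST", path: "/sys_user.do", domain: "ClientB" },
  { user: "admin_jdoe", channel: "ui", method: "GET", path: "/sys_user_list.do", domain: "global" },
  // provisioning account writing into another client's domain
  { user: "entra_prov_clienta", channel: "soap", method: "POST", path: "/sys_user.do", domain: "ClientB" },
  // provisioning account used interactively in the UI
  { user: "entra_prov_clientb", channel: "ui", method: "GET", path: "/sys_user_list.do", domain: "ClientB" },
  // provisioning account reaching a table outside its job
  { user: "entra_prov_clientb", channel: "soap", method: "POST", path: "/sys_user_has_role.do", domain: "ClientB" },
];

// Returns one finding per violated rule; non-provisioning users are ignored.
function auditProvisioningEvents(events, policy) {
  const findings = [];
  events.forEach((ev, index) => {
    const expectedDomain = policy.accountDomain[ev.user];
    if (expectedDomain === undefined) return;
    if (!policy.allowedChannels.has(ev.channel)) {
      findings.push({ index, user: ev.user, rule: "non_soap_channel", detail: ev.channel });
    }
    if (!policy.allowedPaths.has(ev.path)) {
      findings.push({ index, user: ev.user, rule: "unexpected_path", detail: ev.path });
    }
    if (ev.domain !== expectedDomain) {
      findings.push({ index, user: ev.user, rule: "cross_domain", detail: `${ev.domain} != ${expectedDomain}` });
    }
  });
  return findings;
}

// Counts findings per rule, e.g. { cross_domain: 1, unexpected_path: 2 }.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.rule] = (counts[f.rule] || 0) + 1;
  return counts;
}

// Assumed allowlist for this example; the post's own role list is not shown here.
// admin must never appear on a provisioning account.
const ALLOWED_ROLES = new Set(["soap", "soap_create", "soap_update", "soap_query"]);

// Constructed sample: the second account has picked up admin.
const SAMPLE_ROLES = {
  entra_prov_clienta: ["soap", "soap_create", "soap_update", "soap_query"],
  entra_prov_clientb: ["soap", "soap_create", "soap_update", "soap_query", "admin"],
};

// Returns { user: [roles outside the allowlist] } for accounts that drifted.
function findExcessRoles(assignments, allowed) {
  const excess = {};
  for (const [user, roles] of Object.entries(assignments)) {
    const extra = roles.filter((r) => !allowed.has(r));
    if (extra.length > 0) excess[user] = extra;
  }
  return excess;
}

console.log("traffic findings:", summarize(auditProvisioningEvents(SAMPLE_EVENTS, POLICY)));
console.log("role drift:", findExcessRoles(SAMPLE_ROLES, ALLOWED_ROLES));
```

Run it with `node` and it reports one cross-domain write, one interactive session and two off-table requests from the provisioning accounts, plus the admin role that crept onto `entra_prov_clientb`. The same two functions can be fed real export data once the field names are mapped to whatever your instance actually logs.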