How to configure Entra ID Provisioning with Agent for Intranet-use?

Question

I need Entra provisioning to run on Intranet with no incoming connection from Microsoft.

I installed the "Microsoft Entra provisioning agent" with extension "On-premises application provisioning (Azure AD to application)" on a local server.

After installation I see the agent below "Cloud sync | Agents" with status "active" in Entra.

When trying to add a "New cloud sync configuration" I have a dropdownlist which is disabled but when I click on "For a list of active agents, click here" it shows my agent, but I cannot select it.

When clicking on "Provisioning" on my enterprise application in Entra I have the following two options:

1. Provisioning mode "Manual" without any other setting and with the "Save" button DISABLED

2. Provisioning mode "Automatic" where I can enter the "Tenant URL", but I don't know which Url i have to enter in this case. The Agent URL does not seem to work (Test connection fails and it also fails when trying to save the configuration). Maybe I am entering it wrong?

I just don't get how I can configure Entra to do provisioning from Entra to my Agent and further to my local application with the SCIM REST endpoint.

Thank you in advance!

Answer 1

SCIM is a REST API-based protocol. Requests for SCIM are performed via HTTP requests (GET, POST, PATCH..) and need an HTTP URL. Even if the application is hosted "on-prem", it needs to have an HTTP server running to handle the HTTP request/response processing. The URL doesn't need to be externally resolvable, but does need to be accessible to the provisioning agent and resolvable via the internal DNS available to the server the agent is running on.