Hi everyone! I'm looking for advice on how to create users in our on-premises Active Directory using third-party software that our HR department can operate. Currently, we're only integrated with Entra ID and ADFS, but we prefer not to use ADFS for various security reasons. Unfortunately, Entra ID doesn't support write-backs.
While I could set up a PowerShell script with an Azure hybrid runbook to create the users, I'm also tasked with moving towards a zero trust network. Budget constraints are a concern, so creating a dedicated VM for this task isn't feasible right now. I'm also curious about the relevance of jump servers in 2025 for executing scripts against AD, and whether it's a sound approach since I don't want to install agents on my domain controllers and run the scripts directly there. Any insights would be greatly appreciated!
3 Answers
Consider creating an enterprise app that has the necessary permissions for the required API. Just make sure to set up authentication with a certificate. That way, you won't need to run those scripts from your internal server.
What HR system are you using? If it's one of the major platforms like Workday, there's an Enterprise App designed for integration with Entra ID that can help with this. Check out the inbound provisioning capabilities!
You might want to explore API-based user provisioning in Entra ID. It could streamline the user creation process without relying too heavily on your infrastructure.
Yes, we are looking into the inbound provisioning API of Entra ID as a potential solution.