JIT User and User Group synchronization leverages the Entra ID application that is entered for Secure Application Access. There are additional items that need to be configured to enable the correct APIs.

Use this task to synchronize users and user groups using Just-In-Time (JIT) provisioning.
- In the registered application, go to the Authentication section. Select ID tokens under Implicit grant and hybrid flows.
- Select Save.
- Under Token configuration select Add optional claim and select upn, family_name, and given_name.
- Select Add.
- If prompted, select the check box to turn on the Microsoft Graph profile permission and select Add.
- Select Add groups claim followed by Groups assigned to the application.
- Under the ID section, select Group ID and select Add.
- Under API permissions select Add a permission.
- Select Microsoft Graph.
- Next, choose Application permissions. Under Select permissions:
  - Filter on Group and select Group.Read.All.
  - Filter on GroupMember and select GroupMember.Read.All.
  - Filter on User and select User.Read.All.
- Click Add permissions to add them to the API permissions list.
- On the API permissions page, select Grant admin consent for <Company Name>.
- Under Overview, scroll to the bottom and select Go to Enterprise Applications.
- Under Manage select Properties and set the Assignment Required option to Yes.
- Select Save.
- The final step in Entra ID is to assign Users and groups. Under Users and groups, assign all groups that should be leveraged in Universal ZTNA.
- In Universal ZTNA, go to .
- Select the Sync Entra ID Users and User Groups option.
- Under Sync Users and User Groups select JIT (Just-in-time) from the Sync Using drop-down list.
- Select Validate.
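The steps above configure the Entra ID application so that the ID token it issues carries the claims JIT provisioning depends on: upn, family_name, given_name, and a groups claim containing the object IDs of the groups assigned to the application. When Validate fails or users arrive without group membership, the fastest check is to look at what the token actually contains. The following script is an added example, not part of the original procedure or of Universal ZTNA; it decodes a JWT payload and reports which of those claims are missing, whether the groups are object-ID GUIDs, and whether Entra replaced the groups claim with a group-overage indicator (`_claim_names`/`_claim_sources`), which happens when a user belongs to more groups than fit in the token. The sample tokens are constructed inline with a placeholder signature; signature, issuer and audience validation is assumed to be done elsewhere and is not shown here.

```python
import base64
import json
import re

# Claims the Entra ID token configuration in this task is meant to produce.
REQUIRED_CLAIMS = ("upn", "family_name", "given_name", "groups")

# Group IDs in the groups claim are Entra object IDs (GUIDs).
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_id_token_payload(id_token: str) -> dict:
    """Return the JSON payload (claims) of a compact JWT.

    Signature, issuer, audience and expiry checks are assumed to be
    performed by the relying party; this only inspects claim contents.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_jit_claims(payload: dict) -> dict:
    """Report whether the payload carries what JIT user/group sync needs."""
    missing = [claim for claim in REQUIRED_CLAIMS if claim not in payload]
    # Group overage: Entra omits 'groups' and points to Graph via _claim_names.
    overage = "groups" not in payload and "groups" in payload.get("_claim_names", {})
    groups = payload.get("groups", [])
    non_guid = [g for g in groups if not isinstance(g, str) or not GUID_RE.match(g)]
    return {
        "missing": missing,
        "group_overage": overage,
        "non_guid_groups": non_guid,
        "ok": not missing and not non_guid,
    }


def make_sample_token(payload: dict) -> str:
    """Constructed test token: real header shape, placeholder signature segment."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"


# Constructed sample claims (not real tenant data).
SAMPLE_GOOD_TOKEN = make_sample_token({
    "aud": "00000000-0000-0000-0000-000000000000",
    "upn": "jdoe@example.com",
    "given_name": "Jane",
    "family_name": "Doe",
    "groups": ["11111111-2222-3333-4444-555555555555"],
})

# Same user, but the groups claim has been replaced by an overage indicator.
SAMPLE_OVERAGE_TOKEN = make_sample_token({
    "aud": "00000000-0000-0000-0000-000000000000",
    "upn": "jdoe@example.com",
    "given_name": "Jane",
    "family_name": "Doe",
    "_claim_names": {"groups": "src1"},
    "_claim_sources": {"src1": {"endpoint": "https://graph.microsoft.com/v1.0/users/jdoe@example.com/getMemberObjects"}},
})

if __name__ == "__main__":
    for label, token in (("good", SAMPLE_GOOD_TOKEN), ("overage", SAMPLE_OVERAGE_TOKEN)):
        print(label, check_jit_claims(decode_id_token_payload(token)))
```

If the report shows `group_overage` set, the groups claim alone cannot drive group synchronization and the Group.Read.All and GroupMember.Read.All application permissions granted in the steps above are what allow membership to be resolved instead. Selecting "Groups assigned to the application" together with Assignment Required = Yes keeps the groups claim limited to the groups actually assigned, which also keeps it well under the overage limit.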