We have a hybrid Active Directory environment. User account creation must always happen on‑premises in AD, after which the accounts are synchronized to Entra ID via Azure AD Connect / Entra Connect.
However, some security groups only exist in Entra ID. When a role is assigned that includes one of these Entra-only security groups, the system attempts to create the user account directly in Entra ID. This fails, because in our setup the account should not be created in Entra ID first, but in on‑prem AD.
As a result, we get an error whenever such a role is assigned to a user that doesn’t yet exist in Entra ID.
My question:
How can I prevent Entra ID from trying to create user accounts directly in Entra ID in this scenario, and ensure that all user creation is done only in on‑prem AD (with Entra ID just receiving synced accounts)?
Any guidance, best practices, or configuration tips would be greatly appreciated.
You can prevent the Entra ID account creation by adding an additional role assignment criterion to your Entra-only security groups role, if it is a dynamic role, such as source = EntraID, attribute = accountEnabled, operation = equals, value = true. This ensures the identity is correlated to an Entra ID account and that the account is enabled before the role is assigned.
If the role is requestable, attach the Entra ID entitlement to an access profile, use the multiple account options in the access profile to add the same criteria, and attach the access profile to the role.
Apologies, the multiple account option will not work in your case, since it triggers only when an identity is correlated to multiple accounts (and also for dynamic roles); please ignore it.
I would say you can handle it in a few ways.
Use a Before Provisioning Rule: skip the operation if it is a create.
Using a Workflow:
Trigger: Access Request
Actions: determine the request type; if it is a create, cancel the request. You may need to invoke SailPoint APIs to perform these operations.
While debugging the issue I have gone through the documentation and SailPoint Harbor Pilot help. I have shared a few potential solutions along with detailed steps in your chat. I haven’t implemented them yet—please try them out and let me know if they resolve your issue.
Solution 1: Disable Provisioning on the Entra ID Source
This will prevent account creation, but it also impacts other account operations.
Otherwise, you can stop account creation with a Before Provisioning Rule or a custom workflow (in which the specific Entra account creation would be prevented).
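The Before Provisioning Rule approach mentioned in both of the replies above, as an added example that is not from any of the posters or from SailPoint's documentation. It is a BeanShell rule body for an Identity Security Cloud BeforeProvisioning rule attached to the Entra ID source; it assumes the standard cloud-rule inputs `plan` (a `sailpoint.object.ProvisioningPlan`), `application` and `log`, and the source name `Entra ID (Hybrid)` is a placeholder for your own Entra source name.

```java
// Added example: Identity Security Cloud "BeforeProvisioning" rule body (BeanShell).
// Drops account-creation requests for the Entra ID source so that only operations
// against accounts that already exist (Modify, Enable, Disable, ...) reach the
// connector. Accounts must be created on-prem and arrive via Entra Connect.
// Assumes the standard rule inputs `plan`, `application` and `log`.
import java.util.ArrayList;
import java.util.List;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;

// Placeholder: name of the Entra ID source this rule is attached to.
// The rule already runs per source, so this check is a safety net, not a requirement.
String TARGET_SOURCE = "Entra ID (Hybrid)";

List accountRequests = plan.getAccountRequests();
if (accountRequests != null && !accountRequests.isEmpty()) {
    List keep = new ArrayList();
    for (int i = 0; i < accountRequests.size(); i++) {
        AccountRequest req = (AccountRequest) accountRequests.get(i);
        boolean isCreate = AccountRequest.Operation.Create.equals(req.getOperation());
        boolean isTarget = TARGET_SOURCE.equals(req.getApplicationName());
        if (isCreate && isTarget) {
            // Record every suppressed Create so the drop is visible to operators
            // rather than silently disappearing from the provisioning history.
            log.info("BeforeProvisioning: suppressing Create on " + TARGET_SOURCE
                     + " for nativeIdentity=" + req.getNativeIdentity());
            continue;
        }
        keep.add(req);
    }
    // Replace the plan's account requests with everything except the dropped Creates.
    plan.setAccountRequests(keep);
}
```

Only the Create request is removed; requests that target an account the source already knows about pass through unchanged, so once the on-prem account has synced, been aggregated and correlated to the identity, a later identity refresh can still provision the role's entitlements as a Modify. The log line matters operationally: a suppressed request otherwise looks like a role that was assigned but never took effect, and the log entry is how you distinguish "intentionally deferred until the synced account appears" from a genuine provisioning failure.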
Hi @zeross, I appreciate that this is not answering your question, but if it were me, I would challenge the use case, i.e. go back to the Entra admins and say that in hybrid identity mode it would be best practice to use on-prem synced groups if they want to use SailPoint as the request tool. You could nest where applicable, but I appreciate that doesn’t work for all Entra use cases.