It’s 2026 and somehow I keep finding myself back in 2016, integrating heritage applications into modern Identity & Access Management solutions. I’m still writing connectors that integrate the Microsoft Entra outbound provisioning service with SaaS and legacy on‑premises apps using ECMA connectors.
Once you’re in the develop → test → deploy loop, you’re constantly fixing mappings and expressions, replaying failures, and resyncing accounts. That’s where the Entra Provision On Demand PowerShell module comes in.
Instead of installing the Microsoft Graph PowerShell modules and wiring everything yourself, you get a slim, no‑dependency set of cmdlets to connect to Entra ID, enumerate provisioning‑enabled Enterprise Apps, inspect jobs and rules, and trigger on‑demand provisioning for individual objects or batches. Most of the time you’ll be querying the provisioning logs, finding accounts with sync errors, fixing a rule or expression, and then re‑submitting them via Provision on demand programmatically rather than click‑ops in the Entra portal.
Installation
Available on GitHub and the PowerShell Gallery.
Install from the PowerShell Gallery with:
Install-Module EntraProvisionOnDemandQuick Start
The following example connects to Entra, discovers a provisioning app and job, gets the sync rule, and then provisions a single on‑prem user on demand. There are more examples in the GitHub Repo.
# Import the module
Import-Module EntraProvisionOnDemand
# Connect to Microsoft Graph (interactive)
Connect-EntraProvisioning -TenantId "contoso.onmicrosoft.com"
# Discover your provisioning app
$app = Get-EntraProvisioningApp -DisplayNameFilter "AD to Entra ID" | Select-Object -First 1
# Get the provisioning job
$job = Get-EntraProvisioningJob -ServicePrincipalId $app.Id | Select-Object -First 1
# Get the synchronization rule (required for ECMA/SCIM apps)
$rule = Get-EntraProvisioningRule -ServicePrincipalId $app.Id -JobId $job.JobId | Select-Object -First 1
# Provision a single user
Invoke-EntraProvisionOnDemand -ServicePrincipalId $app.Id -JobId $job.JobId `
-ObjectId "CN=JohnDoe,OU=Users,DC=contoso,DC=com" -RuleId $rule.RuleId
# Disconnect when done
Disconnect-EntraProvisioningCmdlets Overview
Authentication cmdlets
Authentication cmdlets manage the Graph connection used by the module
| Cmdlet | Description |
|---|---|
Connect-EntraProvisioning | Authenticate to Microsoft Graph API |
Disconnect-EntraProvisioning | Clear authentication context |
Test-EntraProvisioningConnection | Verify connection status and permissions |
Discovery cmdlets
Discovery cmdlets help you locate provisioning‑enabled apps, jobs, and rules
| Cmdlet | Description |
|---|---|
Get-EntraProvisioningApp | List Enterprise Applications with provisioning enabled |
Get-EntraProvisioningJob | Get synchronization jobs for an application |
Get-EntraProvisioningJobStatus | Get detailed job status including quarantine info |
Get-EntraProvisioningRule | Get synchronization rule IDs from job schema |
Provisioning cmdlets
Provisioning cmdlets execute on‑demand provisioning for one or many objects
| Cmdlet | Description |
|---|---|
Invoke-EntraProvisionOnDemand | Trigger on-demand provisioning for a single object |
Invoke-EntraProvisionOnDemandBatch | Batch provision from CSV or pipeline with throttling |
Logging cmdlets
Logging cmdlets query provisioning audit logs so you can script your troubleshooting instead of living in the portal
| Cmdlet | Description |
|---|---|
Get-EntraProvisioningLog | Query provisioning audit logs with filtering |
Summary
What started as a script, I turned into a module. A module that I’m using a lot. There are more examples in the GitHub Repo. Hopefully it is helpful to others too.