Entra Provision On Demand PowerShell Module

It’s 2026 and somehow I keep finding myself back in 2016, integrating heritage applications into modern Identity & Access Management solutions. I’m still writing connectors that integrate the Microsoft Entra outbound provisioning service with SaaS and legacy on‑premises apps using ECMA connectors.

Once you’re in the develop → test → deploy loop, you’re constantly fixing mappings and expressions, replaying failures, and resyncing accounts. That’s where the Entra Provision On Demand PowerShell module comes in.

Instead of installing the Microsoft Graph PowerShell modules and wiring everything yourself, you get a slim, no‑dependency set of cmdlets to connect to Entra ID, enumerate provisioning‑enabled Enterprise Apps, inspect jobs and rules, and trigger on‑demand provisioning for individual objects or batches. Most of the time you’ll be querying the provisioning logs, finding accounts with sync errors, fixing a rule or expression, and then re‑submitting them via Provision on demand programmatically rather than click‑ops in the Entra portal.

Installation

Available on GitHub and the PowerShell Gallery.

Install from the PowerShell Gallery with:

Install-Module EntraProvisionOnDemand

Quick Start

The following example connects to Entra, discovers a provisioning app and job, gets the sync rule, and then provisions a single on‑prem user on demand. There are more examples in the GitHub Repo.

# Import the module
Import-Module EntraProvisionOnDemand

# Connect to Microsoft Graph (interactive)
Connect-EntraProvisioning -TenantId "contoso.onmicrosoft.com"

# Discover your provisioning app
$app = Get-EntraProvisioningApp -DisplayNameFilter "AD to Entra ID" | Select-Object -First 1

# Get the provisioning job
$job = Get-EntraProvisioningJob -ServicePrincipalId $app.Id | Select-Object -First 1

# Get the synchronization rule (required for ECMA/SCIM apps)
$rule = Get-EntraProvisioningRule -ServicePrincipalId $app.Id -JobId $job.JobId | Select-Object -First 1

# Provision a single user
Invoke-EntraProvisionOnDemand -ServicePrincipalId $app.Id -JobId $job.JobId `
    -ObjectId "CN=JohnDoe,OU=Users,DC=contoso,DC=com" -RuleId $rule.RuleId

# Disconnect when done
Disconnect-EntraProvisioning

Cmdlets Overview

Authentication cmdlets

Authentication cmdlets manage the Graph connection used by the module

Cmdlet	Description
Connect-EntraProvisioning	Authenticate to Microsoft Graph API
Disconnect-EntraProvisioning	Clear authentication context
Test-EntraProvisioningConnection	Verify connection status and permissions

Discovery cmdlets

Discovery cmdlets help you locate provisioning‑enabled apps, jobs, and rules

Cmdlet	Description
Get-EntraProvisioningApp	List Enterprise Applications with provisioning enabled
Get-EntraProvisioningJob	Get synchronization jobs for an application
Get-EntraProvisioningJobStatus	Get detailed job status including quarantine info
Get-EntraProvisioningRule	Get synchronization rule IDs from job schema

Provisioning cmdlets

Provisioning cmdlets execute on‑demand provisioning for one or many objects

Cmdlet	Description
Invoke-EntraProvisionOnDemand	Trigger on-demand provisioning for a single object
Invoke-EntraProvisionOnDemandBatch	Batch provision from CSV or pipeline with throttling

Logging cmdlets

Logging cmdlets query provisioning audit logs so you can script your troubleshooting instead of living in the portal

Cmdlet	Description
Get-EntraProvisioningLog	Query provisioning audit logs with filtering

Summary

What started as a script, I turned into a module. A module that I’m using a lot. There are more examples in the GitHub Repo. Hopefully it is helpful to others too.