Entra ID Provisioning Tool
Introduction
This guide shows how to use the IDmelon Entra ID Provisioning Tool, designed to simplify the creation of security keys for users on the Microsoft Entra ID sign-in portal.
Prerequisites
Before you start the passkey provisioning process, ensure the following requirements are met in the Azure Portal under Entra ID -> Authentication Methods:
- Mandatory: The FIDO2 Security Key method must be enabled for the targeted users.
- Optional: If you use automatic provisioning, or manual provisioning with a TAP, ensure that Temporary Access Pass is enabled for the targeted users with the one-time use option set to Yes. A TAP is a time-limited credential that lets the tool sign in as the user to register the key; with one-time use set, the pass is consumed by that sign-in and cannot be replayed afterwards.
To get started, ensure you:
- Have Chrome version 119.0.6045.200 or later installed.
- Are using Windows 8 or a newer version.
- Download the IDmelon Provisioning Tool from the Downloads page and save it to a directory.
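The Entra ID prerequisites above can be verified from PowerShell before any user is provisioned. The script below is an added example and is not part of the IDmelon tool or its documentation. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Authentication module) and assumes the v1.0 authenticationMethodConfigurations endpoints, a sign-in holding Policy.Read.All (plus Directory.Read.All for the optional group-membership check), and the example's own -UserId parameter; excludeTargets are not evaluated.

```powershell
# Added example, not part of the IDmelon tool: pre-flight check of the Entra ID
# authentication method policy with the Microsoft Graph PowerShell SDK.
# Assumptions: the Microsoft.Graph.Authentication module is installed, the v1.0
# authenticationMethodConfigurations endpoints are used, and the signed-in account
# holds Policy.Read.All (plus Directory.Read.All for the optional membership check).
# excludeTargets are not evaluated.
param(
    [string] $UserId   # optional: object ID or UPN of a targeted user (example parameter)
)

Connect-MgGraph -Scopes 'Policy.Read.All', 'Directory.Read.All' -NoWelcome

$base  = 'https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations'
$fido2 = Invoke-MgGraphRequest -Method GET -Uri "$base/Fido2"
$tap   = Invoke-MgGraphRequest -Method GET -Uri "$base/TemporaryAccessPass"

# True when the method is enabled and its includeTargets cover the user:
# either the 'all_users' target, or a group the user belongs to. Membership is
# resolved with checkMemberGroups, which accepts at most 20 group IDs per call.
function Test-MethodTargetsUser {
    param($Config, [string] $User)
    if ($Config.state -ne 'enabled') { return $false }
    $targets = @($Config.includeTargets)
    if ($targets.id -contains 'all_users') { return $true }
    if (-not $User) { return $false }   # group-scoped policy; undecidable without a user
    $groupIds = @($targets | Where-Object { $_.targetType -eq 'group' } | ForEach-Object { $_.id })
    for ($i = 0; $i -lt $groupIds.Count; $i += 20) {
        $batch = $groupIds[$i..([Math]::Min($i + 19, $groupIds.Count - 1))]
        $r = Invoke-MgGraphRequest -Method POST `
            -Uri "https://graph.microsoft.com/v1.0/users/$User/checkMemberGroups" `
            -Body @{ groupIds = @($batch) } -ContentType 'application/json'
        if (@($r.value).Count -gt 0) { return $true }
    }
    return $false
}

$result = [pscustomobject]@{
    Fido2State        = $fido2.state
    Fido2Targets      = (@($fido2.includeTargets).id -join ', ')
    Fido2TargetsUser  = Test-MethodTargetsUser $fido2 $UserId
    TapState          = $tap.state
    TapOneTimeUse     = [bool]$tap.isUsableOnce
    TapDefaultMinutes = $tap.defaultLifetimeInMinutes
    TapTargetsUser    = Test-MethodTargetsUser $tap $UserId
}
$result

if ($result.Fido2State -ne 'enabled') {
    Write-Warning 'FIDO2 Security Key is not enabled; this is mandatory for provisioning.'
}
if ($result.TapState -eq 'enabled' -and -not $result.TapOneTimeUse) {
    Write-Warning 'Temporary Access Pass is enabled but not one-time use; set "Require one-time use" to Yes.'
}
```

Save it under any name (for instance Test-EntraPasskeyPrereqs.ps1, a name chosen for this example) and run it as .\Test-EntraPasskeyPrereqs.ps1 -UserId alice@contoso.com before a provisioning run. Fido2TargetsUser and TapTargetsUser report False when the policy is group-scoped and the user is not in any included group, which is the case the tool cannot fix on its own.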
Single Passkey Provisioning
You can use the tool to provision a single user or multiple users. Follow these steps to provision a single user:
Getting Started
To use the tool to register a Microsoft passkey for a user so that they can access their Microsoft account, follow these steps:
1. Open PowerShell in the tool's directory and run the following command:
   .\provisioning.exe --register-deeplink
   Note: This command only needs to be run once. It registers the link that the Admin Panel uses to launch the tool from the browser in the steps below.
2. Log in to the IDmelon Admin Panel and navigate to Users -> All Users.
3. Select the user you want to provision.
4. Go to the Passkeys tab and, from the Add Passkey dropdown, click Microsoft.
5. In the first dialog, select the Use IDmelon Provisioning Tool instead option.
6. In the next dialog, click the Next button.
You have two options for provisioning: Automatic and Manual.
Automatic Provisioning
In the automatic option, the tool performs all the necessary steps to create and assign the passkey. Note that automatic mode may not be supported in all languages. If you encounter any issues, try the manual mode.
1. Complete the steps in Getting Started above.
2. In the provisioning dialog, click the Create button. If you are redirected to the Microsoft login page, log in with a Microsoft admin account.
   Note: To assign a passkey to the user automatically, the tool needs a Temporary Access Pass (TAP) for that user, so the account you log in with must be allowed to create one. Microsoft requires the Authentication Administrator role for this (Privileged Authentication Administrator if the target user holds an admin role); use a dedicated account with that role rather than a Global Administrator.
3. A popup will open in the browser. Click Open IDmelon Provisioning.
4. The IDmelon Provisioning Tool starts the provisioning process. A private browser window opens, and all steps are completed automatically.
5. Once finished, the private window closes, and you can also close the IDmelon Provisioning Tool's window.
Manual Provisioning
If errors occur during automatic provisioning, you can use the manual mode.
1. Complete the steps in Getting Started above.
2. In the provisioning dialog, click registering manually.
3. In the next dialog, click the Create button.
   Note: You can optionally request a Temporary Access Pass (TAP) for the user to log in with; if you do, you may be redirected to the Microsoft login page. Alternatively, use one of the user's other authentication methods.
4. A popup will open in the browser. Click Open IDmelon Provisioning.
5. The IDmelon Provisioning Tool starts the provisioning process and opens a private browser window. Log in and complete the required steps manually; the tool detects when the security key has been assigned.
6. Once finished, the private window closes, and you can also close the IDmelon Provisioning Tool's window.
Bulk Passkey Provisioning
The tool can be used to register passkeys for users in bulk mode. Follow these steps to provision multiple users:
Getting Started
To use the tool to register a Microsoft passkey for multiple users, follow these steps:
1. Ensure that you are logged in to your workspace at the IDmelon Admin Panel as an Owner/Admin with the Edit Users permission.
2. Open PowerShell in the tool's directory and run the following command:
   .\provisioning.exe --login
3. The tool guides you through the setup process. Once ready, press Enter.
4. The tool opens your web browser and redirects you to the Microsoft portal for authorization.
5. After you grant access, you are redirected back to the IDmelon panel, and a success message in PowerShell confirms the login.
Note: The credentials remain valid for 12 hours. After this period, you will need to log in again using the procedure described above. During that time the machine holds an administrative session, so keep it locked when unattended.
Automatic Bulk Provisioning
The automatic bulk provisioning feature retrieves from the server the newly added users who still need to be provisioned and performs the provisioning operation for them automatically. Run the following command to start the process:
.\provisioning.exe --automatic-provision
Note: This operation repeats for all users needing provisioning, so the time required depends on the number of users. To stop the operation at any time, press Ctrl + C. You can restart the process for the remaining users by re-running the command.
Note: If any errors occur during provisioning, the affected users' information is stored in the failures.csv file. Review this file later to investigate the errors, and delete it once the failures are resolved, since it contains user data.
Manual Bulk Provisioning
To manually provision selected users, follow these steps:
1. Log in to the IDmelon Admin Panel and navigate to Users -> All Users.
2. Select the users you want to provision.
3. Click the Export icon to download a CSV file containing the selected users' information.
4. Place the users.csv file in the same directory as provisioning.exe.
5. Open PowerShell in that directory and run the following command:
   .\provisioning.exe --csv .\users.csv
Options
For verbose output, use the following command:
.\provisioning.exe --csv .\users.csv --verbose
To monitor the process in a visible browser window (headful mode), use the following command:
.\provisioning.exe --csv .\users.csv --mode headful
CAUTION: Do not interact with the browser window during the process, as it may disrupt the workflow.
Note: You can chain options to enable both headful mode and verbosity:
.\provisioning.exe --csv .\users.csv --mode headful --verbose
To print the version of the tool, use the --version flag:
.\provisioning.exe --version
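Manual bulk runs are easier to audit when each run keeps its own log and its own copy of failures.csv. The wrapper below is an added example, not part of the IDmelon tool. It assumes provisioning.exe and users.csv are in the current directory, that failures.csv is written there as well, and it only reports the tool's exit code because the page does not define its meaning; the -Headful and -Detailed switches are the example's own names for the --mode headful and --verbose options.

```powershell
# Added example, not part of the IDmelon tool: run one manual bulk provisioning pass
# with a transcript, and keep the failures.csv of every run instead of letting the
# next run overwrite it.
# Assumptions: provisioning.exe, users.csv and failures.csv live in the current
# directory; the exit code is reported, not interpreted.
param(
    [string] $Csv = '.\users.csv',
    [switch] $Headful,    # maps to --mode headful
    [switch] $Detailed    # maps to --verbose
)
$ErrorActionPreference = 'Stop'

$dir = (Get-Location).Path
$exe = Join-Path $dir 'provisioning.exe'
if (-not (Test-Path $exe)) { throw "provisioning.exe not found in $dir; run this from the tool's directory." }
if (-not (Test-Path $Csv)) { throw "User list $Csv not found." }

# Refuse to start on an empty export; the tool would have nothing to do.
$users = @(Import-Csv $Csv)
if ($users.Count -eq 0) { throw "$Csv contains no users." }
Write-Host "Provisioning $($users.Count) user(s) from $Csv"

# Set aside a failures.csv left by an earlier run so this run's failures are
# not mixed with, or overwrite, the old ones.
$failures = Join-Path $dir 'failures.csv'
if (Test-Path $failures) {
    $stamp = (Get-Item $failures).LastWriteTime.ToString('yyyyMMdd-HHmmss')
    Move-Item $failures (Join-Path $dir "failures-$stamp.csv")
}

$toolArgs = @('--csv', $Csv)
if ($Headful)  { $toolArgs += @('--mode', 'headful') }
if ($Detailed) { $toolArgs += '--verbose' }

# One transcript per run; it records user identifiers, so store it like failures.csv.
$log = Join-Path $dir ('provisioning-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
Start-Transcript -Path $log | Out-Null
try {
    & $exe @toolArgs
    $code = $LASTEXITCODE
} finally {
    Stop-Transcript | Out-Null
}
Write-Host "provisioning.exe exited with code $code; transcript in $log"

if (Test-Path $failures) {
    $failed = @(Import-Csv $failures)
    Write-Warning "$($failed.Count) user(s) failed; details in $failures"
    $failed | Format-Table -AutoSize
}
```

Run it from the tool's directory, for example .\Invoke-BulkProvisioning.ps1 -Headful -Detailed (the script name is this example's own). The transcript and the timestamped failures files contain user information and should be removed once the run has been reviewed.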
Troubleshooting
SSL Certificate Verification Error
If you encounter an SSL certificate verification error with the message [SSL: CERTIFICATE_VERIFY_FAILED] Certificate verification failed: unable to get the local issuer certificate, the tool could not build a trust chain for the server certificate it received. This is often caused by a TLS-inspecting proxy on your organization's network, which presents certificates issued by a private CA that the tool's own certificate bundle does not know. Try changing the network if possible before using the flags below.
If the error persists, resolve it with one of the following flags:
--local-ssl-verify: keeps certificate verification enabled. Try this flag first.
.\provisioning.exe --csv users.csv --mode headful --verbose --local-ssl-verify
--disable-ssl-verify (recommended as the quick fix): turns certificate verification off for the tool's own connections. It works regardless of the network, but while it is in effect the tool cannot detect a server impersonating the service it talks to, so use it only on a network you trust and only for the duration of the provisioning run.
.\provisioning.exe --csv users.csv --mode headful --verbose --disable-ssl-verify
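Before disabling verification it is worth seeing what certificate chain the network actually delivers. The script below is an added example, not part of the IDmelon tool; it opens a TLS connection to a host you name (the page does not state which endpoint the tool contacts, so the host name is an assumption you must supply), prints the chain, and reports whether Windows trusts its root and where that root lives. A chain that Windows trusts only because a private root sits in the LocalMachine store is the signature of a TLS-inspecting proxy; a chain Windows does not trust at all means the flags would merely hide a real problem.

```powershell
# Added example, not part of the IDmelon tool: show the certificate chain a host
# presents and whether its root is trusted by Windows, to tell a TLS-inspecting
# proxy (private root CA in the Windows store) from a genuinely broken chain.
# Assumption: the host name and port; the page does not state the tool's endpoint.
param(
    [Parameter(Mandatory)] [string] $HostName,
    [int] $Port = 443
)

$tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
$ssl = $null
try {
    # Accept anything during the handshake; trust is evaluated explicitly below.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($HostName)   # sends SNI for $HostName
    $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}

# Build the chain with the Windows trust stores; revocation is skipped because the
# question here is trust, not revocation status.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trustedByWindows = $chain.Build($leaf)

Write-Host "Chain presented by ${HostName}:${Port}"
foreach ($el in $chain.ChainElements) {
    Write-Host ("  {0}`n    issued by {1}`n    thumbprint {2}" -f $el.Certificate.Subject, $el.Certificate.Issuer, $el.Certificate.Thumbprint)
}

# The last element is the highest certificate the chain engine could find.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

[pscustomobject]@{
    Host               = $HostName
    TrustedByWindows   = $trustedByWindows
    ChainStatus        = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    RootSubject        = $root.Subject
    SelfSignedRoot     = ($root.Subject -eq $root.Issuer)
    RootInMachineStore = (Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)")
    RootInUserStore    = (Test-Path "Cert:\CurrentUser\Root\$($root.Thumbprint)")
}
```

Run it as .\Show-TlsChain.ps1 -HostName <host the tool contacts> (the script name is this example's own). If TrustedByWindows is True and RootSubject names your organization's CA rather than a public one, an inspecting proxy is in the path and the tool's bundled CA list simply does not contain that root; ask the network team for a bypass for the tool's endpoints or use --local-ssl-verify. If TrustedByWindows is False, fix the chain or the network before provisioning rather than turning verification off.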
Sync User Data Error
If you encounter the error message Failed to retrieve TAP: Sync user data by importing from Azure AD and try again, sync the imported users with Microsoft Entra ID again from the IDmelon Admin Panel and retry. This issue is related to Microsoft session management and is not related to IDmelon.