Assigning Azure AD licenses as birthright access

Regular Contributor II
Regular Contributor II

Hi Everyone,

We have the following use case:

We have on-prem AD where Saviynt provisions all new users as target system. This on-prem AD syncs accounts to AzureAD every 30 minutes. Then we reconcile AzureAD to get the synced accounts into Saviynt.

The scenario is that we have to provision SKU as birthright into AzureAD account on any new user creation. But we do not want to create a user in AzureAD but only provision SKU as entitlement to reconciled account once it is synced from On-Prem AD to Azure AD.

How will we accomplish assigning the SKU license as birthright for new users if we have this +- 15 - 20 minutes sync time etc
Operation should perform automatically.

Any ideas will be greatly appreciated.


Regular Contributor III
Regular Contributor III

Hi @SumathiSomala ,

You could create an actionable analytic where the action would be provision access for that entitlement. The analytic would detect if the user has a corresponding Azure AD account without the access that had been reconciled, and if there was a task for AD On Prem that was executed and completed successfully for the user in the last x hours. This analytic can be scheduled to be run every 2 hours or based on whatever your user import frequency is that creates the On Prem AD Account.




Tables that need to be utilized: users, user_accounts, accounts, arstasks

Configuring Allowed Actions (


Md Armaan Zahir

Regular Contributor II
Regular Contributor II

Thanks for the quick response @armaanzahir 

Can You help with the sample Query?

and is this report assigned to analytics owner or will it complete automatically? 

How can i assign different entitlements to different users?