Just-in-Time Provisioning

Just-in-time (JIT) provisioning is the SSO pattern where a target application creates a user account automatically on first sign-in, populated from claims in the SAML or OIDC assertion. The user doesn't need to be pre-provisioned; they sign in via Entra ID, the assertion's claims tell the app who they are, and the app creates the user record on the fly. Common for apps that don't support SCIM for full lifecycle management. Limitations: JIT typically handles creation but not updates or deprovisioning, so for serious deployments SCIM provisioning is preferable. Many SaaS apps support both — JIT for first-touch convenience plus SCIM for ongoing sync.