Deploy ECMA connector host (if needed)

Implementation Effort: Medium – IT teams must plan, install, and configure the ECMA host service, and validate integration with Entra provisioning agents.

User Impact: Low – This deployment occurs in the backend; end users are not impacted directly and do not need to take action.

Overview

Deploying the Extensible Connectivity Management Agent (ECMA) connector host enables Microsoft Entra provisioning services o to integrate with systems that do not have native connectors. This is particularly useful when organizations need to provision users, groups, or entitlements to custom or legacy applications. The ECMA host acts as a runtime execution engine for provisioning extensions, translating identity operations between Entra ID and target systems. This deployment supports the Zero Trust principle "Verify explicitly" by enabling visibility and control over provisioning to all connected systems, not just those with built-in support. It also supports "Use least privilege access" by allowing granular control of attribute flows and scope of provisioning. If ECMA hosts are not deployed when needed, organizations may face provisioning gaps, orphaned accounts, or manual workarounds that increase the risk of unauthorized access and provisioning errors exploitable by threat actors.

Reference

• Microsoft Entra on-premises application identity provisioning architecture

• Provisioning to on-premises applications using the ECMA connector host