Provision users from EAA

If you are using the Akamai Enterprise Application Access (EAA) identity provider, you can import user accounts from EAA. With automatic provisioning, you can synchronize users' access privileges from your EAA directories to the Akamai MFA user directory. When the provisioning process is completed, you can then email and invite users to the Akamai MFA service.
See the EAA guide to learn more.


  • You must have both Enterprise Application Access and Akamai MFA on the same contract.

  • If you want to send an enrollment email to users provisioned from your MFA directory, make sure each user in this directory has a valid email address. Users who don't have the email attribute field populated in their MFA user profile won't receive the enrollment email.

How to

  1. In the Enterprise Center navigation menu, select Multi-factor Authentication > Identity & Users > User Provisioning.

  2. Click Add Provisioning (+).

  3. On the User Provisioning page, select EAA provisioning and enter its unique name.


EAA user provisioning is only available if you have Enterprise Application Access on your contract and you haven't already created an EAA user provisioning.

  4. Click Save and Deploy.

  5. On the SCIM provisioning configuration page, scroll down to Directories and click the Associate (clip) icon.

    The list of your existing EAA directories opens.

  6. Select directories you wish to provision and click Associate.

  7. Now, for each directory, select groups for which you want to enable Akamai MFA. Click the Associate (clip) icon.

  8. Click Sync to run the directory synchronization.


The automatic synchronization takes place every six hours. If you want to provision user accounts immediately, you have to sync the changes manually.

On the provisioning configuration page, you can also enable the following settings:

  1. Send enrollment emails. Toggle on to send the enrollment emails to the new users whose accounts were synced up with Akamai MFA. With this setting, new users receive an email with the enrollment link that lets them register their trusted device in the Akamai MFA service for authentication purposes.

  2. Include Manually Provisioned Users. Toggle on to update the source of provisioning for users already existing in Akamai MFA. With this setting enabled, writes to users and groups that are not associated with any provisioning method (manually provisioned) cause their provisioning method to point to that EAA integration. This allows the EAA integration to claim ownership of existing users without forcing users to re-enroll if they already have accounts.

  3. Click Save & Deploy.

  4. To update your synced directories or groups after the initial user provisioning, follow these steps:

    1. To add or delete a directory, navigate to Directories and click the Associate (clip) icon.
      The list of the configured directories opens.
    2. Select directories that you want to add or delete, and click the Associate (clip) icon.
    3. To add or delete a group, navigate to the directory that you want to edit, and click the Associate (clip) icon.
      The list of all groups belonging to this directory opens.
    4. Select groups that you want to add or delete, and click the Associate (clip) icon.
    5. Click Save and Deploy.

    This overwrites and saves the latest changes to your Akamai MFA directory.
    You can perform this task any time you have to update your existing groups and directories.


When you deselect a group of users and sync your directory, all users within that group, along with their enrolled devices, will be removed from Akamai MFA. This action results in the loss of access to MFA-protected resources for those users.

If you later choose to add the previously deselected group back to Akamai MFA, users belonging to that group will need to re-enroll in the service.