Provision users from EAA

If you are using ‚ÄčAkamai‚Äč Enterprise Application Access (EAA) identity provider, you can import user accounts from EAA. With automatic provisioning, you can synchronize users' access privileges from your EAA directories to the ‚ÄčAkamai MFA‚Äč user directory. When the provisioning process is completed, you can then email and invite users to the ‚ÄčAkamai MFA‚Äč service.
See the EAA guide to learn more.


  • You must have both Enterprise Application Access and ‚ÄčAkamai MFA‚Äč on the same contract.

  • If you want to send an enrollment email to users provisioned from your MFA directory, make sure each user in this directory has a valid email address. Users who don't have the email attribute field populated in their MFA user profile won't receive the enrollment email.

How to

  1. In the Enterprise Center navigation menu, select Multi-factor Authentication > Identity & Users > User Provisioning.

  2. Click Add Provisioning (+).

  3. On the User Provisioning page, select EAA provisioning and enter its unique name.


EAA user provisioning is only available if you have Enterprise Application Access on your contract and if you haven't created the EAA user provisioning before.

  1. Click Save and Deploy

  2. On the SCIM provisioning configuration page, scroll down to Directories and click the Associate (clip) icon.

    The list of your existing EAA directories opens.

  3. Select directories you wish to provision and click Associate.

  4. Now, for each directory, select groups for which you want to enable ‚ÄčAkamai MFA‚Äč. Click the Associate (clip) icon.

  5. Click Sync to run the directory synchronization.


The automatic synchronization takes place every six hours. If you want to provision user accounts immediately, you have to sync the changes manually.

On the provisioning configuration page, you can also enable the following settings:

  1. Send enrollment emails. Toggle on to send the enrollment emails to the new users whose accounts were synced up with ‚ÄčAkamai MFA‚Äč. With this setting, new users receive an email with the enrollment link that lets them register their trusted device in the ‚ÄčAkamai MFA‚Äč service for authentication purposes.

  2. Include Manually Provisioned Users. Toggle on to update the source of provisioning for users already existing in ‚Äč‚Äč‚ÄčAkamai MFA‚Äč‚Äč. With this setting enabled, writes to users and groups not associated with any provisioning method (manually provisioned), will cause them to have their provisioning method point to that EAA integration. This allows the EAA integration to claim ownership of existing users without forcing users to re-enroll if they already have accounts.

  3. Click Save & Deploy.

  4. To update your synced directories or groups after the initial user provisioning, follow these steps:

    1. To add or delete a directory, navigate to Directories and click the Associate (clip) icon.
      The list of the configured directories opens.
    2. Select directories that you want to add or delete, and click the Associate (clip) icon.
    3. To add or delete a group, navigate to the directory that you want to edit, and click the Associate (clip) icon.
      The list of all groups belonging to this directory opens.
    4. Select groups that you want to add or delete, and click the Associate (clip) icon.
    5. Click Save and Deploy.

    This overwrites and saves the latest changes to your ‚ÄčAkamai MFA‚Äč directory.
    You can perform this task any time you have to update your existing groups and directories.