MineTrust Provisioner

MineTrust Provisioner is an optional background service that automates the provisioning of users, roles, and permissions into a MineTrust environment. It eliminates the need for manual identity management by bridging external data sources with the MineTrust Server API.

Overview

MineTrust Provisioner runs as a Windows Service alongside MineTrust Server and supports two provisioning mechanisms:

File-Based Provisioning

A configurable file watcher monitors a designated directory (typically a network share) for .xml or .json files containing serialised MineTrust entity definitions. When files are detected:

  1. Files are loaded and deserialised into typed entity objects (users, roles, folder permissions)
  2. Relational dependencies between entities are validated and resolved
  3. Existing entities are updated by name; new entities are created
  4. Processed files are archived to a succeeded or failed directory for auditability

This mechanism supports provisioning of users, roles, and folder permissions, and is extensible to additional entity types.

Azure AD Data Pump

An automated integration with Microsoft Entra ID (formerly Azure Active Directory) that synchronises user identities into MineTrust:

  • Queries Azure AD via the Microsoft Graph API on a configurable polling interval
  • Automatically creates MineTrust user accounts for Azure AD users whose MineTrustOnlineServiceID attribute matches the target environment
  • Maps Azure AD attributes (display name, user ID) to MineTrust user fields
  • Assigns a configurable default role (e.g. Contributor) to newly provisioned users
  • Disables MineTrust accounts for users no longer present in Azure AD, and re-enables accounts for returning users
  • Supports multi-service environments – users may be provisioned across multiple MineTrust instances via a semicolon-delimited service ID attribute
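The data pump's account lifecycle rules (scope by the semicolon-delimited service ID attribute, create with the default role, disable leavers, re-enable returning users), as an added Python example that is not the Provisioner's own code; the record shapes, the `managed` flag that keeps locally created accounts such as a break-glass admin out of the pump's reach, and the sample data are assumptions.

```python
from dataclasses import dataclass


@dataclass
class DirectoryUser:
    """A user as read from the directory (constructed sample shape)."""
    user_id: str
    display_name: str
    service_ids: str  # MineTrustOnlineServiceID attribute, semicolon-delimited


@dataclass
class MineTrustUser:
    """A MineTrust account. `managed` (assumed flag) marks accounts the pump
    created, so locally created admin accounts are never disabled by it."""
    user_id: str
    display_name: str
    roles: list
    enabled: bool = True
    managed: bool = True


def targets_service(attr: str, service_id: str) -> bool:
    """True when the semicolon-delimited attribute names this environment."""
    return service_id in {s.strip() for s in attr.split(";") if s.strip()}


def reconcile(directory, existing, service_id, default_role="Contributor"):
    """Return (create, disable, reenable): new accounts with the default role,
    IDs to disable (gone from the directory), IDs of returners to re-enable."""
    in_scope = {u.user_id: u for u in directory
                if targets_service(u.service_ids, service_id)}
    by_id = {u.user_id: u for u in existing}
    create, disable, reenable = [], [], []
    for uid, du in in_scope.items():
        if uid not in by_id:
            create.append(MineTrustUser(uid, du.display_name, [default_role]))
        elif by_id[uid].managed and not by_id[uid].enabled:
            reenable.append(uid)
    for uid, mu in by_id.items():
        if mu.managed and mu.enabled and uid not in in_scope:
            disable.append(uid)
    return create, disable, reenable


def sample_run():
    """Constructed sample: a joiner (u5), a leaver (u3), a returner (u4)."""
    directory = [DirectoryUser("u1", "Alice", "svc-a;svc-b"),
                 DirectoryUser("u2", "Bob", "svc-b"),  # other service only
                 DirectoryUser("u4", "Dan", "svc-a"), DirectoryUser("u5", "Eve", "svc-a")]
    existing = [MineTrustUser("u1", "Alice", ["Contributor"]),
                MineTrustUser("u3", "Carol", ["Contributor"]),
                MineTrustUser("u4", "Dan", ["Contributor"], enabled=False),
                MineTrustUser("admin", "Break glass", ["Admin"], managed=False)]
    return reconcile(directory, existing, "svc-a")
```

Running `sample_run()` creates only Eve, disables only Carol, re-enables Dan, and leaves the unmanaged admin account and Bob (who targets a different service) untouched.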

Architecture

MineTrust Provisioner is built on .NET and runs as a background service. It communicates with MineTrust Server over its REST API using OAuth 2.0 client credentials (daemon/service authentication).

Deployment Models

  • On-Premise: installed as a Windows Service on the same application server as MineTrust Server
  • Cloud-Hosted (Azure): deployed as a sidecar container alongside MineTrust Server on Azure Container Instances

Authentication

The Provisioner authenticates to MineTrust Server using one of the following schemes:

  • Microsoft Entra ID: OAuth 2.0 client credentials flow with a dedicated app registration and provisioner_access app role
  • Microsoft Entra External ID (B2C): B2C tenant client credentials
  • Basic Authentication: available in development environments only

Extensibility

MineTrust Provisioner is designed around a plugin architecture:

  • Custom entity handlers: extend file-based provisioning to support additional entity types
  • Auxiliary workers: implement custom provisioning pipelines (the Azure AD data pump is itself an auxiliary worker plugin)

Installation

Local installation of MineTrust Provisioner is supported via MSI, which may be executed interactively or non-interactively.

For non-interactive installations, please refer to Installation.