# AP Profiles

AP Profiles define how users authenticate and how applications are assigned within WorkSpaces Manager. Profiles can be linked either to traditional on-premises Active Directory groups or to Microsoft Entra ID groups.

There are two main profile categories:

1. **Local Active Directory Groups**
2. **Microsoft Entra ID Groups (Cloud or Synced)**

## Local Active Directory Groups

Local Active Directory AP Profiles are designed for environments where users and groups are managed directly from an on-premises Active Directory domain.

These AP profiles allow administrators to:

* Assign WorkSpaces Images/Bundles based on AD security groups
* Select Encryption Keys for system and user volumes
* Choose tags to be automatically assigned
* Reuse current organizational units and permissions

## Microsoft Entra ID Groups

Microsoft Entra ID AP Profiles are intended for cloud-based identity management scenarios. These profiles support both:

* Native cloud-only Entra ID groups
* Hybrid synchronized groups from Active Directory using Azure AD Connect / Entra Connect

This model enables centralized identity management across cloud and hybrid environments.

## Configuration

You can enable **Auto-Provisioning of WorkSpaces** by adding users to an [Active Directory group](/admin/appendices/ad-group-mapping.md) and configuring WorkSpaces Manager to read users from that group. To start, select **Add Profile**.

<figure><img src="/files/KyghhvM8mvB6Ir3ys1P8" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
When Auto-Provision is enabled, the service will poll the Active Directory groups every **15 minutes** for new members.
{% endhint %}

The following information is required to create and configure an **Auto-Provision (AP) Profile**:

* **Group Name** – Specify the Active Directory or Entra ID group used for provisioning.
* **Account** – Select the AWS account where the WorkSpaces will be created (if multiple accounts are configured).
* **Region** – Select the AWS Region for the WorkSpaces.
* **Directory** – Select the WorkSpaces directory (AWS Directory Services or AD Connector).
* **Bundle** – Select the WorkSpaces bundle.
* **Running Mode** – Select the desired running mode.
* **Tags** – Select the profile tags to be automatically applied.
* **Encryption** – Enable or disable root and user volume encryption. Keys are specified on the Directory.
* **Directories** – Enable or disable the use of multiple directories. When enabled, Auto-Provision selects the directory with the highest available IP capacity when creating a WorkSpace.
* **Termination** – Enable or disable termination on group removal.
* **IdP Groups** – Allows the use of Entra ID groups. This also requires Microsoft Graph Settings to be configured so that WorkSpaces Manager can access Entra ID in Azure. More information [here](/admin/configuration-section/settings/enterprise/microsoft-graph-entra-settings.md).
* **[Temporary Provisioning](/admin/appendices/temporary-workspaces.md)** – Define how many days the WorkSpace remains active before automatic termination, and how many days prior to termination users are notified.

{% hint style="warning" %}
Removing a user from an AD group **does not automatically terminate** the WorkSpace by default. Termination on group removal will only occur if the **Terminate on Group Removal** option is enabled *and* the WorkSpace has the **`Automation - Managed`** tag applied.
{% endhint %}
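
The termination rule above means a WorkSpace can outlive its owner's group membership. The following is an added example, not part of WorkSpaces Manager, that applies the rule to an inventory and reports which WorkSpaces would be left running. It assumes the `Automation - Managed` tag is stored as key `Automation` with value `Managed` and that usernames compare case-insensitively; the `WorkSpace` class, function names and sample data are constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumption: the "Automation - Managed" tag is stored as key "Automation"
# with value "Managed"; adjust to match how it appears in your account.
MANAGED_TAG = ("Automation", "Managed")


@dataclass
class WorkSpace:
    workspace_id: str
    user: str
    tags: dict = field(default_factory=dict)


def classify(ws, members_lower, terminate_on_removal):
    """Return the expected outcome for one WorkSpace under the profile rules."""
    if ws.user.lower() in members_lower:
        return "in-group"
    if not terminate_on_removal:
        return "orphaned: termination disabled on profile"
    if ws.tags.get(MANAGED_TAG[0]) != MANAGED_TAG[1]:
        return "orphaned: missing managed tag"
    return "will-terminate"


def audit(workspaces, group_members, terminate_on_removal):
    """Map workspace_id -> outcome for WorkSpaces whose user left the group."""
    members = {m.lower() for m in group_members}
    report = {}
    for ws in workspaces:
        outcome = classify(ws, members, terminate_on_removal)
        if outcome != "in-group":
            report[ws.workspace_id] = outcome
    return report


# Constructed sample data (not real identifiers).
SAMPLE_GROUP = ["alice", "bob"]
SAMPLE_WORKSPACES = [
    WorkSpace("ws-example0001", "alice", {"Automation": "Managed"}),
    WorkSpace("ws-example0002", "carol", {"Automation": "Managed"}),
    WorkSpace("ws-example0003", "dave", {"CostCentre": "1234"}),
    WorkSpace("ws-example0004", "Bob", {}),
]

if __name__ == "__main__":
    for enabled in (True, False):
        print(enabled, audit(SAMPLE_WORKSPACES, SAMPLE_GROUP, enabled))
```

Entries reported as `orphaned` are the ones to review by hand, since the profile will not remove them.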

{% hint style="danger" %}
You will only be allowed to add "Fixed Tags" in Profile Tags once you’ve saved the Auto-Provision profile. If you go back to edit this profile, you can then add the Fixed Tags.
{% endhint %}

<figure><img src="/files/doEw5bXZXveI3r7NvXD4" alt=""><figcaption></figcaption></figure>

WSM applies the following **Directory Selection Behaviour**: when **Use Multiple Directories** is enabled, you can select one or more directories for provisioning. The service evaluates the selected directories by available IP capacity and chooses the most suitable one. If provisioning fails because of capacity constraints, it automatically retries with the next best directory, and all attempts are logged for audit and troubleshooting purposes.

