Target
- Administrators performing periodic synchronization of users from Microsoft Entra ID to Access Control
- Administrators who want to add domains to be synchronized
Purpose
- This explains the procedure for customers who are performing periodic synchronization from Microsoft Entra ID to Access Control to add or change domains to be synchronized.
Notes
- This article is based on the product specifications as of March 2025 and may change without notice thereafter.
- Global administrator privileges in Access Control are required to set up user synchronization.
- Please refer to the following article for how to access the Administration.
How to access the Access Control Administration
- User synchronization needs to be set up on a domain basis.
- Before executing user synchronization, it is necessary to register the required users in Microsoft Entra ID.
- In user synchronization from Microsoft Entra ID to Access Control, each user's password cannot be synchronized to Access Control.
After user synchronization is complete, it is necessary to set the initial password on the Access Control side.
- After enabling periodic synchronization, user information is synchronized between Access Control and Microsoft Entra ID every hour.
- If you are synchronizing users from Active Directory to Microsoft Entra ID, this task is not necessary.
Pre-checks
- For the domain to be synchronized, change the UPN domain of objects other than users beforehand.
Change UPN of objects other than users to onmicrosoft.com domain
Procedure
1. Access [Provisioning Settings] from the Access Control Administration.
2. Click [View details] in the [Sync Source] menu.
3. The domains on the tenant are listed. Click [Dry Run] for the domain to be synchronized.
4. Click [Dry Run].
5. The following screen is displayed. Click the × button or [Close].
6. Click [View Audit Log] for the domain to be synchronized.
7. Click the download button in the Action column to check the result of the Dry Run Audit Logs (CSV file).
Each dry run overwrites the audit log result of the previous execution.
※ The sync request will be deleted approximately 24 hours later.
※ The user deletion tolerance rate is not applied to the dry run, so a preview of user deletions exceeding the tolerance rate may be output.
Please be sure to check the results of the dry run with reference to the following.
If unexpected Add, Delete, or Update users are included in the sync results, click [Cancel], complete the editing of the user information, and then try again.
If you have any questions, please inform the person in charge.
※ The order of the user list at the time of output of the dry run result cannot be changed.
※ The Immutable ID for each user is displayed in the right column of the output user list.
If Add or Delete is displayed in the dry run result
Please check if the users targeted for Add or Delete are the expected users.
If there are users you want to exclude from Add or Delete, click [Cancel] and try again after registering or deleting user information on the Access Control or Microsoft Entra ID side.
If Update is displayed in the dry run result
Please check if the values of the sync items for the users targeted for Update are as expected.
You can check the update details by comparing the user information registered in Access Control with the user information registered in Microsoft 365.
If there are unexpected users in the Update content, click [Cancel] and try again after editing the user information on the Access Control or Microsoft Entra ID side.
For details on the sync items during user synchronization, please refer to the following article.
What are the sync items for user synchronization with Access Control Microsoft 365?
8. If there are no issues with the content, click [Sync Now] or [Enable Periodical Sync] for the domain you want to target for synchronization.
About Sync Now
User information synchronization (Add, Delete, Update) is performed immediately.
About Enable Periodical Sync
User information is periodically synchronized (Add, Delete, Update) from the source service to the target service every hour.
About Sync (Add, Delete, Update)
- Add: If the user exists only in the sync source service and not in the sync destination service, the user will be added to the sync destination service.
- Delete: If the user does not exist in the sync source service but exists in the sync destination service, the user will be deleted from the sync destination service.
- Update: If the same user exists in both the sync source and sync destination services and there are differences in fields such as last name or display name, the values in the sync destination service will be updated to match the sync source values.
9. If necessary, change the following settings values, then click [Sync Data] or [Enable Periodical Sync].
・Max Allowed Deletions
If a deletion process exceeding the set % is attempted, the process will be canceled to prevent unintended mass user deletions.
Example: If the Max Allowed Deletions is set to 65%, the process will be canceled if 65% or more of the users are deleted during sync.
・UPN Mode
This setting determines the value that is set as the Username in Access Control.
※ The Username in Access Control cannot be changed later.
[When UPN Mode is enabled]
The UserPrincipalName attribute of Microsoft Entra ID is synced as the Username in Access Control.
Example: If the UserPrincipalName attribute of the user is "user@example.com", the Username will be "user@example.com".
[When UPN Mode is disabled]
The part of the UserPrincipalName attribute of Microsoft Entra ID before the @ is synced as the Username in Access Control.
Example: If the UserPrincipalName attribute of the user is "user@example.com", the Username will be "user".
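The following is an added example, not code from this article or from the product, that lets an administrator rehearse offline what the dry run (step 7), the Add/Delete/Update classification (step 8) and the Max Allowed Deletions and UPN Mode settings (step 9) will do before clicking [Sync Now]. It assumes that users are matched between Microsoft Entra ID and Access Control by Immutable ID (the article shows the Immutable ID in the dry run output but does not state the matching key), that the destination list passed in contains only the Access Control users of the domain being synchronized, and all user data (the example.com and example.net domains included) is constructed. Because the article notes that the deletion tolerance is not applied to the dry run itself, the example applies the threshold to the dry run plan explicitly; the username-collision check goes beyond the article and is derived from the stated UPN Mode rule, since a Username cannot be changed after creation and this page is about adding further domains.

```python
# Added example: offline simulation of the sync rules described in this article.
# Assumptions (not stated on the page): users are matched by Immutable ID, and
# the destination list holds only the Access Control users of the synced domain.
# All sample users and domains below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class EntraUser:
    """A user as seen on the sync source (Microsoft Entra ID)."""
    immutable_id: str
    upn: str            # UserPrincipalName
    last_name: str
    display_name: str


@dataclass(frozen=True)
class AccessControlUser:
    """A user as seen on the sync destination (Access Control)."""
    immutable_id: str
    username: str       # fixed once created; cannot be changed later
    last_name: str
    display_name: str


SYNC_FIELDS = ("last_name", "display_name")  # subset of sync items, for illustration


def username_from_upn(upn: str, upn_mode: bool) -> str:
    """UPN Mode enabled: the whole UPN; disabled: the part before '@'."""
    return upn if upn_mode else upn.split("@", 1)[0]


def in_domain(upn: str, domain: str) -> bool:
    return upn.lower().endswith("@" + domain.lower())


def plan_sync(source, destination, domain):
    """Classify the users of one domain into Add / Delete / Update, as a dry run does."""
    src = {u.immutable_id: u for u in source if in_domain(u.upn, domain)}
    dst = {u.immutable_id: u for u in destination}
    add = sorted(i for i in src if i not in dst)          # only in source
    delete = sorted(i for i in dst if i not in src)       # only in destination
    update = {}                                           # in both, fields differ
    for iid, s in src.items():
        if iid in dst:
            d = dst[iid]
            changed = {f: (getattr(d, f), getattr(s, f)) for f in SYNC_FIELDS
                       if getattr(d, f) != getattr(s, f)}
            if changed:
                update[iid] = changed
    return {"add": add, "delete": delete, "update": update}


def deletion_blocked(plan, destination_count, max_allowed_deletions_pct):
    """Max Allowed Deletions: the sync is canceled when the share of deleted
    users reaches the configured percentage (65% or more at a 65% setting).
    The article says this guard is not applied to the dry run, so apply it
    here to the dry run plan before clicking [Sync Now]."""
    if destination_count == 0:
        return False
    share = 100.0 * len(plan["delete"]) / destination_count
    return share >= max_allowed_deletions_pct


def username_collisions(source, upn_mode):
    """Usernames that more than one UPN maps to. With UPN Mode disabled,
    'a@example.com' and 'a@example.net' both become 'a'. This check is the
    example's own, derived from the UPN Mode rule, not a product feature."""
    seen = {}
    for u in source:
        seen.setdefault(username_from_upn(u.upn, upn_mode), []).append(u.upn)
    return {name: upns for name, upns in seen.items() if len(upns) > 1}


# Constructed sample data (example.com / example.net are placeholder domains).
SOURCE = [
    EntraUser("id-001", "alice@example.com", "Smith", "Alice Smith"),
    EntraUser("id-002", "bob@example.com", "Jones", "Bob Jones (Sales)"),  # renamed
    EntraUser("id-004", "dave@example.com", "Brown", "Dave Brown"),        # new
    EntraUser("id-005", "alice@example.net", "Lee", "Alice Lee"),          # other domain
]
DESTINATION = [
    AccessControlUser("id-001", "alice", "Smith", "Alice Smith"),
    AccessControlUser("id-002", "bob", "Jones", "Bob Jones"),
    AccessControlUser("id-003", "carol", "White", "Carol White"),  # no longer in Entra ID
]


def dry_run_report(domain="example.com", max_allowed_deletions_pct=65):
    plan = plan_sync(SOURCE, DESTINATION, domain)
    return {
        "plan": plan,
        "blocked": deletion_blocked(plan, len(DESTINATION), max_allowed_deletions_pct),
        "collisions": username_collisions(SOURCE, upn_mode=False),
    }


if __name__ == "__main__":
    report = dry_run_report()
    for action in ("add", "delete", "update"):
        print(action, report["plan"][action])
    print("canceled by Max Allowed Deletions:", report["blocked"])
    print("username collisions with UPN Mode disabled:", report["collisions"])
```

With the constructed data, the report lists id-004 as Add, id-003 as Delete and id-002 as Update (display name changed), one deletion out of three users stays under a 65% threshold, and the collision check shows that "alice" would be claimed by both alice@example.com and alice@example.net if UPN Mode were disabled when the second domain is added.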
10. Check the sync log or the status of the periodical sync for the execution results.
If [Sync Data] is executed
The following screen will be displayed, so check the sync log.
For how to check the sync log, please also refer to the following article.
Check the Sync Logs (Modern View)
If [Enable Periodical Sync] is enabled
The following screen will be displayed, so confirm that the [Periodical Sync] column for the target domain is "Enabled".