Target
- Customers synchronizing users from Access Control to Microsoft Entra ID
Purpose
- This document explains the procedures for manual and periodic synchronization of user information from Access Control to Microsoft Entra ID.
Notes
- The content of this article is based on the product specifications as of August 2025 and may change without notice thereafter.
- Global administrator privileges for Access Control and Microsoft 365 are required to configure user synchronization.
- Please refer to the following article for how to access the administration console.
How to access the Access Control administration console
- User synchronization needs to be configured on a domain basis.
- Before executing user synchronization, it is necessary to register the required users in Access Control in advance.
- Users created in Microsoft Entra ID through synchronization from Access Control will not be granted Microsoft 365 licenses.
Please grant Microsoft 365 licenses to the users as needed after synchronization.
- Once periodic synchronization is enabled, user information will be synchronized every hour.
※ The synchronization interval cannot be changed.
- If you are synchronizing users from Active Directory to Microsoft Entra ID, this procedure is not necessary.
Pre-checks
- Change the domain of non-user objects for the domain scheduled for synchronization.
Change UPN of non-user objects to onmicrosoft.com domain
- Execute the following steps to ensure that Microsoft Graph PowerShell can be used in your environment.
Connect to Microsoft365 from Microsoft Graph PowerShell
Procedure
1. Access the [Provisioning Settings] from the Access Control administration console.
2. Click [+ Add Service] under [SYNC DESTINATION].
3. Click the service to be synchronized from the synchronization service selection screen.
If the following screen is displayed, click [Entra ID].
If the [Use saved data] menu is displayed, click [Use saved data] and proceed to step 6.
※ This menu is displayed if step 5. [Required Permissions] has been completed.
4. When the Microsoft 365 login screen is displayed, log in with a global administrator account.
5. When the [Required Permissions] screen is displayed, click [Accept].
6. Refer to the following to select the domain to be synchronized and change the settings as needed, then click [Continue].
- Domain
Check the domain to be synchronized.
- MAX ALLOWED DELETIONS
If a user deletion process exceeding the set rate is attempted, the process will be canceled to prevent unintended mass user deletions.
Example: If the user deletion tolerance rate is 65%, the process will be canceled if 65% or more of the users are deleted during synchronization.
7. When the [Required Permissions] screen is displayed, check [Consent on behalf of your organization] and select [Accept].
※ If this screen does not appear and the next screen is shown instead, authentication has already been completed, so proceed to the next step.
8. Click [Start Dry Run] for each target domain to output the expected user synchronization results.
※ If there are multiple domains, perform a sync preview for each domain.
9. Select [Download Results] and check the downloaded sync preview results (csv file).
※ If there are multiple domains, check the results for each domain.
※ The user deletion tolerance rate is not applied to the sync preview, so the preview may show user deletions that exceed the tolerance rate.
Please be sure to check the sync preview results with reference to the following.
If the sync results include users you did not expect to be added, deleted, or updated, press [Cancel], correct the user information, and then try again.
If you have any questions, please contact your HENNGE One onboarding guide.
※ The order of the user list at the time of sync preview result output cannot be changed.
※ The Immutable ID of each user will be output in the exported user list.
- If Add or Delete is displayed in the sync preview results
- If Update is displayed in the sync preview results
10. If there are no issues with the content, click [Continue].
11. Select [Entra ID Periodical Synchronization] or [One-Time Synchronization (Sync Now)] and click [Execute].
※ It is recommended to perform a sync preview and Sync Now, confirm that the synchronization was as expected, and then set up periodic synchronization.
- One-Time Synchronization (Sync Now)
Immediately perform synchronization (add, delete, update) of user information.
※ When [Sync Now] is executed, synchronization (add, delete, update) of user information is performed immediately, and Microsoft 365 users are updated.
Please execute after confirming that the sync preview is as expected.
- Entra ID Periodical Synchronization
Perform periodic synchronization (add, delete, update) of user information from the source service to the destination service every hour.
- About synchronization (add, delete, update)
  - Add: If a user exists only in the source service and does not exist in the destination service, the user will be added to the destination service.
  - Delete: If a user does not exist in the source service and exists in the destination service, the user in the destination service will be deleted.
  - Update: If the same user exists in both the source and destination services and there are differences in items such as family name, display name, etc., the value in the destination service will be updated to the value in the source service.
12. Click [Check the Sync Logs] to confirm the synchronization results.
※ If [Periodic execution of Entra ID] is selected, no synchronization is performed at the moment periodic synchronization is enabled, so nothing is displayed in the sync log at that point.
Once periodic synchronization is enabled, user information is synchronized every hour and the sync log is output for each run.
For details on how to check the synchronization log, please refer to the following article.
Check the sync log (Modern view)
※ Please be sure to contact your HENNGE One onboarding guide/support desk once you have confirmed that user synchronization has been successfully completed.
If you are using multiple domains and need to set up user information for another domain later, please refer to the following steps.
Add a Domain for Regular User Synchronization in Access Control (Access Control → Microsoft 365)
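
The check that steps 6 and 9 leave to the reader, as an added PowerShell example (not HENNGE's code): it tallies the Add/Delete/Update rows of the downloaded sync preview CSV and reports whether the deletions would reach the MAX ALLOWED DELETIONS setting, which the preview itself does not apply. The function name `Test-SyncPreview`, the column names `Action` and `UserPrincipalName`, and the use of the current destination user count as the denominator are assumptions; the sample rows are constructed.

```powershell
# Added example. Column names (Action, UserPrincipalName) are assumed; match
# them to the header row of the CSV downloaded with [Download Results].
function Test-SyncPreview {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,              # e.g. Import-Csv output
        [Parameter(Mandatory)] [int] $DestinationUserCount,   # assumed denominator
        [Parameter(Mandatory)] [ValidateRange(0, 100)] [double] $MaxAllowedDeletionsPercent
    )
    if ($DestinationUserCount -le 0) {
        throw 'DestinationUserCount must be greater than zero.'
    }
    # Tally rows per action; an unknown action value stops the check.
    $counts = @{ Add = 0; Delete = 0; Update = 0 }
    foreach ($row in $Rows) {
        $action = "$($row.Action)".Trim()
        if (-not $counts.ContainsKey($action)) {
            throw "Unexpected action '$action' for $($row.UserPrincipalName)"
        }
        $counts[$action]++
    }

    $rate = 100.0 * $counts['Delete'] / $DestinationUserCount
    [pscustomobject]@{
        Add           = $counts['Add']
        Delete        = $counts['Delete']
        Update        = $counts['Update']
        DeleteRatePct = [math]::Round($rate, 1)
        # Page's rule: at a setting of 65%, 65% or more is canceled.
        WouldCancel   = $rate -ge $MaxAllowedDeletionsPercent
        DeleteTargets = @($Rows | Where-Object { "$($_.Action)".Trim() -eq 'Delete' } |
                Select-Object -ExpandProperty UserPrincipalName)
    }
}

# Constructed sample rows, not real export output.
$sample = @'
Action,UserPrincipalName
Add,new.hire@example.com
Update,renamed.user@example.com
Delete,former.staff1@example.com
Delete,former.staff2@example.com
'@ | ConvertFrom-Csv

$result = Test-SyncPreview -Rows $sample -DestinationUserCount 3 -MaxAllowedDeletionsPercent 65
$result | Format-List
if ($result.WouldCancel) {
    Write-Warning 'Deletions reach the tolerance; review DeleteTargets before Sync Now.'
}
```

For a real preview, pass `Import-Csv` output for the downloaded file as `-Rows` and run the check once per domain, since the preview is produced per domain.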