Target
- Customers who sync users from HENNGE Access Control to Microsoft Entra ID
Purpose
- This article explains the procedure for manual and periodic sync of user information from HENNGE Access Control to Microsoft Entra ID.
Notes
- This article is based on the product specifications as of March 2025 and may change without notice thereafter.
- Global administrator privileges for HENNGE Access Control and Microsoft 365 are required to set up user sync.
- Please refer to the following article for how to access the Administration.
How to access the HENNGE Access Control Administration
- User sync needs to be set up on a domain basis.
- Before executing user sync, it is necessary to register the required users in HENNGE Access Control in advance.
- Users created in Microsoft Entra ID through user sync from HENNGE Access Control will not be granted a Microsoft 365 license.
Please grant a Microsoft 365 license to the administrator after sync if necessary.
- Once periodic sync is enabled, user information will be synced every hour.
※ The sync interval cannot be changed.
- If you are syncing users from Active Directory to Microsoft Entra ID, this task is not necessary.
Pre-checks
- Change the domain of non-user objects for the domain scheduled for sync.
Change UPN of non-user objects to onmicrosoft.com domain
- Execute the following steps to ensure that Microsoft Graph PowerShell can be used in your environment.
Connect to Microsoft365 from Microsoft Graph PowerShell
Procedure
1. Access [Provisioning Settings] from the HENNGE Access Control Administration.
2. Click [ + Add Service ] from the [ SYNC DESTINATION ] menu.
3. Click the target service from the sync service selection screen.
If the following screen is displayed, click [Entra ID].
If the [Use Saved Data] menu is displayed, click [Use Saved Data] and proceed to step 6.
※ This menu is displayed if step 5. [Required Permissions] has been completed.
4. The Microsoft 365 login screen will be displayed, so log in with the global administrator account.
5. The [Required Permissions] screen will be displayed, so click [Accept].
6. Refer to the following to select the domain to sync and change the settings if necessary, then click [Continue].
・Domain
Check the domain to sync.
・Max Allowed Deletions
If a user deletion process exceeding the set percentage is attempted, the process will be canceled to prevent unintended mass user deletions.
Example: If the Max Allowed Deletions is 65%, the process will be canceled if 65% or more of the users are deleted during sync.
7. The Microsoft Graph PowerShell command will be displayed on the screen, so copy the command and execute it with the Microsoft 365 global administrator account.
※ To use the command, please perform the following steps in advance.
Install Microsoft Graph PowerShell SDK
※ This screen is displayed regardless of whether the command has already been executed. If you have already performed this task in the past, proceed to step 10.
8. If prompted to log in to Microsoft 365, log in with an account that has global administrator privileges.
9. Confirm that no errors are output in red in the execution result of the Microsoft Graph PowerShell command performed in step 7.
If an error occurs, capture the target error screen and inform the HENNGE One implementation representative / support desk.
10. Once you have confirmed that the Microsoft Graph PowerShell command was executed correctly, click [Continue].
11. Click [Start Dry Run] for each target domain to output the expected user sync results.
※ If there are multiple domains, perform a dry run for each domain.
12. Select [Download Results] and check the downloaded dry run results (CSV file).
※ If there are multiple domains, please check the results for each domain.
※ The dry run does not apply the user deletion tolerance rate (Max Allowed Deletions), so the results may preview user deletions that exceed the tolerance rate.
13. If there are no issues with the content, click [Continue].
14. Select [Entra ID Periodical Synchronization] or [Sync Now] and click [Execute].
※ When executing [Sync Now], user information synchronization (Add, Delete, Update) is performed immediately, and Microsoft 365 users are updated.
Please execute after confirming that the dry run results are as expected.
Sync Now
Immediately perform user information synchronization (Add, Delete, Update).
Entra ID Periodical Synchronization
Perform periodical synchronization of user information (Add, Delete, Update) from the sync source service to the sync destination service every 1 hour.
※ It is recommended to set this after performing the dry run and Sync Now to confirm that synchronization can be performed as expected.
About Sync (Add, Delete, Update)
- Add: If the user exists only in the sync source service and not in the sync destination service, add the user to the sync destination service.
- Delete: If the user does not exist in the sync source service but exists in the sync destination service, delete the user from the sync destination service.
- Update: If the same user exists in both the sync source and sync destination services and there are differences in items such as family name, display name, etc., update the value in the sync destination service to the value in the sync source.
15. Click [Check the Sync Logs] to check the sync results.
※ If [Entra ID Periodical Execution] is selected, the sync process will not be executed at the stage when periodical sync is enabled, so it will not be displayed in the sync logs.
After enabling periodical sync, user information periodical synchronization is executed every 1 hour, and sync logs are output.
For details on how to check the sync logs, please refer to the following article.
Check the Sync Logs (Modern View)
If you are using multiple domains and want to set user information for another domain later, please refer to the following procedure.
Add a Domain for Access Control User Periodical Sync (Access Control → Microsoft 365)
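
The following is an added example, not HENNGE code or part of the original article. It models the Add / Delete / Update rules from "About Sync" together with the Max Allowed Deletions check from step 6, so the share of deletions can be estimated before running [Sync Now], since the dry run does not apply that check. Assumptions: users are matched by UPN, the deletion percentage is measured against the number of destination users, the function name `plan_sync` and attribute keys are hypothetical, and the sample users are constructed.

```python
# Added illustration: models the Add / Delete / Update rules and the
# Max Allowed Deletions guard described in this article. Not HENNGE code.

def plan_sync(source, destination, max_allowed_deletions_pct):
    """source/destination: dict mapping UPN -> attribute dict.

    Assumptions (not stated in the article): users are matched by UPN, and
    the deletion percentage is measured against the destination user count.
    """
    add = sorted(set(source) - set(destination))
    delete = sorted(set(destination) - set(source))
    update = {}
    for upn in sorted(set(source) & set(destination)):
        diff = {k: v for k, v in source[upn].items()
                if destination[upn].get(k) != v}
        if diff:
            update[upn] = diff  # destination takes the source value
    pct = 100.0 * len(delete) / len(destination) if destination else 0.0
    # Follows the article's example: cancel at "65% or more".
    canceled = bool(delete) and pct >= max_allowed_deletions_pct
    return {"add": add, "delete": delete, "update": update,
            "deletion_pct": pct, "canceled": canceled}


# Constructed sample data (hypothetical users on a placeholder domain).
SOURCE = {
    "alice@example.com": {"family_name": "Sato", "display_name": "Alice Sato"},
    "bob@example.com": {"family_name": "Ito", "display_name": "Bob Ito"},
    "erin@example.com": {"family_name": "Abe", "display_name": "Erin Abe"},
}
DESTINATION = {
    "alice@example.com": {"family_name": "Sato", "display_name": "A. Sato"},
    "bob@example.com": {"family_name": "Ito", "display_name": "Bob Ito"},
    "carol@example.com": {"family_name": "Mori", "display_name": "Carol Mori"},
    "dave@example.com": {"family_name": "Oka", "display_name": "Dave Oka"},
}

if __name__ == "__main__":
    for limit in (65, 50):
        plan = plan_sync(SOURCE, DESTINATION, limit)
        print(f"limit={limit}% deletions={plan['deletion_pct']:.0f}% "
              f"canceled={plan['canceled']}")
        print("  add:", plan["add"], "delete:", plan["delete"])
        print("  update:", plan["update"])
```

With the sample data, two of four destination users would be deleted (50%), so a limit of 65% lets the sync proceed while a limit of 50% cancels it.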