Target
- Customers who sync users from Microsoft Entra ID to Access Control
Purpose
- This document explains the procedure for manual and periodic synchronization of user information from Microsoft Entra ID to Access Control.
Notes
- The content of this article is based on the product specifications as of April 2025 and may change without notice.
- Setting up user synchronization requires global administrator privileges for Access Control and a Microsoft 365 global administrator.
- Please refer to the following article for how to access the Administration.
How to access the HENNGE Access Control Administration
- User synchronization needs to be set up on a domain basis.
- Before executing user synchronization, it is necessary to register the required users in Microsoft Entra ID.
- User passwords from Microsoft Entra ID are not synced to Access Control.
After user synchronization is complete, be sure to set the initial password on the Access Control side.
- Once periodic sync is enabled, user information will be synced every hour.
※ The sync interval cannot be changed.
- If you are syncing users from Active Directory to Microsoft Entra ID, this task is not necessary.
Pre-checks
- Change the domain of non-user objects for the domain to be synced.
Change UPN of non-user objects to onmicrosoft.com domain
- Execute the following steps to confirm that Microsoft Graph PowerShell can be used in your environment.
Install Microsoft Graph PowerShell SDK
Connect to Microsoft365 from Microsoft Graph PowerShell
Procedure
1. Access [Provisioning Settings] from the HENNGE Access Control Administration.
2. Select [+ Add Service] in the [Sync Source] menu.
3. Select the service to be synced from the sync service selection screen.
If you create a new sync setting, select [Entra ID].
If the [Use Saved Data] menu is displayed, select [Use Saved Data] and proceed to step 6.
※ This menu is displayed if step 5 ([Required Permissions]) has already been completed.
4. The Microsoft 365 login screen will be displayed, so log in with a global administrator account.
5. The [Required Permissions] screen will be displayed, so select [Accept].
6. Check the domain to be synced, set the UPN Mode and Max Allowed Deletions, and click [Continue].
・Domain
Check the domain to be synced.
・Max Allowed Deletions
If a user deletion process exceeding the set percentage is attempted, the process will be canceled to prevent unintended mass user deletions.
Example: If the Max Allowed Deletions is 65%, the process will be canceled if 65% or more of the users would be deleted during synchronization.
・UPN Mode
Depending on the setting, the value set for the Username in Access Control will change.
※ The Username in Access Control cannot be changed later.
【When UPN Mode is enabled】
The UserPrincipalName attribute of Microsoft Entra ID is synced as the Username in Access Control.
Example: If the UserPrincipalName attribute of the user is "user@example.com", the Username will be "user@example.com".
【When UPN Mode is disabled】
The value up to @ of the UserPrincipalName attribute of Microsoft Entra ID is synced as the Username in Access Control.
Example: If the UserPrincipalName attribute of the user is "user@example.com", the Username will be "user".
7. The Microsoft Graph PowerShell command will be displayed on the screen, so copy the command and execute it with a Microsoft 365 global administrator account.
※ This screen is displayed regardless of whether the command has already been executed.
If this task has been completed in the past, proceed to step 10.
8. If prompted to log in to Microsoft 365, log in with an account that has global administrator privileges.
9. Confirm that no errors are output in red in the execution results of the Microsoft Graph PowerShell command performed in step 7.
If an error occurs, please refer to the following article.
Error Message Collection Microsoft Graph PowerShell
※ If the issue is not resolved, capture the error screen and inform the HENNGE One implementation representative/support desk.
10. Once you have confirmed that the Microsoft Graph PowerShell command was executed correctly, select [Continue].
11. Click [Start Dry Run] for each sync target domain to output the expected user sync results.
※ If there are multiple domains, please perform a dry run for each domain.
12. Select [Download Results] and check the downloaded dry run results (CSV file).
※ If there are multiple domains, please check the results for each domain.
※ The user deletion tolerance rate (Max Allowed Deletions) is not applied to the dry run, so the preview may include user deletions that exceed the tolerance rate.
Please be sure to check the dry run results with reference to the following.
If unexpected Add, Delete, or Update users are included in the sync results, press [Cancel] and try again after completing the editing of user information, etc.
If you have any questions, please inform the HENNGE One implementation support representative.
※ The order of the user list at the time of dry run result output cannot be changed.
※ The Immutable ID for each user is displayed in the right column of the output user list.
If Add or Delete is displayed in the dry run results
Please confirm whether the users targeted for Add or Delete are the expected users.
If there are users you want to exclude from Add or Delete, click [Cancel] and try again after registering or deleting user information on the Access Control or Microsoft Entra ID side.
If Update is displayed in the dry run results
Please confirm whether the values of the sync items for the users targeted for Update are as expected.
You can confirm the update details by comparing the user information registered in Access Control with the user information registered in Microsoft 365.
If there are unexpected users in the Update content, click [Cancel] and try again after editing the user information on the Access Control or Microsoft Entra ID side.
For details on the sync items during user sync, please refer to the following article.
What are the sync items for user sync with Access Control Microsoft 365?
13. If there are no issues with the content, click [Continue].
14. Select [Entra ID Periodical Synchronization] or [Sync Now], check the displayed precautions, and if there are no issues, check the checkbox and click [Execute].
※ It is recommended to enable periodical synchronization only after performing a dry run and Sync Now to confirm that synchronization works as expected.
Sync Now
Immediately performs synchronization (Add, Delete, Update) of user information.
※ When [Sync Now] is executed, synchronization (Add, Delete, Update) of user information is performed immediately, and the users in HENNGE Access Control are updated.
Please execute after confirming that the dry run results are as expected.
Entra ID Periodical Synchronization
Enables the setting to perform periodical synchronization (Add, Delete, Update) of user information from the source service to the destination service every hour.
About Sync (Add, Delete, Update)
- Add: If a user exists only in the source service and not in the destination service, the user is added to the destination service.
- Delete: If a user does not exist in the source service but exists in the destination service, the user in the destination service is deleted.
- Update: If the same user exists in both the source and destination services and there are differences in items such as family name, display name, etc., the value in the destination service is updated to the value in the source service.
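The following added example (not HENNGE's code) models the dry-run classification from step 12 and the two settings from step 6: the Username derived per UPN Mode, and the Max Allowed Deletions guard that cancels a real sync (but not a dry run) when the deleted share reaches the configured percentage. The user records, names and the hypothetical function names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str          # source: Entra ID UserPrincipalName; destination: Access Control Username
    display_name: str
    family_name: str

def username_for(upn: str, upn_mode: bool) -> str:
    """Access Control Username derived from an Entra ID UPN (step 6, UPN Mode)."""
    return upn if upn_mode else upn.split("@", 1)[0]

def plan_sync(source, destination, upn_mode: bool):
    """Classify accounts as Add / Delete / Update, as a dry run previews them."""
    src = {username_for(u.name, upn_mode): u for u in source}
    dst = {u.name: u for u in destination}
    plan = []
    for name, u in src.items():
        if name not in dst:
            plan.append(("Add", name))        # only in source
        elif (u.display_name, u.family_name) != (dst[name].display_name, dst[name].family_name):
            plan.append(("Update", name))     # both sides, sync items differ
    plan.extend(("Delete", name) for name in dst if name not in src)  # only in destination
    return plan

def deletion_guard(plan, destination_count: int, max_allowed_deletions_pct: float) -> bool:
    """True if a real sync may proceed. Cancels when the share of destination users
    to be deleted reaches the configured percentage (e.g. 65% or more). Dry runs
    skip this guard, so their preview can exceed the tolerance."""
    if destination_count == 0:
        return True
    deletions = sum(1 for action, _ in plan if action == "Delete")
    return deletions * 100 / destination_count < max_allowed_deletions_pct

# Constructed sample data: Entra ID (source) and Access Control (destination, UPN Mode disabled).
SOURCE = [
    User("alice@example.com", "Alice", "Smith"),
    User("bob@example.com", "Robert", "Jones"),   # display name changed -> Update
    User("carol@example.com", "Carol", "Lee"),    # not yet in Access Control -> Add
]
DESTINATION = [
    User("alice", "Alice", "Smith"),
    User("bob", "Bob", "Jones"),
    User("dave", "Dave", "Kim"),                  # removed from Entra ID -> Delete
]

if __name__ == "__main__":
    plan = plan_sync(SOURCE, DESTINATION, upn_mode=False)
    for action, name in sorted(plan):
        print(f"{action:6} {name}")
    print("proceed at 65%:", deletion_guard(plan, len(DESTINATION), 65))
```

Running the plan with `upn_mode=True` against the same destination classifies every existing Username as Delete and every UPN as Add, which is why the guard exists and why UPN Mode cannot be changed after the first sync.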
15. Click [Check the Sync Logs] to check the sync results.
※ If [Entra ID Periodical Synchronization] is selected, no sync is performed at the moment periodical sync is enabled, so nothing appears in the sync log immediately.
After enabling periodical sync, periodical synchronization of user information is executed every hour, and the sync log is output.
For details on how to check the sync logs, please refer to the following article.
Check the Sync Logs (Modern View)
16. Set the initial password for each user on the Access Control side.
The password on the Microsoft Entra ID side is not synced for users created in Access Control through user sync.
Therefore, after synchronization is complete, it is necessary for the administrator to set the initial password on Access Control.
※ Users cannot log in to Access Control unless the password is set.
For information on how to set a password, please refer to the following articles.
Access Control User Information Editing
Access Control User Batch Update