Target
- Customers synchronizing users from Microsoft Entra ID to Access Control
Purpose
- This document explains the procedures for manual and periodic synchronization of user information from Microsoft Entra ID to Access Control.
Notes
- The content of this article is based on the product specifications as of May 2026 and may change without notice.
- Setting up user synchronization requires global administrator privileges for Access Control and a global administrator account for Microsoft 365.
- Please refer to the following article for how to access the administration console.
How to Access the HENNGE Access Control Administration Console
- User synchronization needs to be set up on a domain basis.
- Before executing user synchronization, it is necessary to register the required users in Microsoft Entra ID.
- Microsoft Entra ID user passwords are not synchronized to Access Control.
After user synchronization is complete, it is essential to set an initial password on the Access Control side.
- Once periodic synchronization is enabled, user information will be synchronized every hour.
※ The synchronization interval cannot be changed.
- If you are synchronizing users from Active Directory to Access Control, this task is not necessary.
Pre-checks
- For the domain scheduled for synchronization, change the domain of objects other than users.
Change UPN of Non-user Objects to onmicrosoft.com Domain
Procedure
- Access [Provisioning Settings] from the Access Control administration console.
- Select [+ Add Service] under [SYNC SOURCE].
- Select [Entra ID] from the synchronization service selection screen.
If the [Use Saved Data] menu is displayed, select [Use Saved Data] and proceed to step 6.
※ This menu is displayed if step 5, [Required Permissions], has been completed.
- The Microsoft 365 login screen will be displayed, so log in with a global administrator account.
- The [Required Permissions] screen will be displayed, so select [Accept].
- Check the domain to be synchronized, set the UPN mode and user deletion tolerance rate, and click [Continue].
  - DOMAIN
  Check the domain to be synchronized.
  - MAX ALLOWED DELETIONS
  If a user deletion process exceeding the set percentage is attempted, the process will be canceled to prevent unintended mass user deletions.
  Example: If the user deletion tolerance rate is 65%, the process will be canceled if 65% or more of the users are deleted during synchronization.
  - UPN Mode
  Depending on the setting, the value set for the username in Access Control will change.
  ※ The username in Access Control cannot be changed later.
  [When UPN Mode is Enabled]
  Synchronize the UserPrincipalName attribute of Microsoft Entra ID as the username in Access Control.
  Example: If the UserPrincipalName attribute of the user is "user@example.com", the username will be "user@example.com".
  [When UPN Mode is Disabled]
  Synchronize the value up to the @ of the UserPrincipalName attribute of Microsoft Entra ID as the username in Access Control.
  Example: If the UserPrincipalName attribute of the user is "user@example.com", the username will be "user".
- The [Required Permissions] screen will be displayed, so check [Consent on behalf of your organization] and select [Accept].
※ If the screen does not appear and proceeds to the next screen, it is already authenticated, so proceed to the next step.
- Click [Start Dry Run] for each domain to be synchronized and output the expected user synchronization results.
※ If there are multiple domains, perform a sync preview for each domain.
- Select [Download Results] and check the downloaded sync preview results (CSV file).
※ If there are multiple domains, check the results for each domain.
※ The sync preview does not apply the user deletion tolerance rate, so there is a possibility that a preview of user deletions exceeding the tolerance rate will be output.
Please be sure to check the sync preview results with reference to the following.
If unexpected Add, Delete, or Update users are included in the sync results, press [Cancel] and try again after completing user information editing, etc.
If you have any questions, please contact your HENNGE One onboarding guide.
※ The order of the user list at the time of sync preview result output cannot be changed.
※ The Immutable ID for each user is displayed in the right column of the output user list.
If Add or Delete is Displayed in the Sync Preview Results
Check if the users targeted for Add or Delete are the expected users.
If there are users you want to exclude from Add or Delete, click [Cancel] and try again after registering or deleting user information on the Access Control or Microsoft Entra ID side.
If Update is Displayed in the Sync Preview Results
Check if the values of the sync items for the users targeted for Update are as expected.
By comparing the user information registered in Access Control with the user information registered in Microsoft 365, you can check the update details.
If there are unexpected users in the Update content, click [Cancel] and try again after editing user information on the Access Control or Microsoft Entra ID side.
For details on the sync items during user synchronization, please refer to the following article.
What are the Sync Items for User Synchronization with Access Control Microsoft 365?
- If there are no issues with the content, click [Continue].
- Select [Set Up Periodic Sync] or [Sync Now], check the displayed notes, and if there are no issues, check the checkbox and click [Execute].
※ It is recommended to enable periodic sync only after performing a sync preview and Sync Now to confirm that synchronization can be performed as expected.
Sync Now
Immediately performs synchronization (add, delete, update) of user information.
※ Executing [Sync Now] will immediately perform synchronization (add, delete, update) of user information, and the users in HENNGE Access Control will be updated.
Please execute after confirming that the sync preview results are as expected.
Set Up Periodic Sync
Enables the setting to perform periodic synchronization (add, delete, update) of user information from the source service to the destination service every hour.
About Synchronization (Add, Delete, Update)
- Add: If a user exists only in the source service and does not exist in the destination service, the user will be added to the destination service.
- Delete: If a user does not exist in the source service and exists in the destination service, the user in the destination service will be deleted.
- Update: If the same user exists in both the source and destination services and there are differences in items such as family name, display name, etc., the value in the destination service will be updated to the value in the source service.
- Click [Check the Sync Logs] to check the synchronization results.
※ If [Set Up Periodic Sync] is selected, synchronization processing will not be performed at the stage of enabling periodic synchronization, so it will not be displayed in the sync logs immediately.
After enabling periodic synchronization, periodic synchronization of user information will be executed every hour, and sync logs will be output.
For details on how to check the synchronization logs, please refer to the following article.
[Access Control] Check Sync Logs
- Set the initial password for each user on the Access Control side.
The password from the Microsoft Entra ID side is not synchronized for users created in Access Control through user synchronization.
Therefore, it is necessary for the administrator to set an initial password on Access Control after synchronization is complete.
※ Users cannot log in to Access Control unless the password is set.
For how to set the password, please refer to the following article.
[Access Control] Bulk Update Users
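
The following sketch is an added example, not HENNGE's code: it models the Add/Delete/Update rules, the UPN mode username mapping, and the MAX ALLOWED DELETIONS check from the procedure above, so a sync preview can be checked against the tolerance rate that the preview itself does not apply. Matching users by Immutable ID, taking the deletion rate over the current destination user count, and comparing only the display name are assumptions; the sample users are constructed.

```python
# Added example: models the sync rules described on this page; not product code.

def username_for(upn: str, upn_mode: bool) -> str:
    """UPN mode enabled: full UserPrincipalName; disabled: the part before '@'."""
    return upn if upn_mode else upn.split("@", 1)[0]

def plan_sync(source, destination, upn_mode, max_deletions_pct):
    """source: {immutable_id: (upn, display_name)} from Microsoft Entra ID.
    destination: {immutable_id: (username, display_name)} in Access Control.
    Assumptions: users are matched by Immutable ID, the deletion rate is taken
    over the current destination user count, and only display_name is compared."""
    src_ids, dst_ids = set(source), set(destination)
    adds = sorted(username_for(source[i][0], upn_mode) for i in src_ids - dst_ids)
    deletes = sorted(destination[i][0] for i in dst_ids - src_ids)
    updates = sorted(destination[i][0] for i in src_ids & dst_ids
                     if source[i][1] != destination[i][1])
    rate = 100.0 * len(deletes) / len(destination) if destination else 0.0
    # Page example: at a 65% setting, 65% or more deletions cancels the sync.
    cancelled = bool(deletes) and rate >= max_deletions_pct
    return {"add": adds, "delete": deletes, "update": updates,
            "delete_rate": rate, "cancelled": cancelled}

# Constructed sample data (not real accounts).
DESTINATION = {
    "id-1": ("alice", "Alice A"),
    "id-2": ("bob", "Bob B"),
    "id-3": ("carol", "Carol C"),
    "id-4": ("dave", "Dave D"),
}
SOURCE = {
    "id-1": ("alice@example.com", "Alice Anderson"),  # display name differs -> Update
    "id-5": ("erin@example.com", "Erin E"),           # only in the source -> Add
}

if __name__ == "__main__":
    plan = plan_sync(SOURCE, DESTINATION, upn_mode=False, max_deletions_pct=65)
    for key, value in plan.items():
        print(f"{key}: {value}")
```

With the constructed data, three of four destination users are missing from the source, so a live sync at a 65% setting would be cancelled even though the preview would still list the deletions.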