Questions
When introducing Access Control, I want to import initial user information from Microsoft 365.
What tasks are necessary?
Answer
By following the steps below, you can sync user information from Microsoft 365 to Access Control.
Notes
- This procedure assumes that there are no users other than the initial administrator in Access Control.
If users have already been created in Access Control, please contact your HENNGE One implementation representative.
- The content of this article is based on the product specifications as of April 2025 and may change without notice thereafter.
- Global administrator privileges for Access Control and a global administrator account for Microsoft 365 are required to set up user sync.
- User passwords from Microsoft Entra ID are not synced to Access Control.
After user sync is complete, be sure to set the initial password on the Access Control side.
- If you are syncing users from Active Directory to Microsoft Entra ID, this task is not necessary.
- For the domain to be synced, change the domain of objects other than users.
Change UPN of objects other than users to onmicrosoft.com domain
- Execute the following steps to confirm that Microsoft Graph PowerShell can be used in your environment.
Install Microsoft Graph PowerShell SDK
Connect to Microsoft365 from Microsoft Graph PowerShell
Procedure
1. Access the [Provisioning Settings] from the Access Control Administration screen.
2. Select [+ Add Service] in the [Sync Source] menu.
3. Select the service to be synced from the sync service selection screen.
If the following screen is displayed, select [Entra ID].
4. The Microsoft 365 login screen will be displayed, so log in with a global administrator account.
5. The [Requested Permissions] screen will be displayed, so select [Accept].
6. Check the domain to be synced, set the UPN Mode and Max Allowed Deletions, and click [Continue].
・Domain
Check the domain to be synced.
・UPN Mode
Depending on the settings, the value set for the Username in Access Control will change.
※ The Username in Access Control cannot be changed later.
【When UPN Mode is enabled】
The UserPrincipalName attribute of Microsoft Entra ID is synced as the Username in Access Control.
Example: If the UserPrincipalName attribute of the user is "user@example.com", the Username will be "user@example.com".
【When UPN Mode is disabled】
The value up to @ of the UserPrincipalName attribute of Microsoft Entra ID is synced as the Username in Access Control.
Example: If the UserPrincipalName attribute of the user is "user@example.com", the Username will be "user".
7. The Microsoft Graph PowerShell command will be displayed on the screen, so copy the command and execute it with a global administrator account for Microsoft 365.
※ This screen is displayed regardless of whether the command has already been executed.
If this task has been completed in the past, proceed to step 10.
8. If prompted to log in to Microsoft 365, log in with an account that has global administrator privileges.
9. Confirm that no errors are output in red in the execution results of the Microsoft Graph PowerShell command executed in step 7.
If an error occurs, please refer to the following article.
Error Message Collection Microsoft Graph PowerShell
※ If the issue is not resolved, capture the error screen in question and inform your HENNGE One implementation representative.
10. Once you have confirmed that the Microsoft Graph PowerShell command was executed correctly, select [Continue].
11. Click [Start Dry Run] for each domain to be synced to output the expected user sync results.
※ If there are multiple domains, perform a dry run for each domain.
12. Select [Download Results] and check the downloaded dry run results (csv file).
※ If there are multiple domains, check the results for each domain.
Be sure to check the Dry Run results against the following points.
If the Dry Run results include unexpected users marked Add, press [Cancel], finish editing the user information, etc., and then try again.
If you have any questions, please contact your HENNGE One implementation support representative.
* The Immutable ID for each user is displayed in the right column of the exported user list.
If Update or Delete is displayed in the Dry Run results, the user already exists in Access Control.
Please contact your HENNGE One implementation support representative.
For details on the synchronization items during User synchronization, please refer to the following article.
What are the synchronization items for User synchronization with Access Control Microsoft 365?
13. If there are no issues with the content, click [Continue].
14. Select [Sync Now], review the precautions that are displayed, and if there are no issues, check the checkbox and click [Execute].
* When [Sync Now] is executed, user information synchronization runs immediately, and users are created in Access Control.
Execute it only after confirming that the Dry Run results are as expected.
About Sync (Add, Delete, Update)
- Add: If the user exists only in the Sync Source service and does not exist in the Sync Destination service, the user is added to the Sync Destination service.
- Delete: If the user does not exist in the Sync Source service and exists in the Sync Destination service, the user in the Sync Destination service is deleted.
- Update: If the same user exists in both the Sync Source and Sync Destination services and there are differences in items such as Family name, Display Name, etc., the value in the Sync Destination service is updated to the value in the Sync Source.
15. Click [Check the Sync Logs] to check the sync results.
For details on how to check the sync logs, please refer to the following article.
Check the Sync Logs
16. Set the initial password for each user on the Access Control side.
The password on the Microsoft Entra ID side is not synced for users created in Access Control through user synchronization.
Therefore, the administrator must set the initial password in Access Control after synchronization is complete.
* Unless the password is set, users cannot log in to Access Control.
For information on how to set the password, please refer to the following articles.
Edit User Information in Access Control
User Batch Update in Access Control
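
The dry run review in steps 12 and 13, combined with the UPN Mode mapping from step 6, can be scripted before [Sync Now] is executed. The PowerShell below is an added example, not code from HENNGE or Microsoft; the function name Test-DryRunResult, the CSV column names "Action" and "Username", and the sample rows are assumptions constructed for illustration.

```powershell
# Added example. The column names 'Action' and 'Username' are assumptions:
# match them to the header row of the CSV downloaded in step 12.
function Test-DryRunResult {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,         # rows parsed from the CSV
        [Parameter(Mandatory)] [string[]] $ExpectedUpn,  # users you intend to create
        [bool] $UpnMode = $true                          # UPN Mode chosen in step 6
    )
    # Username each expected user should receive under the chosen UPN Mode:
    # enabled = full UserPrincipalName, disabled = the part before '@'.
    $expected = @{}                                      # keys compare case-insensitively
    foreach ($upn in $ExpectedUpn) {
        $name = if ($UpnMode) { $upn } else { ($upn -split '@')[0] }
        $expected[$name] = $upn
    }
    $adds = @($Rows | Where-Object { $_.Action -eq 'Add' })
    # Update/Delete rows mean the user already exists in Access Control.
    $existing   = @($Rows | Where-Object { $_.Action -in 'Update', 'Delete' })
    $unexpected = @($adds | Where-Object { -not $expected.ContainsKey($_.Username) })
    $addNames   = @($adds | ForEach-Object { $_.Username })
    $missing    = @($expected.Keys | Where-Object { $_ -notin $addNames })
    [pscustomobject]@{
        AddCount      = $adds.Count
        UnexpectedAdd = @($unexpected | ForEach-Object { $_.Username })
        MissingAdd    = $missing
        ExistingUsers = @($existing | ForEach-Object { "$($_.Action): $($_.Username)" })
        # Proceed only when every Add is expected and no user pre-exists.
        Proceed       = ($unexpected.Count -eq 0 -and $existing.Count -eq 0)
    }
}

# Constructed sample data (not real export output).
$rows = @'
Action,Username
Add,alice
Add,bob
Add,svc-scanner
Update,carol
'@ | ConvertFrom-Csv

$expectedUpn = 'alice@example.com', 'bob@example.com', 'dave@example.com'

# UPN Mode disabled, so expected Usernames are alice, bob and dave.
$report = Test-DryRunResult -Rows $rows -ExpectedUpn $expectedUpn -UpnMode $false
$report | Format-List
```

For a real check, load the rows with Import-Csv from the downloaded file for each domain and pass the UPN Mode value actually selected in step 6, since the Username cannot be changed after the sync.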