
How to Sync User From Entra ID to On-Premises AD?

2026-02-05T08:26:24.01+00:00

I have users from Microsoft Entra ID that I want to be synchronized automatically from Entra ID to the on-premises Active Directory. I have already run Cloud Sync (Microsoft Entra ID to AD Sync) and installed the Microsoft Entra Provisioning Agent.

However, the user that I want to provision automatically is not created in the on-premises Active Directory, while the group is successfully created. When I run Provision on Demand, the user provisioning process is skipped.


Provisioning Log (User):

2/5/26, 10:37:05 AM

Display name: demo02

Source ID: PII

Operation: Create

Source: Microsoft Entra ID

Target: Active Directory

Result: Skipped

Group:

Display name: PII

Object ID: PII


EntrySynchronizationSkip

Result: Skipped

Description: The user 'PII' was skipped for the following reasons:

This object is not assigned to the application. If this behavior is not expected, assign the object to the application or change the scoping filter to allow all users and groups to be in scope for provisioning.

This object does not have the required entitlement for provisioning. If this behavior is not expected, update the provisioning scope to “Sync all users and groups” or assign the object to the application with the appropriate provisioning entitlement.

This object did not pass a scoping filter. If this behavior is not expected, review the scoping filters and ensure that the object meets the defined scoping criteria.

Scope evaluation result:

{"On-prem Owned Users.dirSyncEnabled IS TRUE": false}

Additional Details

SkipReason: NotEffectivelyEntitled

IsActive: True

Assigned to the application: False

IsInProvisioningScope: False

ReportableIdentifier: PII

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. AI answer

    2026-02-05T08:26:39.4733333+00:00

    To synchronize users from Microsoft Entra ID to on-premises Active Directory (AD), you need to ensure that the users meet the necessary criteria for provisioning. Based on the log details you provided, the user provisioning process was skipped due to several reasons:

    1. Not Assigned to the Application: The user is not assigned to the application. You need to assign the user to the application or adjust the scoping filter to include all users and groups.
    2. Lack of Required Entitlement: The user does not have the required entitlement for provisioning. You can either update the provisioning scope to "Sync all users and groups" or assign the user to the application with the appropriate provisioning entitlement.
    3. Scoping Filter Issues: The user did not pass the scoping filter. Review the scoping filters to ensure that the user meets the criteria defined for provisioning.

    To resolve these issues, consider the following steps:

    • Assign the user to the application that is configured for provisioning.
    • Ensure that the user has the necessary entitlements for provisioning.
    • Review and modify the scoping filters as needed to include the user in the provisioning scope.

    Once these adjustments are made, you can attempt the provisioning process again.
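
As an added example, not part of the question or the answer above: a small Python parser for the skip entry pasted in the question, which surfaces any scoping clause that evaluated to false alongside the assignment flags. The function names and the abridged sample text are constructed for illustration.

```python
import json
import re

# Constructed sample: the question's skip entry, abridged ('PII' is the page's redaction).
SAMPLE_LOG = """\
EntrySynchronizationSkip
Result: Skipped
Description: The user 'PII' was skipped for the following reasons:
This object is not assigned to the application. If this behavior is not expected, ...
Scope evaluation result:
{"On-prem Owned Users.dirSyncEnabled IS TRUE": false}
Additional Details
SkipReason: NotEffectivelyEntitled
IsActive: True
Assigned to the application: False
IsInProvisioningScope: False
"""

def parse_skip_entry(text):
    """Split a pasted skip entry into fields, reasons and scope clauses."""
    entry = {"fields": {}, "reasons": [], "scope": {}}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    for i, line in enumerate(lines):
        if line.startswith("This object"):
            # Keep the first sentence; the rest is remediation text.
            entry["reasons"].append(line.split(". ")[0].rstrip("."))
        elif line.startswith("Scope evaluation result") and i + 1 < len(lines):
            try:
                entry["scope"] = json.loads(lines[i + 1])
            except json.JSONDecodeError:
                entry["scope"] = {}  # truncated paste: clauses unknown
        elif re.match(r"[A-Za-z ]+: \S", line):
            key, value = line.split(": ", 1)
            entry["fields"][key] = value
    return entry

def diagnose(entry):
    """List findings, most specific first."""
    fields, findings = entry["fields"], []
    # A clause that evaluated to false names the exact attribute test that failed.
    for clause, passed in entry["scope"].items():
        if passed is False:
            findings.append(f"scoping clause failed: {clause}")
    if fields.get("Assigned to the application") == "False":
        findings.append("not assigned to the provisioning application")
    if fields.get("IsInProvisioningScope") == "False":
        findings.append("outside the provisioning scope")
    if "SkipReason" in fields:
        findings.append(f"skip reason: {fields['SkipReason']}")
    return findings
```

Calling `diagnose(parse_skip_entry(SAMPLE_LOG))` puts the failed `dirSyncEnabled` clause first, ahead of the assignment and scope flags.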

