I am exploring the Entra ID to AD provisioning preview and, although it appears to be configured correctly and healthy, it is failing to provision users from Entra ID to a fresh on-prem AD instance.
The provisioning agent is in place, the cloud sync configuration is configured and enabled, scoping is set, target OU on-prem is set.
Scoped groups get created. However, the scoped users do not. They fail with the below:
EntrySynchronizationSkip
Result: Skipped
Description: The User '[redacted]' will be skipped due to the following reasons: 1) This object is not assigned to the application. If you did not expect the object to be skipped, assign the object to the application or change your scoping filter to allow all users and groups to be in scope for provisioning. 2) This object does not have required entitlement for provisioning. If you did not expect the object to be skipped, update provisioning scope to 'Sync all users and groups' or assign the object to the application with entitlement of provisioning category 3) This object did not pass a scoping filter. If you did not expect the object to be skipped, please review your scoping filters and ensure that the object passes your specified scoping criteria. The scope evaluation result is: {"On-prem Owned Users.dirSyncEnabled IS TRUE":false}
SkipReason: NotEffectivelyEntitled
IsActive: True
Assigned to the application: False
IsInProvisioningScope: False
ScopeEvaluationResult: {"On-prem Owned Users.dirSyncEnabled IS TRUE":false}
ReportableIdentifier: [redacted]
It's showing "assigned to the application" as false. But the application that was created for the sync does have the scoped group containing the scoped users direct assigned.
This section below has me stumped as I can't figure out what it's referring to and I can't find much info on it online.
ScopeEvaluationResult: {"On-prem Owned Users.dirSyncEnabled IS TRUE":false}
I have also checked all configs and tried various versions of configs on the provisioning agent side, without success.
I see a few people mentioning this same issue on MS and StackOverflow but with no resolution. And there seems to always be confusion in the responses regarding the direction of the syncing. It seems there's no broad awareness that there's an Entra ID to AD sync configuration, rather than the more common AD to Entra ID sync configuration.
I am trying to establish a cloud first config that syncs Entra ID users and devices to an on-prem AD instance.
I know this config is in preview, and this wouldn't be the first time I ran across a preview feature that just doesn't work at all, but I thought I would check on whether there's something I am missing.
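The skip report above bundles three possible reasons and one scope evaluation clause. The following Python is an added example (not from the post or from Microsoft) that parses that ScopeEvaluationResult JSON, evaluates a "Filter.attribute IS TRUE" clause against a user record in the shape Microsoft Graph returns, and works out whether a user is assigned to the provisioning app directly or through a group. It assumes that the filter attribute dirSyncEnabled corresponds to the Graph user property onPremisesSyncEnabled (which Graph returns as null for users that have never been synced), and the user, group and service principal records are constructed sample data, not values from the poster's tenant.

```python
import json

# Assumed mapping from scoping-filter attribute names in the provisioning log
# to Microsoft Graph user properties. Only the one the log uses is listed.
ATTRIBUTE_MAP = {"dirSyncEnabled": "onPremisesSyncEnabled"}

# Constructed sample data (placeholder IDs, not real tenant objects).
SP_ID = "00000000-0000-0000-0000-00000000aaaa"   # provisioning app service principal
SCOPED_GROUP_ID = "00000000-0000-0000-0000-00000000bbbb"
SAMPLE_SCOPE_RESULT = '{"On-prem Owned Users.dirSyncEnabled IS TRUE":false}'
CLAUSE = "On-prem Owned Users.dirSyncEnabled IS TRUE"

# A cloud-created user: Graph reports onPremisesSyncEnabled as null.
CLOUD_ONLY_USER = {
    "id": "u-cloud-only",
    "userPrincipalName": "alice@contoso.example",
    "onPremisesSyncEnabled": None,
    "memberOf": [SCOPED_GROUP_ID],
}
# A user that already exists on-prem and is synced to Entra ID.
SYNCED_USER = {
    "id": "u-synced",
    "userPrincipalName": "bob@contoso.example",
    "onPremisesSyncEnabled": True,
    "memberOf": [SCOPED_GROUP_ID],
}
# Shape of GET /groups/{id}/appRoleAssignments, keyed by group id.
GROUP_ASSIGNMENTS = {SCOPED_GROUP_ID: [{"resourceId": SP_ID, "principalType": "Group"}]}


def failing_scope_clauses(scope_eval_json):
    """Return the clauses in a ScopeEvaluationResult JSON string that evaluated false."""
    result = json.loads(scope_eval_json)
    return [clause for clause, passed in result.items() if passed is False]


def parse_clause(clause):
    """Split 'Filter name.attribute IS TRUE|FALSE' into (filter name, attribute, expected bool)."""
    expr, _, expected = clause.rpartition(" IS ")
    if not expr or expected not in ("TRUE", "FALSE"):
        raise ValueError(f"unsupported scoping clause: {clause!r}")
    filter_name, _, attribute = expr.rpartition(".")
    return filter_name, attribute, expected == "TRUE"


def evaluate_clause(clause, user):
    """Evaluate one IS TRUE/IS FALSE clause against a Graph-shaped user record.

    A missing or null property counts as False, which is why a cloud-created
    user cannot satisfy a 'dirSyncEnabled IS TRUE' filter before it is synced.
    """
    _, attribute, expected = parse_clause(clause)
    graph_property = ATTRIBUTE_MAP.get(attribute, attribute)
    actual = bool(user.get(graph_property) or False)
    return actual == expected


def is_assigned(user, sp_id, user_assignments, group_assignments):
    """True if the user has an appRoleAssignment to the app directly or via a group it belongs to."""
    if any(a.get("resourceId") == sp_id for a in user_assignments):
        return True
    return any(
        a.get("resourceId") == sp_id
        for group_id in user.get("memberOf", [])
        for a in group_assignments.get(group_id, [])
    )


def skip_reasons(user, sp_id, clauses, user_assignments, group_assignments):
    """Reproduce the log's reasoning: list why the user would be skipped, or [] if in scope."""
    reasons = []
    if not is_assigned(user, sp_id, user_assignments, group_assignments):
        reasons.append("not assigned to the application")
    for clause in clauses:
        if not evaluate_clause(clause, user):
            reasons.append(f"did not pass scoping filter: {clause}")
    return reasons


if __name__ == "__main__":
    print("failing clauses in log:", failing_scope_clauses(SAMPLE_SCOPE_RESULT))
    for user in (CLOUD_ONLY_USER, SYNCED_USER):
        print(user["userPrincipalName"], "->",
              skip_reasons(user, SP_ID, [CLAUSE], [], GROUP_ASSIGNMENTS) or "in scope")
```

Run against the constructed records, the cloud-only user is assigned through the group but still fails the dirSyncEnabled clause, while the already-synced user passes; the two results are separate checks, which is why the log reports the assignment flag and the scope evaluation independently.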