Is Entra ID to AD provisioning supposed to work yet?

toby33 21 Reputation points
2024-02-28T06:16:13.0066667+00:00

I am exploring the Entra ID to AD provisioning preview and, despite appearing to be configured correctly and healthy, it's failing to provision users from Entra ID to a fresh on-prem AD instance.

The provisioning agent is in place, the cloud sync configuration is configured and enabled, scoping is set, target OU on-prem is set. Scoped groups get created. However, the scoped users do not. They fail with the below:

EntrySynchronizationSkip
Result: Skipped
Description: The User '[redacted]' will be skipped due to the following reasons: 1) This object is not assigned to the application. If you did not expect the object to be skipped, assign the object to the application or change your scoping filter to allow all users and groups to be in scope for provisioning. 2) This object does not have required entitlement for provisioning. If you did not expect the object to be skipped, update provisioning scope to 'Sync all users and groups' or assign the object to the application with entitlement of provisioning category 3) This object did not pass a scoping filter. If you did not expect the object to be skipped, please review your scoping filters and ensure that the object passes your specified scoping criteria. The scope evaluation result is: {"On-prem Owned Users.dirSyncEnabled IS TRUE":false}
SkipReason: NotEffectivelyEntitled
IsActive: True
Assigned to the application: False
IsInProvisioningScope: False
ScopeEvaluationResult: {"On-prem Owned Users.dirSyncEnabled IS TRUE":false}
ReportableIdentifier: [redacted]

It's showing "Assigned to the application" as false. But the application that was created for the sync does have the scoped group containing the scoped users directly assigned. This section below has me stumped, as I can't figure out what it's referring to and I can't find much info on it online.

ScopeEvaluationResult: {"On-prem Owned Users.dirSyncEnabled IS TRUE":false}

I have also checked all configs and tried various versions of configs on the provisioning agent side to no solution. I see a few people mentioning this same issue on MS and StackOverflow but with no resolution. And there seems to always be confusion in the responses regarding the direction of the syncing. It seems there's no broad awareness that there's an Entra ID to AD sync configuration, rather than the more common AD to Entra ID sync configuration. I am trying to establish a cloud first config that syncs Entra ID users and devices to an on-prem AD instance. I know this config is in preview, and this wouldn't be the first time I ran across a preview feature that just doesn't work at all, but I thought I would check on whether there's something I am missing.


Accepted answer
Givary-MSFT 32,311 Reputation points, Microsoft Employee
2024-02-28T11:45:57.8866667+00:00

@Toby Horton Thank you for reaching out to us. As I understand it, you are exploring the preview feature of Entra ID to AD (preview), through which you are trying to perform user writeback from Entra ID to on-premises AD.

I reviewed this documentation: https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/how-to-configure-entra-to-active-directory. This feature has been provided to offer group provisioning (group writeback) to Active Directory.

Also, if you review the scoping section, only groups from Entra ID (cloud security groups) are provisioned to on-premises AD, not the users.

We don't have an option for user writeback from Entra ID to on-premises AD; however, you can explore API-driven provisioning: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/inbound-provisioning-api-configure-app#configure-api-driven-inbound-provisioning-to-on-premises-ad:~:text=Microsoft%20Entra%20ID-,Configure%20API%2Ddriven%20inbound%20provisioning%20to%20on%2Dpremises%20AD,-After%20setting%20the and see if it helps to meet your requirements.

Let me know if you have any further questions; feel free to post back.

Please remember to "Accept Answer" if the answer helped, so that others in the community facing similar issues can easily find the solution.

2 people found this answer helpful.
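Added example, not code from the original thread, from the question author or from Microsoft. The skip record quoted in the question carries a ScopeEvaluationResult that is itself a small JSON object: one boolean per scoping-filter clause, keyed in the form "<scoping filter name>.<attribute> <operator> <value>". The PowerShell below reads provisioning-log entries in a layout that is an assumption modelled on the Microsoft Graph GET /auditLogs/provisioning response (a provisioningSteps array whose EntrySynchronizationSkip step carries a details dictionary with the same keys the portal shows: SkipReason, IsActive, Assigned to the application, IsInProvisioningScope, ScopeEvaluationResult, ReportableIdentifier) and lists, for each skipped object, the skip reason, the assignment and scope flags and the clause(s) that evaluated to false. The three entries are constructed. On that sample the cloud-created user fails the "On-prem Owned Users.dirSyncEnabled IS TRUE" clause, which is the expected outcome for an account that has never been synced from on-premises AD, since dirSyncEnabled is only set on synced objects; the group has no skip step and is not reported, matching the thread's observation that scoped groups are created while users are skipped.

```powershell
# Added example (not from the original thread or from Microsoft). Reports, for every
# skipped provisioning-log entry, which scoping-filter clause(s) evaluated to false.
# Entry layout is an ASSUMPTION modelled on Microsoft Graph GET /auditLogs/provisioning
# (provisioningSteps[] carrying a details dictionary); all three entries are constructed.

$sampleLog = @'
{
  "value": [
    {
      "id": "11111111-1111-1111-1111-111111111111",
      "activityDateTime": "2024-02-28T06:00:00Z",
      "provisioningStatusInfo": { "status": "skipped" },
      "sourceIdentity": { "displayName": "cloud.user1", "identityType": "User" },
      "provisioningSteps": [
        { "name": "EntryImport", "status": "success",
          "description": "Retrieved User 'cloud.user1' from Microsoft Entra ID", "details": {} },
        { "name": "EntrySynchronizationSkip", "status": "skipped",
          "description": "The User 'cloud.user1' will be skipped because it did not pass a scoping filter.",
          "details": {
            "SkipReason": "NotEffectivelyEntitled",
            "IsActive": "True",
            "Assigned to the application": "False",
            "IsInProvisioningScope": "False",
            "ScopeEvaluationResult": "{\"On-prem Owned Users.dirSyncEnabled IS TRUE\":false}",
            "ReportableIdentifier": "cloud.user1"
          } }
      ]
    },
    {
      "id": "22222222-2222-2222-2222-222222222222",
      "activityDateTime": "2024-02-28T06:00:01Z",
      "provisioningStatusInfo": { "status": "success" },
      "sourceIdentity": { "displayName": "OnPrem-Admins", "identityType": "Group" },
      "provisioningSteps": [
        { "name": "EntryImport", "status": "success",
          "description": "Retrieved Group 'OnPrem-Admins' from Microsoft Entra ID", "details": {} },
        { "name": "EntryExportAdd", "status": "success",
          "description": "Group 'OnPrem-Admins' was created in Active Directory", "details": {} }
      ]
    },
    {
      "id": "33333333-3333-3333-3333-333333333333",
      "activityDateTime": "2024-02-28T06:00:02Z",
      "provisioningStatusInfo": { "status": "skipped" },
      "sourceIdentity": { "displayName": "svc.backup", "identityType": "User" },
      "provisioningSteps": [
        { "name": "EntrySynchronizationSkip", "status": "skipped",
          "description": "The User 'svc.backup' will be skipped because it did not pass a scoping filter.",
          "details": {
            "SkipReason": "NotEffectivelyEntitled",
            "IsActive": "False",
            "Assigned to the application": "True",
            "IsInProvisioningScope": "False",
            "ScopeEvaluationResult": "{\"Pilot.department EQUALS 'IT'\":true,\"Pilot.accountEnabled IS TRUE\":false}",
            "ReportableIdentifier": "svc.backup"
          } }
      ]
    }
  ]
}
'@

function Get-ProvisioningSkipReport {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [object[]] $Entries)

    foreach ($entry in $Entries) {
        # Only entries that carry an EntrySynchronizationSkip step are of interest.
        $skip = @($entry.provisioningSteps | Where-Object { $_.name -eq 'EntrySynchronizationSkip' })
        if ($skip.Count -eq 0) { continue }
        $d = $skip[0].details

        # ScopeEvaluationResult is a JSON object with one boolean per scoping-filter clause,
        # keyed "<filter name>.<attribute> <operator> <value>". Collect the clauses that are false.
        $failed = @()
        if ($d.ScopeEvaluationResult) {
            $eval = $d.ScopeEvaluationResult | ConvertFrom-Json
            foreach ($clause in $eval.PSObject.Properties) {
                if (-not $clause.Value) { $failed += $clause.Name }
            }
        }

        [pscustomobject]@{
            Object        = $entry.sourceIdentity.displayName
            Type          = $entry.sourceIdentity.identityType
            When          = $entry.activityDateTime
            SkipReason    = $d.SkipReason
            AssignedToApp = ($d.'Assigned to the application' -eq 'True')
            InScope       = ($d.IsInProvisioningScope -eq 'True')
            FailedClauses = ($failed -join '; ')
        }
    }
}

$entries = ($sampleLog | ConvertFrom-Json).value
Get-ProvisioningSkipReport -Entries $entries | Format-Table -AutoSize

# Against a live tenant (assumed call, not shown on the page; needs the Microsoft.Graph
# module and the AuditLog.Read.All permission), replace the sample with:
#   Connect-MgGraph -Scopes 'AuditLog.Read.All'
#   $entries = (Invoke-MgGraphRequest -Method GET -OutputType PSObject `
#                 -Uri 'https://graph.microsoft.com/v1.0/auditLogs/provisioning').value
```

The report lists only cloud.user1 and svc.backup; cloud.user1 fails the dirSyncEnabled clause while being flagged as not assigned to the application, and svc.backup is assigned but fails the accountEnabled clause of a second filter, so the two cases that the skip description lumps together as "reasons 1) to 3)" are separated per object. The FailedClauses column is the part to read when a scoping filter, rather than assignment, is what keeps an object out of scope.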

0 additional answers
