Once the service is configured, most insights into the operation of the service can be drawn from two places.
Provisioning logs (preview) – The provisioning logs record all operations performed by the provisioning service. The logs include querying Microsoft Entra ID for assigned users that are in scope for provisioning. Query the target app for the existence of those users, comparing the user objects between the system. Then add, update, or disable the user account in the target system based on the comparison. You access the provisioning logs in the Microsoft Entra admin center by selecting Identity > Applications > Enterprise applications > Provisioning logs in the Activity section.
Current status – A summary of the last provisioning run for a given app can be seen in the Identity > Applications > Enterprise applications > [Application Name] > Provisioning section, at the bottom of the screen under the service settings. The Current Status section shows if a provisioning cycle starts provisioning user accounts. Watch the progress of the cycle, see how many users and groups are provisioned, and how many roles are created. If there are errors, details can be found in the [Provisioning logs] (~/identity/monitoring-health/concept-provisioning-logs.md?context=azure/active-directory/manage-apps/context/manage-apps-context).
Provisioning service doesn't appear to start
You set the Provisioning Status to be On in the Identity > Applications > Enterprise applications > [Application Name] > Provisioning section of the Microsoft Entra admin center. However, no other status details are shown on the page after subsequent reloads. It's likely that the service is running but an initial cycle didn't complete. Check the Provisioning logs to determine what operations the service is performing, and if there are any errors.
Note
An initial cycle takes between 20 minutes and several hours. The time depends on the size of the Microsoft Entra directory and the number of users in scope for provisioning. Subsequent syncs are faster, as the provisioning service stores watermarks that represent the state of both systems after the initial cycle. The watermarks improve performance of subsequent syncs.
Can’t save configuration due to app credentials not working
Microsoft Entra ID requires valid credentials for provisioning. The credentials connect to a user management API provided by the app. If the credentials don’t work, or you don’t know what they are, review the tutorial for setting up the app.
Provisioning logs say users are skipped and not provisioned even though they're assigned
Read the extended details in the log message to determine why a user shows up as skipped in the provisioning logs. Common reasons and resolutions include:
The user is “not effectively entitled”. There's a problem with the user assignment record stored in Microsoft Entra ID. To fix this issue, unassign the user (or group) from the app, and reassign it again. For more information, see Assign a user or group to an enterprise app.
A required attribute is missing or not populated for a user. Review and configure the attribute mappings and workflows that define which user (or group) properties flow from Microsoft Entra ID to the application. Check the setting matching property that is used to uniquely identify and match users/groups between the two systems. For more information, see Customizing user provisioning attribute-mappings.
Attribute mappings for groups: Provisioning of the group name and group details, in addition to the members, if supported for some applications. You enable or disable the functionality using the Mapping for group objects shown in the Provisioning tab. If provisioning groups are enabled, review the attribute mappings to ensure an appropriate field is being used for matching ID. The field is the display name or email alias. The group and its members aren't provisioned if the matching property is empty or not populated for a group in Microsoft Entra ID.