On-demand provisioning in Azure AD Connect cloud sync
You can use the cloud sync feature of Azure Active Directory (Azure AD) Connect to test configuration changes by applying these changes to a single user. This on-demand provisioning helps you validate and verify that the changes made to the configuration were applied properly and are being correctly synchronized to Azure AD.
When you use on-demand provisioning, the scoping filters are not applied to the user that you selected. This means you can use on-demand provisioning on users who are outside the organizational units that you specified.
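Because scoping filters are skipped, it can help to check whether a distinguished name falls under your scoped organizational units before you enter it. The following Python helper is an added example, not part of the original article or of Azure AD Connect. The OU list, the sample DNs and the function names are constructed, and it assumes the configuration is scoped by organizational unit only.

```python
def split_dn(dn):
    """Split a DN into normalized RDNs, honoring backslash-escaped commas."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(dn[i])
        i += 1
    rdns.append("".join(current))
    return [normalize_rdn(r) for r in rdns]


def normalize_rdn(rdn):
    """Lower-case an RDN such as 'OU=Sales' so comparison ignores case."""
    attr, sep, value = rdn.lstrip().partition("=")
    if not sep or not attr.strip() or not value:
        raise ValueError(f"malformed RDN: {rdn!r}")
    return f"{attr.strip().casefold()}={value.casefold()}"


def matching_scope(user_dn, scoped_ous):
    """Return the scoped OU that contains user_dn, or None if out of scope."""
    user = split_dn(user_dn)
    for ou in scoped_ous:
        base = split_dn(ou)
        # The user must sit strictly below the OU: same trailing RDNs, more depth.
        if len(user) > len(base) and user[-len(base):] == base:
            return ou
    return None


# Constructed sample data: hypothetical scoping OU and user DNs.
SCOPED_OUS = ["OU=Sales,DC=contoso,DC=com"]
SAMPLE_DNS = [
    r"CN=Smith\, Jane,OU=Sales,DC=contoso,DC=com",
    "CN=svc-backup,OU=Service Accounts,DC=contoso,DC=com",
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        scope = matching_scope(dn, SCOPED_OUS)
        print(f"{dn}: {'in scope of ' + scope if scope else 'OUT OF SCOPE'}")
```

A DN reported as out of scope would still be provisioned by the on-demand run, so treat that result as a prompt to confirm the user is one you intend to test with.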
Validate a user
To use on-demand provisioning, follow these steps:
1. In the Azure portal, select Azure Active Directory.
2. Select Azure AD Connect.
3. Select Manage cloud sync.
4. Under Configuration, select your configuration.
5. Under Validate, select the Provision a user button.
6. On the Provision on demand screen, enter the distinguished name of a user and select the Provision button.
After provisioning finishes, a success screen appears with four green check marks. Any errors appear to the left.
Get details about provisioning
Now you can look at the user information and determine if the changes that you made in the configuration have been applied. The rest of this article describes the individual sections that appear in the details of a successfully synchronized user.
Import user
The Import user section provides information on the user who was imported from Active Directory. This is what the user looks like before provisioning into Azure AD. Select the View details link to display this information.
By using this information, you can see the various attributes (and their values) that were imported. If you created a custom attribute mapping, you can see the value here.
Determine if user is in scope
The Determine if user is in scope section provides information on whether the user who was imported to Azure AD is in scope. Select the View details link to display this information.
By using this information, you can see if the user is in scope.
Match user between source and target system
The Match user between source and target system section provides information on whether the user already exists in Azure AD and whether a join should occur instead of provisioning a new user. Select the View details link to display this information.
By using this information, you can see whether a match was found or if a new user is going to be created.
The matching details show a message with one of the following three operations:
- Create: A user is created in Azure AD.
- Update: A user is updated based on a change made in the configuration.
- Delete: A user is removed from Azure AD.
Depending on the type of operation that you've performed, the message will vary.
Perform action
The Perform action section provides information on the user who was provisioned or exported into Azure AD after the configuration was applied. This is what the user looks like after provisioning into Azure AD. Select the View details link to display this information.
By using this information, you can see the values of the attributes after the configuration was applied. Do they look similar to what was imported, or are they different? Was the configuration applied successfully?
This process enables you to trace the attribute transformation as it moves through the cloud and into your Azure AD tenant.