Monitoring and Logs
Once provisioning is running, you need to monitor its health, diagnose failures, and set up alerting for critical events. Entra ID provides several monitoring surfaces, from the in-portal progress bar to deep integration with Azure Monitor and Log Analytics.
Provisioning Progress Bar
The quickest health check is the progress bar on the application’s Provisioning page:
- Navigate to Entra ID > Enterprise apps > [your app] > Provisioning.
- Scroll to the Current Status section.
The progress bar shows:
- Total users and groups synchronized and in scope.
- Last sync timestamp and whether it was an initial or incremental cycle.
- Initial cycle completion status.
- Quarantine indicator with the reason if the job is quarantined.
This is the first place to check when you suspect a provisioning issue. If the progress bar shows quarantine, investigate immediately.
Provisioning Logs
Provisioning logs record every operation the service performs. They are the primary diagnostic tool for understanding what happened to a specific user.
Accessing Logs
Two paths:
- Per-application: Entra ID > Enterprise apps > [your app] > Provisioning logs (in the Activity section).
- Cross-application: Entra ID > Monitoring and health > Provisioning logs.
Reading a Log Entry
Each log entry contains:
| Field | What it tells you |
|---|---|
| Date | When the operation occurred |
| Identity | The user or group being processed |
| Action | Create, Update, Disable, Delete, or Other |
| Source System | Where the identity came from (Entra ID for outbound) |
| Target System | The application being provisioned to |
| Status | Success, Failure, Skipped, or Warning |
| Status Reason | Why the operation succeeded, failed, or was skipped |
| Provisioning Steps | Detailed breakdown of each step the engine took |
The Provisioning Steps detail is the most useful part. It shows:
- Import from the source system.
- Scoping evaluation (did the user pass scoping filters?).
- Matching against the target system.
- Determine action (create, update, or skip).
- Export to the target system (the actual API call and response).
If a user was skipped, the scoping step explains why (not assigned, filtered out by scoping filter, missing required attribute). If an operation failed, the export step shows the error response from the target application.
Filtering Logs
You can filter provisioning logs by:
- Date range: Focus on a specific time window.
- Status: Show only failures, successes, or skipped entries.
- Identity: Search by user name or identifier in either the source or target system.
- Action: Show only creates, updates, deletes, etc.
Downloading Logs
You can download provisioning logs as CSV or JSON for offline analysis. This is useful for large-scale troubleshooting or sharing with support teams.
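A downloaded JSON export is easy to triage in code. The added example below (not part of the original page) groups skipped identities by the reason recorded in their scoping step and failed identities by the step that failed, falling back to an earlier step when the entry never reached export; the record shape follows the Graph provisioningObjectSummary resource as an assumption, and the sample records are constructed.

```python
import json
from collections import defaultdict

# Constructed sample of a JSON log export. Field names (statusInfo, provisioningSteps,
# provisioningStepType) follow the Graph provisioningObjectSummary shape as an assumption;
# the descriptions are constructed values, not copied from a real tenant.
SAMPLE_EXPORT = json.dumps([
    {"action": "Create", "sourceIdentity": {"displayName": "Ada"},
     "statusInfo": {"status": "success"},
     "provisioningSteps": [{"provisioningStepType": "import", "status": "success"},
                           {"provisioningStepType": "scoping", "status": "success"},
                           {"provisioningStepType": "export", "status": "success"}]},
    {"action": "Other", "sourceIdentity": {"displayName": "Bob"},
     "statusInfo": {"status": "skipped"},
     "provisioningSteps": [{"provisioningStepType": "import", "status": "success"},
                           {"provisioningStepType": "scoping", "status": "skipped",
                            "description": "User not assigned to the application"}]},
    {"action": "Update", "sourceIdentity": {"displayName": "Cy"},
     "statusInfo": {"status": "failure"},
     "provisioningSteps": [{"provisioningStepType": "import", "status": "success"},
                           {"provisioningStepType": "scoping", "status": "success"},
                           {"provisioningStepType": "export", "status": "failure",
                            "description": "401 Unauthorized returned by target"}]},
    {"action": "Update", "sourceIdentity": {"displayName": "Dee"},
     "statusInfo": {"status": "failure"},
     "provisioningSteps": [{"provisioningStepType": "import", "status": "success"},
                           {"provisioningStepType": "scoping", "status": "success"},
                           {"provisioningStepType": "matching", "status": "failure",
                            "description": "Multiple target users matched"}]},
])

def triage(export_json: str) -> dict:
    """Group skipped identities by scoping reason and failed ones by the failing step."""
    skipped, failed = defaultdict(list), defaultdict(list)
    for entry in json.loads(export_json):
        status = entry["statusInfo"]["status"].lower()
        who = entry["sourceIdentity"]["displayName"]
        steps = entry.get("provisioningSteps", [])
        if status == "skipped":
            # The scoping step carries the skip reason (not assigned, filtered out, ...).
            scoping = next((s for s in steps if s["provisioningStepType"] == "scoping"), {})
            skipped[scoping.get("description", "unknown")].append(who)
        elif status == "failure":
            # Normally the export step holds the target's error response; if the entry
            # never reached export, report whichever earlier step failed instead.
            bad = next((s for s in steps if s["status"] == "failure"), {})
            key = f"{bad.get('provisioningStepType', '?')}: {bad.get('description', 'unknown')}"
            failed[key].append(who)
    return {"skipped": dict(skipped), "failed": dict(failed)}
```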
Quarantine Status
Quarantine is the provisioning service’s circuit breaker. When too many operations fail, the service reduces cycle frequency to protect both Entra ID and the target application from cascading failures.
What Triggers Quarantine
Three main causes:
- Invalid credentials. The admin credentials for the target application are expired, revoked, or incorrect. This is the most common cause.
- SCIM compliance failures. The target endpoint returns unexpected responses (e.g., 404 instead of 200 for user queries).
- Proportional escrow threshold. More than 40% of provisioning operations fail, with a minimum of 5,000 total operations evaluated. There is also an absolute threshold of 60,000 total failures.
Quarantine Behavior
- Incremental cycle frequency drops to once per day.
- A notification email is sent to the configured notification address.
- If quarantine persists for more than four weeks, the provisioning job is disabled entirely.
Getting Out of Quarantine
- Fix the root cause. Usually this means updating admin credentials or fixing the target endpoint.
- Restart provisioning. On the Provisioning page, click Restart provisioning. This triggers a new initial cycle, clears escrow counters, and removes the quarantine state.
- Or use the Graph API for more precise control:

```http
POST /servicePrincipals/{id}/synchronization/jobs/{jobId}/restart
{
  "criteria": {
    "resetScope": "Quarantine"
  }
}
```

This clears the quarantine flag without forcing a full initial cycle.
Checking Quarantine Programmatically
```http
GET /servicePrincipals/{id}/synchronization/jobs/{jobId}
```

The response includes status.code, which is Quarantine when the job is quarantined, and status.quarantine.reason, which explains why.
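The two checks above, the quarantine fields in the job response and the escrow thresholds from the "What Triggers Quarantine" list, as an added example that is not part of the original page. The job JSON is a constructed sample of the GET response body, not a live call, and the reason string is a constructed placeholder.

```python
import json
from typing import Optional, Tuple

# Constructed sample of the GET .../synchronization/jobs/{jobId} response body.
# Only status.code and status.quarantine.reason are used; the reason string is
# a constructed placeholder, not a value captured from a real tenant.
SAMPLE_JOB_STATUS = json.dumps({
    "id": "<jobId>",
    "status": {
        "code": "Quarantine",
        "quarantine": {"currentBegan": "2024-05-01T06:00:00Z",
                       "reason": "EncounteredEscrowProportionThreshold"},
    },
})

PROPORTION_THRESHOLD = 0.40         # more than 40% of operations failing ...
MIN_EVALUATED_OPS = 5000            # ... once at least 5,000 operations were evaluated
ABSOLUTE_FAILURE_THRESHOLD = 60000  # or 60,000 total failures regardless of proportion

def quarantine_state(job_json: str) -> Tuple[bool, Optional[str]]:
    """Return (is_quarantined, reason) from a synchronization job resource."""
    status = json.loads(job_json).get("status", {})
    if status.get("code") != "Quarantine":
        return False, None
    return True, status.get("quarantine", {}).get("reason")

def escrow_threshold_hit(total_ops: int, failed_ops: int) -> Optional[str]:
    """Apply the escrow rules; return 'absolute', 'proportional', or None."""
    if failed_ops >= ABSOLUTE_FAILURE_THRESHOLD:
        return "absolute"
    # Below the minimum sample size the proportion is not evaluated at all,
    # so a small number of early failures does not trip this rule.
    if total_ops >= MIN_EVALUATED_OPS and failed_ops / total_ops > PROPORTION_THRESHOLD:
        return "proportional"
    return None
```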
Azure Monitor and Log Analytics Integration
For long-term retention, custom dashboards, and advanced alerting, stream provisioning logs to Azure Monitor.
Setup
- Navigate to Entra ID > Monitoring and health > Diagnostic settings.
- Click Add diagnostic setting.
- Check ProvisioningLogs.
- Select Send to Log Analytics workspace and choose your workspace.
- Save.
Logs start flowing within a few minutes. They are stored in the AADProvisioningLogs table.
Useful KQL Queries
Error summary by error code:

```kusto
AADProvisioningLogs
| summarize count() by ErrorCode = ResultSignature
```

Daily operation counts by action type:

```kusto
AADProvisioningLogs
| where TimeGenerated > ago(7d)
| summarize count() by Action, bin(TimeGenerated, 1d)
```

Find all operations for a specific user:

```kusto
AADProvisioningLogs
| extend SourceIdentity = parse_json(SourceIdentity)
| where tostring(SourceIdentity.Id) == "<user-object-id>"
```

Failures over time (for spotting spikes):

```kusto
AADProvisioningLogs
| where ResultType == "Failure"
| summarize count() by bin(TimeGenerated, 1h)
| render timechart
```
Pre-Built Workbooks
Entra ID provides two pre-built workbooks in Azure Monitor:
- Provisioning Analysis: Summary of provisioning activity, error breakdown, and user lifecycle events.
- Provisioning Insights: Deeper analysis of specific applications and time ranges.
Access them from Entra ID > Monitoring and health > Workbooks.
Alerting Patterns
Set up alerts in Azure Monitor to get notified about critical provisioning events.
Alert on Quarantine
Create a log alert that fires when the provisioning status changes to quarantine. Alternatively, monitor the notification email address configured in the provisioning settings.
Alert on Failure Spikes
```kusto
AADProvisioningLogs
| where ResultType == "Failure"
| summarize FailureCount = count() by bin(TimeGenerated, 1h)
| where FailureCount > 50
```
Set this as a log alert rule with a 1-hour evaluation window.
Alert on No Activity
If the provisioning service stops running entirely, there will be no log entries:
```kusto
AADProvisioningLogs
| where TimeGenerated > ago(2h)
| summarize count()
```
Alert if the count is zero, which suggests the service is stopped or disabled.
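Before wiring these rules into alert rules, it helps to see them run against known input. The added example below (not part of the original page) re-implements the failure-spike and no-activity checks, plus the error-code summary from the KQL section, over constructed rows that use the same AADProvisioningLogs column names (TimeGenerated, ResultType, ResultSignature).

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List

def _t(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sample rows in the shape of the AADProvisioningLogs columns used by
# the KQL on this page: 52 failures inside the 09:00 hour, then one success at 10:15.
SAMPLE_ROWS: List[Dict] = (
    [{"TimeGenerated": _t(f"2024-05-01T09:{m:02d}:00"), "ResultType": "Failure",
      "ResultSignature": "ConstructedInvalidCredentialCode"} for m in range(52)]
    + [{"TimeGenerated": _t("2024-05-01T10:15:00"), "ResultType": "Success",
        "ResultSignature": ""}]
)

FAILURE_SPIKE_THRESHOLD = 50             # "| where FailureCount > 50"
NO_ACTIVITY_WINDOW = timedelta(hours=2)  # "| where TimeGenerated > ago(2h)"

def failure_spikes(rows: List[Dict], threshold: int = FAILURE_SPIKE_THRESHOLD) -> Dict[datetime, int]:
    """Hourly failure buckets above the threshold (summarize ... by bin(TimeGenerated, 1h))."""
    buckets = Counter(r["TimeGenerated"].replace(minute=0, second=0, microsecond=0)
                      for r in rows if r["ResultType"] == "Failure")
    return {hour: n for hour, n in buckets.items() if n > threshold}

def no_activity(rows: List[Dict], now: datetime, window: timedelta = NO_ACTIVITY_WINDOW) -> bool:
    """True when nothing at all was logged in the window: the job may be stopped or disabled."""
    return not any(r["TimeGenerated"] > now - window for r in rows)

def error_summary(rows: List[Dict]) -> Counter:
    """Failure count per error code (summarize count() by ErrorCode = ResultSignature)."""
    return Counter(r["ResultSignature"] for r in rows if r["ResultType"] == "Failure")
```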
Monitoring Checklist
- Check the provisioning progress bar after initial setup and periodically thereafter.
- Review provisioning logs for any failed or skipped users.
- Configure the notification email in provisioning settings to receive quarantine alerts.
- Stream provisioning logs to Log Analytics for retention beyond 30 days.
- Set up alerts for failure spikes and quarantine events.
- Use on-demand provisioning to test individual user flows when diagnosing issues.