Monitor user provisioning

You can monitor the status of user provisioning by looking at the Summary of last 30 days sub-section for your configured cloud application. In that section, you should see the number of users created, suspended, and deleted within the last 30 days and the number of failed provisioning attempts.

  1. Sign in to your Google Admin console.

    Sign in using your administrator account (does not end in @gmail.com).

  2. From the Admin console Home page, go to Apps and then SAML apps.

    To see Apps on the Home page, you might have to click More controls at the bottom. 

  3. Open your configured automated user provisioning application.
    If you've properly configured user provisioning, you'll see the Summary of last 30 days sub-section next to the User provisioning section. There won't be any numbers next to the event names until you enable provisioning.
  4. Click Activate provisioning.
  5. In the confirmation window, click Activate.
    Once provisioning is enabled, Google begins event logging. The following event names give access to the logged events for the last 30 days:
    • Users created — Opens an audit report filtered on the event name, Create User By Auto Provisioning, to show the number of users created.
    • Users suspended — Opens an audit report filtered on the event name, Suspend Auto Provisioned User, to show the number of users suspended.
    • Users deleted — Opens an audit report filtered on the event name, Delete Auto Provisioned User, to show the number of users deleted. Before deleting a user from a target application, extract all relevant user data to avoid any data loss.
    • Users hard deleted — Opens an audit report filtered on the event name, Hard Deleted Auto Provisioned User, to show the number of users hard deleted. A user can't be hard deleted from a target application until you've extracted all relevant user data to avoid any data loss.
    • User failures — Downloads the list of user level failures and the reason for each failure. 
  6. Click the number next to each event name to open the appropriately filtered Admin console audit log.
  7. Click the number next to the User failures item to download a CSV file that contains the list of user-level failures along with the reason for each failure.
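To track these counts outside the console and spot a burst of removals (for example, the removal of previously created users when a target application is disabled while provisioning is ON), the sketch below tallies an exported audit log. It is an added example, not Google's code: the CSV column names `Date` and `Event Name`, the sample rows, and the burst threshold are assumptions; only the four event names come from this page.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Event names as listed on this page, mapped to short labels.
PROVISIONING_EVENTS = {
    "Create User By Auto Provisioning": "created",
    "Suspend Auto Provisioned User": "suspended",
    "Delete Auto Provisioned User": "deleted",
    "Hard Deleted Auto Provisioned User": "hard_deleted",
}
REMOVALS = {"deleted", "hard_deleted"}

# Constructed sample export; the column names are assumed, not a documented format.
SAMPLE_EXPORT = """\
Date,Event Name,User
2024-03-01T10:00:00+00:00,Create User By Auto Provisioning,old@example.com
2024-05-01T09:00:00+00:00,Create User By Auto Provisioning,a@example.com
2024-05-02T09:05:00+00:00,Create User By Auto Provisioning,b@example.com
2024-05-10T14:00:00+00:00,Suspend Auto Provisioned User,c@example.com
2024-05-15T02:01:00+00:00,Delete Auto Provisioned User,d@example.com
2024-05-15T02:07:00+00:00,Delete Auto Provisioned User,e@example.com
2024-05-15T02:30:00+00:00,Hard Deleted Auto Provisioned User,f@example.com
2024-05-16T11:00:00+00:00,Delete Auto Provisioned User,g@example.com
2024-05-16T12:00:00+00:00,Change Password,h@example.com
"""
SAMPLE_NOW = datetime(2024, 5, 20, tzinfo=timezone.utc)  # constructed "today"

def summarize(export_text, now, window_days=30, burst_threshold=3):
    """Return (event counts inside the window, hours with a removal burst)."""
    cutoff = now - timedelta(days=window_days)
    counts = Counter()
    removals_per_hour = Counter()
    for row in csv.DictReader(io.StringIO(export_text)):
        label = PROVISIONING_EVENTS.get(row["Event Name"].strip())
        if label is None:
            continue  # not one of the provisioning events
        when = datetime.fromisoformat(row["Date"])
        if not cutoff <= when <= now:
            continue  # outside the 30-day summary window
        counts[label] += 1
        if label in REMOVALS:
            removals_per_hour[when.strftime("%Y-%m-%dT%H")] += 1
    bursts = sorted(h for h, n in removals_per_hour.items() if n >= burst_threshold)
    return dict(counts), bursts

if __name__ == "__main__":
    print(summarize(SAMPLE_EXPORT, SAMPLE_NOW))
```
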

Automated user provisioning status

The top left of the User provisioning section shows the automated user provisioning status. There are three automated user provisioning states:

  • ON — User provisioning is on and running.  User accounts will be created in the target application for all the applicable users based on the Organizational Units for which the application is selected and any additional groups to which provisioning is restricted.  After that, whenever any changes are made to a user in Google Cloud Directory, relevant changes are made to the user account in your target application.
  • OFF — User provisioning is inactive. No changes are made to user accounts in your target application in this state. User provisioning deactivation is not immediate; it may take up to 15 minutes to take effect.
  • FAILED — User provisioning has failed. View automated user provisioning errors and recommended recovery steps.

Activate or deactivate user provisioning

Next to the automated user provisioning status there's a link to activate or deactivate user provisioning. Before activating user provisioning, ensure that all mandatory user attributes, attribute mapping, and provisioning settings are configured. Ensure that any appropriate restrictions on user provisioning scope by application on/off or group settings are configured. Confirm that any licensing implications for your application have been verified. Here's how to activate or deactivate automated user provisioning:

  • Activate Provisioning — When provisioning is activated, provisioning will be turned on and, on successful activation, will go into ON status.  If activation is unsuccessful, it will go into FAILED status.
  • Deactivate Provisioning — When provisioning is deactivated, provisioning will be turned off and will go into OFF status. All users already created on your target application will remain.

Authorize or reauthorize user provisioning

Automated user provisioning creates and updates user accounts in their target applications by sending web requests. Web requests sent without authorization will fail. As the administrator/owner of the account on the target applications, you must authorize Google to send these requests as part of setting up automated user provisioning.

After you've set up user provisioning, authorization may be revoked on the target application's side. When it is revoked, web requests to create or update users will start failing with authorization errors. Authorization errors may sometimes also occur for other specified reasons. In such cases, you must reauthorize user provisioning.

Enable or disable the target applications

Here's the effect on automated user provisioning when a target application is enabled:
Single sign-on (SSO) gets turned on for the target application. If the provisioning status is ON, provisioning continues and accounts are created in the target application for applicable users based on the Organizational Units (OUs) for which the application is turned on and any additional groups to which provisioning is restricted. If the provisioning status is OFF, there's no change in the status of accounts on the target application. 

Here's the effect on automated user provisioning when a target application is disabled:
SSO is turned off for the target application. If the provisioning status is ON, provisioning continues and all Cloud Directory users previously created in the target application will be removed. If the provisioning status is OFF, there's no change in the status of accounts on the target application. 
