|
| 1 | +--- |
| 2 | +title: Application Provisioning status of Quarantine | Microsoft Docs |
| 3 | +description: When you've configured an application for automatic user provisioning, learn what a provisioning status of Quarantine means and how to clear it. |
| 4 | +services: active-directory |
| 5 | +documentationcenter: '' |
| 6 | +author: msmimart |
| 7 | +manager: CelesteDG |
| 8 | + |
| 9 | +ms.assetid: |
| 10 | +ms.service: active-directory |
| 11 | +ms.subservice: app-mgmt |
| 12 | +ms.workload: identity |
| 13 | +ms.tgt_pltfrm: na |
| 14 | +ms.devlang: na |
| 15 | +ms.topic: conceptual |
| 16 | +ms.date: 10/03/2019 |
| 17 | +ms.author: mimart |
| 18 | +ms.reviewer: arvinh |
| 19 | + |
| 20 | +ms.collection: M365-identity-device-management |
| 21 | +--- |
| 22 | + |
| 23 | +# Application provisioning in quarantine status |
| 24 | + |
| 25 | +The Azure AD provisioning service monitors the health of your configuration and places unhealthy apps in a "quarantine" state. If most or all of the calls made against the target system consistently fail because of an error, for example invalid admin credentials, the provisioning job is marked as in quarantine. |
| 26 | + |
| 27 | +While in quarantine, the frequency of incremental cycles is gradually reduced to once per day. The provisioning job is removed from quarantine after all errors are fixed and the next sync cycle starts. If the provisioning job stays in quarantine for more than four weeks, the provisioning job is disabled (stops running). |
| 28 | + |
| 29 | +## How do I know if my application is in quarantine? |
| 30 | + |
| 31 | +There are three ways to check whether an application is in quarantine: |
| 32 | + |
| 33 | +- In the Azure portal, navigate to **Azure Active Directory** > **Enterprise applications** > <*application name*> > **Provisioning** and scroll to the progress bar at the bottom. |
| 34 | + |
| 35 | +  |
| 36 | + |
| 37 | +- Use the Microsoft Graph request [Get synchronizationJob](https://docs.microsoft.com/graph/api/synchronization-synchronizationjob-get?view=graph-rest-beta&tabs=http) to programmatically get the status of the provisioning job: |
| 38 | + |
| 39 | + `GET https://graph.microsoft.com/beta/servicePrincipals/{id}/synchronization/jobs/{jobId}/` |
| 40 | + |
| 41 | +- Check your email. When an application is placed in quarantine, a one-time notification email is sent. If the quarantine reason changes, an updated email is sent showing the new reason for quarantine. If you don't see an email: |
| 42 | + |
| 43 | + - Make sure you have specified a valid **Notification Email** in the provisioning configuration for the application. |
| 44 | + - Make sure there is no spam filtering on the notification email inbox. |
| 45 | + - Make sure you have not unsubscribed from emails. |
| 46 | + |
| 47 | +## Why is my application in quarantine? |
| 48 | + |
| 49 | +A Microsoft Graph request to get the status of the provisioning job shows the following reason for quarantine: |
| 50 | + |
| 51 | +- `EncounteredQuarantineException` indicates that invalid credentials were provided. The provisioning service is unable to establish a connection between the source system and the target system. |
| 52 | + |
| 53 | +- `EncounteredEscrowProportionThreshold` indicates that provisioning exceeded the escrow threshold. This condition occurs when more than 60% of provisioning events failed. |
| 54 | + |
| 55 | +- `QuarantineOnDemand` means that we've detected an issue with your application and have manually set it to quarantine. |
| 56 | + |
| 57 | +## How do I get my application out of quarantine? |
| 58 | + |
| 59 | +First, resolve the issue that caused the application to be placed in quarantine. |
| 60 | + |
| 61 | +- Check the application's provisioning settings to make sure you've [entered valid Admin Credentials](configure-automatic-user-provisioning-portal.md#configuring-automatic-user-account-provisioning). Azure AD must be able to establish a trust with the target application. Ensure that you have entered valid credentials and your account has the necessary permissions. |
| 62 | + |
| 63 | +- Review the [provisioning logs](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs) to further investigate what errors are causing quarantine and address the error. Access the provisioning logs in the Azure portal by going to **Azure Active Directory** > **Enterprise Apps** > **Provisioning logs (preview)** in the **Activity** section. |
| 64 | + |
| 65 | +After you've resolved the issue, restart the provisioning job. Certain changes to the application's provisioning settings, such as attribute mappings or scoping filters, will automatically restart provisioning for you. The progress bar on the application's **Provisioning** page indicates when provisioning last started. If you need to restart the provisioning job manually, use one of the following methods: |
| 66 | + |
| 67 | +- Use the Azure portal to restart the provisioning job. On the application's **Provisioning** page under **Settings**, select **Clear state and restart synchronization** and set **Provisioning Status** to **On**. This action fully restarts the provisioning service, which can take some time. A full initial cycle will run again, which clears escrows, removes the app from quarantine, and clears any watermarks. |
| 68 | + |
| 69 | +- Use Microsoft Graph to [restart the provisioning job](https://docs.microsoft.com/en-us/graph/api/synchronization-synchronizationjob-restart?view=graph-rest-beta&tabs=http). You'll have full control over what you restart. You can choose to clear escrows (to restart the escrow counter that accrues toward quarantine status), clear quarantine (to remove the application from quarantine), or clear watermarks. Use the following request: |
| 70 | + |
| 71 | + `POST /servicePrincipals/{id}/synchronization/jobs/{jobId}/restart` |
0 commit comments