At the moment, the user provisioning administration is quite limited. Troubleshooting sync issues from third party IDPs can be really difficult because of this. Management of synced users and groups gets even more difficult when there are thousands of objects involved.

Suggestion : Provide a more comprehensive interface for managing user provisioning integrations
1. Allow to filter by group name in the provisioning page
2. Allow to view the group members within the org administration without the need to switch over to the site administration groups.
3. Allow to export SCIM user and group data
4. Detailed provisioning events in the org audit log - ACCESS-1133 / ACCESS-1200

• ie. Changing the account details and deactivating an account in the IDP is logged as the same activity in Audit log. 

  Identity Provider	Updated account profile for email@domain.com
  Identity Provider	Updated account profile for email@domain.com

5. Better sync troubleshooting logs - ACCESS-1038
6. Filter capability for managed accounts based on synced status - ACCESS-953
7. Allow to export or extract the logs via API.
8. Better logging on group membership changes (ie. membership added on identity, membership propagated on specific sites.)
9. Provide information on problematic users that are blocking the move of users between authentication policies.