Azure AD User Sync – Overview

Azure AD User Sync, when enabled, periodically fetches users from Azure AD and adds, updates, or deletes them in SDP. The sync flow has two parts: Initial Sync and Incremental Sync.

Initial Sync: Processes the users that already exist in Azure AD once the integration is enabled. When there are no more users to process, the initial sync ends and incremental sync starts. Initial Sync runs at 2-minute intervals.

Incremental Sync: Processes users that are added, updated, or deleted in Azure AD. Incremental Sync runs at the interval chosen by the user in the Azure AD User Sync configuration.

Role Needed

SDP: OrgAdmin
MS: User.ReadBasic.All

Use the admin's MS account for authentication. Global admin privilege is not needed here. The MS account used here and the MS account used for the Microsoft Azure integration are not linked: the Microsoft Azure integration uses an independent authentication process handled by the Global Admin account, whereas this user authentication step only links the Zoho account with the MS account.

Notes
Always use the admin's own MS account for authentication. Do not use a service account or another user's account.

Change Azure Sync Scheduled Time

Users cannot change the scheduled time. It will always be based on the last sync time.

When the sync is running at a 2-minute interval (Initial Sync), if the integration is disabled and enabled again, the scheduler will be set to start in 5 minutes, still with a 2-minute interval.
When the sync is running at an ‘x’ days interval (Incremental Sync), if the integration is disabled and enabled again, it will be set to start 5 minutes from now or 24 hours from the last sync time, whichever is later.

Sync Interval Calculation

The sync interval is calculated from the end time of the previous sync, not from its start time.

If the initial sync is running, the next sync will be 2 minutes after the previous sync ended.
If incremental sync is running, the next sync will be ‘x’ days after the previous sync ended.
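The two scheduling rules above (next run measured from the previous run's end, and the restart rule after disabling and re-enabling the integration) are easy to get wrong when estimating when the next sync will happen. The following Python script is an added illustration, not code from ServiceDesk Plus; it encodes only the intervals stated on this page and assumes that "last sync time" in the re-enable rule means the end time of the last completed run.

```python
from datetime import datetime, timedelta

# Intervals stated on the page.
INITIAL_INTERVAL = timedelta(minutes=2)   # Initial Sync interval
REENABLE_DELAY = timedelta(minutes=5)     # start delay after disable/enable
REENABLE_MIN_GAP = timedelta(hours=24)    # minimum gap from the last sync on re-enable

# Constructed sample timestamps (not from any real instance).
SAMPLE_LAST_END = datetime(2024, 1, 1, 10, 0)   # previous run ended 10:00
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0)        # re-enabled 2 h after the last run
SAMPLE_LATE_NOW = datetime(2024, 1, 2, 16, 0)   # re-enabled 30 h after the last run


def next_run_after_sync(previous_end: datetime, initial_sync: bool,
                        interval_days: int = 1) -> datetime:
    """Next scheduled start, measured from the END of the previous run.

    initial_sync=True  -> previous end + 2 minutes
    initial_sync=False -> previous end + the configured 'x' days
    """
    if initial_sync:
        return previous_end + INITIAL_INTERVAL
    return previous_end + timedelta(days=interval_days)


def next_run_after_reenable(now: datetime, last_sync_time: datetime,
                            initial_sync: bool) -> datetime:
    """Start time after the integration is disabled and enabled again.

    During Initial Sync the scheduler restarts 5 minutes from now (and keeps
    the 2-minute interval). During Incremental Sync it starts at the later of
    'now + 5 minutes' and 'last sync time + 24 hours'. Assumption in this
    example: last_sync_time is the end time of the last completed run.
    """
    if initial_sync:
        return now + REENABLE_DELAY
    return max(now + REENABLE_DELAY, last_sync_time + REENABLE_MIN_GAP)


if __name__ == "__main__":
    print(next_run_after_sync(SAMPLE_LAST_END, initial_sync=True))                 # 10:02
    print(next_run_after_sync(SAMPLE_LAST_END, initial_sync=False, interval_days=3))  # Jan 4 10:00
    # Re-enabled 2 hours after the last run: the 24-hour rule wins (Jan 2 10:00).
    print(next_run_after_reenable(SAMPLE_NOW, SAMPLE_LAST_END, initial_sync=False))
    # Re-enabled 30 hours after the last run: the 5-minute rule wins (Jan 2 16:05).
    print(next_run_after_reenable(SAMPLE_LATE_NOW, SAMPLE_LAST_END, initial_sync=False))
```

The practical consequence for operators: disabling and re-enabling the integration during Incremental Sync never brings the next run earlier than 24 hours after the last one, so it is not a way to force an immediate resync; Restart Sync is the option for that.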

Users Sync Count in a Run

A single run syncs up to 200 users or processes up to 1000 users; the run stops once either limit is reached.
Users are fetched from Azure in batches of at most 200. Even if the 200-user sync limit is reached partway through a batch, the remaining users in that batch are still processed. So a run syncs approximately, but not exactly, 200 users.
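To make the two per-run limits and the "finish the current batch" behaviour concrete, here is an added Python simulation; it is not ServiceDesk Plus code, and the user records and change patterns are constructed for the example. It generalizes slightly beyond the text by letting you plug in any rule for which users actually change, so you can see which of the two limits ends a run.

```python
from typing import Callable, Dict, Iterable, List, Tuple

SYNC_LIMIT = 200       # users added/updated/deleted per run (from the page)
PROCESS_LIMIT = 1000   # users examined per run (from the page)
BATCH_SIZE = 200       # maximum users per Azure batch (from the page)

User = Dict[str, int]


def make_batches(total_users: int, batch_size: int = BATCH_SIZE) -> List[List[User]]:
    """Constructed sample data: users with ids 0..total_users-1, split into batches."""
    users = [{"id": i} for i in range(total_users)]
    return [users[i:i + batch_size] for i in range(0, total_users, batch_size)]


def run_sync(batches: Iterable[List[User]],
             needs_sync: Callable[[User], bool]) -> Tuple[int, int]:
    """Simulate one run and return (synced, processed).

    Every user examined counts toward PROCESS_LIMIT; only users that actually
    change in SDP (needs_sync returns True) count toward SYNC_LIMIT. The limits
    are checked only between batches, so a batch that has been started is
    always finished, which is why a run can sync somewhat more than 200 users.
    """
    synced = processed = 0
    for batch in batches:
        for user in batch:
            processed += 1
            if needs_sync(user):
                synced += 1
        if synced >= SYNC_LIMIT or processed >= PROCESS_LIMIT:
            break
    return synced, processed


if __name__ == "__main__":
    # Two thirds of users changed: the sync limit is crossed inside batch 2,
    # but the batch is finished, so 266 users are synced, not 200.
    print(run_sync(make_batches(2000), lambda u: u["id"] % 3 != 0))   # (266, 400)
    # One user in seven changed: the run ends at the 1000-processed limit instead.
    print(run_sync(make_batches(2000), lambda u: u["id"] % 7 == 0))   # (143, 1000)
```

When sizing an initial sync for a large tenant, the processed limit is usually the binding one: a mostly unchanged directory still costs one run per 1000 users examined, which is why a large Initial Sync can take many 2-minute cycles to complete.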

Field Mapping

Only fields mapped in the field mapping will be synced; all other Azure fields will be ignored. In SDP, Email and First Name are mandatory fields.
  1. For Email ID, if the mapped value is empty, UPN will be considered.
  2. For First Name, if the mapped value is empty, givenName, displayName, and surname will be considered.
If any changes are made in the field mapping, trigger Restart Sync to forcibly resync all existing users, as described under the Restart Sync option.
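The mapping rules above, including the fallbacks for the two mandatory SDP fields, can be expressed as a small mapping function. The code below is an added example and not the product's implementation; the SDP field names (email, first_name, last_name, phone) and the sample mapping are assumptions, while mail, userPrincipalName, givenName, displayName, surname and mobilePhone are standard Azure AD user attributes. The sample users are constructed.

```python
from typing import Dict, Optional

# Assumed SDP field names and a sample mapping (SDP field -> Azure attribute).
# The real field names come from the Field Mapping page of the integration.
DEFAULT_MAPPING = {
    "email": "mail",
    "first_name": "givenName",
    "last_name": "surname",
    "phone": "mobilePhone",
}
MANDATORY = ("email", "first_name")   # mandatory in SDP, per the page


def first_non_empty(*values: Optional[str]) -> Optional[str]:
    """Return the first value that is not None or blank, stripped; else None."""
    for value in values:
        if value is not None and str(value).strip():
            return str(value).strip()
    return None


def map_user(azure_user: Dict[str, Optional[str]],
             mapping: Dict[str, str] = DEFAULT_MAPPING) -> Dict[str, Optional[str]]:
    """Build the SDP record for one Azure user.

    Only mapped attributes are copied; unmapped Azure attributes are ignored.
    Fallbacks for the mandatory SDP fields follow the page: Email falls back to
    the UPN, First Name falls back to givenName, then displayName, then surname.
    Raises ValueError if a mandatory field is still empty after the fallbacks,
    which is the case that shows up as a failure row in the sync report.
    """
    sdp = {field: first_non_empty(azure_user.get(attr))
           for field, attr in mapping.items()}
    if not sdp.get("email"):
        sdp["email"] = first_non_empty(azure_user.get("userPrincipalName"))
    if not sdp.get("first_name"):
        sdp["first_name"] = first_non_empty(azure_user.get("givenName"),
                                            azure_user.get("displayName"),
                                            azure_user.get("surname"))
    missing = [field for field in MANDATORY if not sdp.get(field)]
    if missing:
        raise ValueError(f"mandatory SDP field(s) empty after fallbacks: {missing}")
    return sdp


# Constructed sample Azure users (not real accounts).
SAMPLE_USERS = [
    # mail and givenName empty: email falls back to the UPN, first name to displayName
    {"mail": "", "userPrincipalName": "alice@example.com", "givenName": "",
     "displayName": "Alice Example", "surname": "Example", "jobTitle": "Analyst"},
    # everything mapped is present; jobTitle is unmapped and therefore ignored
    {"mail": "bob@example.com", "userPrincipalName": "bob@example.com",
     "givenName": "Bob", "surname": "Builder", "mobilePhone": "+1 555 0100"},
    # nothing usable at all: mandatory fields cannot be filled
    {"mail": None, "userPrincipalName": "  ", "givenName": None, "displayName": ""},
]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        try:
            print(map_user(user))
        except ValueError as err:
            print("skipped:", err)
```

Whitespace-only values are treated as empty on purpose: an attribute that is technically set but blank would otherwise bypass the fallback and produce an SDP user with no usable login identity.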

Sync Report

The sync report will start storing data only after the option is enabled in the configuration. All sync success and failure cases will be stored in the sync report.

We limit the report size:

  • A maximum of 10 reports will be available per instance.

  • Each report can hold up to 10 MB.

  • Once the limit is reached, the oldest report will be deleted, and a new report will be created for the latest sync.

The sync report will include all the details fetched from Azure and the data synced to SDP fields, along with corresponding success or failure messages.

User Delete/Trash

Only users who were added/updated via Azure AD User Sync or Import from Azure will be processed for Revoke Login or Delete.
A user must be permanently deleted from Azure AD for the action "When users are deleted in Azure AD, select the following action in ServiceDesk Plus" to work. Refer to the MS Learn doc for user deletion in Azure.
Azure sends the Trashed/Deleted update only once, so the required option must be selected correctly before starting the sync. If the option is changed later, users that were already processed will not be deleted.

Notes
The above action will be applicable only for the user deletion process. Kindly drop an email to support if you are looking to revoke login for users who are disabled in Azure.



Restart Sync Option

The Restart Sync option is shown on the configuration page only for enterprise customers.
Users of other editions can drop an email to support to get the resync URL.
