Skip to main content
Skip table of contents

Azure Automatic User Provisioning FAQ

Q: How often will Azure AD update with the Platform?

A: Updates to add users or modify groups in Azure AD will be replicated to the Platform with at most 40 minutes since the modification to the Azure Group.

Q: What happens when a user is removed or deleted from Azure AD?

A: A user is disabled in the Platform for up to 30 days after the user is removed/disabled. After 30 days the user is permanently deleted from the Platform.  For more information see Azure's documentation on de-provisioning

Q: Does a removed or deleted user count toward a license for the 30 days before it is removed?

A: No, disabled users do not count to the license assignment limits

Q: How do I log in once the user has been provisioned?

A: SCIM is designed to be used alongside SAML authentication. As long as the NameID provided by SAML matches the username provisioned through SCIM, you will be able to log in using Single Sign On.

Q: What if a user already exists in the Platform?

A: SCIM uses a directory system to ensure separation of users and groups. If a user exists in the platform, it will not attempt to create the user. If the user doesn't exist in the platform, the user will be created in the SCIM directory. 

Q: What if a group already exists in the Platform?

A: SCIM uses a directory system to ensure separation of users and groups. Group names only need to be unique per user directory so all groups will be created. Only users in the SCIM directory will be added to SCIM groups. These groups are managed in Azure and not on the platform.

Q: Why does a user not get created again after deleting the user in iGrafx?

A: The synchronization with Azure is a one-way-sync. User changes in iGrafx do not update the user in your Azure AD who will still show up as provisioned. Remove (and re-provision) the user in Azure as needed. 

Q: If our company is managed by another directory sync system, how will that work with SCIM?

A: We support the migration of LDAP user synchronization to SCIM user synchronization. We do not currently support migrating local users to SCIM users at this time.

Q: Can I immediately provision users and groups to the Platform without the 40 minute delay?

A: It is possible to immediately provision a user/group through Azure's provision-on-demand feature

Q: How long does it take for my users and groups to initially sync up with the platform?

A: The initial synchronization with the iGrafx Platform can take anywhere from 30 minutes up to about 2 days, depending on how many users and groups you synchronize and how you choose to synchronize them. Refer to the following chart to get a better estimate: How long will it take to provision users?

Q: Are nested groups supported?

A: No. While the iGrafx Platform supports nested groups, according to Azure's provisioning documentation: "The Azure AD user provisioning service can't read or provision users in nested groups."

Q: Do you support other SCIM compliant Identity Providers (IDPs)?

A: While other IDPs support the SCIM standard, we do not actively support them.

Q: Do you support multiple SCIM compliant Identity Providers (IDPs) in one iGrafx Platform?

A: While the Platform is able to have users and groups provisioned through multiple directories, it can only authenticate with one SAML IDP.

Q: Why do I see a status of skipped in the logs?

A: This can occur for a couple reasons. If a user already exists within the platform and has all the correct data when initially provisioning, "skipped" will be shown. "Skipped" can also be shown when changes are made to Azure AD resources that are not being synchronized with the platform.

Q: Can I synchronize specific users or groups, e.g. security groups instead of the whole directory?
A: Yes, under the Provisioning → Edit → Settings → Scope: You can select "Sync only assigned users and groups". This settings ensures that only users and groups that have been added under the "Users and groups" blade in the Enterprise Application will be synchronized.

Q: Can we synchronize guest accounts?

A: Yes, guest accounts in your Active Directory work and synchronize just like normal users. There are no additional changes needed.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.