Azure/Microsoft Entra ID - Automatic User Provisioning FAQ
Q: How often will Microsoft Entra ID update with the platform?
A: Updates that add users or modify groups in Microsoft Entra ID are replicated to the Platform within at most 40 minutes of the modification to the Microsoft Entra ID group.
Q: What happens when a user is removed or deleted from Microsoft Entra ID?
A: A user is disabled in the platform for up to 30 days after the user is removed/disabled. After 30 days, the user is permanently deleted from the platform. For more information, see Entra ID's documentation on de-provisioning.
Q: Does a removed or deleted user count toward a license for the 30 days before it is removed?
A: No, disabled users do not count toward the license assignment limits.
Q: How do I log in once the user has been provisioned?
A: SCIM is designed to be used alongside SAML authentication. As long as the NameID provided by SAML matches the username provisioned through SCIM, you will be able to log in using Single Sign On.
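One way to check the NameID/username match described above before rolling out Single Sign On. This is an added example, not iGrafx or Microsoft code: the sample assertion and SCIM user list are constructed, the function names are hypothetical, and the exact (case-sensitive) comparison is an assumption. It checks naming only and does not validate the assertion's signature.

```python
import json
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

# Constructed sample data (not taken from a real tenant).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Alice@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

SAMPLE_SCIM_USERS = json.dumps([
    {"schemas": [SCIM_USER_SCHEMA], "userName": "alice@example.com", "active": True},
    {"schemas": [SCIM_USER_SCHEMA], "userName": "bob@example.com", "active": False},
])


def name_id(assertion_xml):
    """Return the Subject NameID text of a SAML 2.0 assertion, or None."""
    node = ET.fromstring(assertion_xml).find("saml:Subject/saml:NameID", SAML_NS)
    return node.text.strip() if node is not None and node.text else None


def check_login_mapping(assertion_xml, scim_users_json):
    """Classify whether the NameID maps onto a SCIM-provisioned userName."""
    nid = name_id(assertion_xml)
    if nid is None:
        return "no-nameid"
    users = [u for u in json.loads(scim_users_json)
             if SCIM_USER_SCHEMA in u.get("schemas", [])]
    for user in users:
        if user.get("userName") == nid:
            # Assumption: a deprovisioned (active=false) account cannot sign in.
            return "match" if user.get("active", True) else "match-inactive"
    # Assumption: the comparison is exact; a case-only difference is reported
    # separately because whether it is tolerated is not stated on this page.
    if any(user.get("userName", "").lower() == nid.lower() for user in users):
        return "case-mismatch"
    return "no-match"


if __name__ == "__main__":
    print(check_login_mapping(SAMPLE_ASSERTION, SAMPLE_SCIM_USERS))
```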
Q: What if a user already exists in the Platform?
A: SCIM uses a directory system to ensure separation of users and groups. If a user exists in the platform, SCIM will not attempt to create the user. If the user doesn't exist in the platform, the user will be created in the SCIM directory.
Q: What if a group already exists in the Platform?
A: SCIM uses a directory system to ensure separation of users and groups. Group names only need to be unique per user directory so all groups will be created. Only users in the SCIM directory will be added to SCIM groups. These groups are managed in Microsoft Entra ID and not on the platform.
Q: Why does a user not get created again after deleting the user in iGrafx?
A: The synchronization with Azure is a one-way sync. User changes in iGrafx do not update the user in your Microsoft Entra ID, who will still show up as provisioned. Remove (and re-provision) the user in Azure as needed, or restart the provisioning in your enterprise app.
Q: If our company is managed by another directory sync system, how will that work with SCIM?
A: We support the migration of LDAP user synchronization to SCIM user synchronization. We do not currently support migrating local users to SCIM users.
Q: Can I immediately provision users and groups to the Platform without the 40-minute delay?
A: It is possible to immediately provision a user/group through Microsoft Entra ID's provision-on-demand feature.
Q: How long does it take for my users and groups to initially sync up with the platform?
A: The initial synchronization with the iGrafx platform can take anywhere from 30 minutes up to about 2 days, depending on how many users and groups you synchronize and how you choose to synchronize them. Refer to the following chart to get a better estimate: How long will it take to provision users?
Q: Are nested groups supported?
A: No. While the iGrafx platform supports nested groups, according to Microsoft Entra ID's provisioning documentation: "The Microsoft Entra user provisioning service can't read or provision users in nested groups."
Q: Do you support other SCIM compliant Identity Providers (IDPs)?
A: Yes, we support Okta. While other IDPs support the SCIM standard, we do not actively support them. Follow our generic guide to test if your IDP is working as expected.
Q: Do you support multiple SCIM compliant Identity Providers (IDPs) in one iGrafx platform?
A: Yes.
Q: Why do I see a status of skipped in the logs?
A: This can occur for a couple of reasons. If a user already exists within the platform and has all the correct data when initially provisioning, "skipped" will be shown. "Skipped" can also be shown when changes are made to Microsoft Entra ID resources that are not being synchronized with the platform.
Q: Can I synchronize specific users or groups, e.g. security groups instead of the whole directory?
A: Yes. Under Provisioning → Edit → Settings → Scope, you can select "Sync only assigned users and groups". This setting ensures that only users and groups that have been added under the "Users and groups" blade in the Enterprise Application will be synchronized.
Q: Can we synchronize guest accounts?
A: Yes, guest accounts in your Active Directory work and synchronize just like normal users. There are no additional changes needed.