Delegate365 v8.3 adds a new feature to the Sync Rules: "Sync with security group" automatically removes users from an OU. See how this works here.
This feature was requested by Delegate365 customers: when a user is removed from a security group, he or she should also automatically be removed from the corresponding OU if the User sync rules are set to "Security group". So here's a description of that feature with a sample (experienced Delegate365 admins can have a look at step 1 and then continue with step 7)...
- In Delegate365, the User sync rules are activated, and there's an active rule set to "Security group". With this version, there's a new switch "Sync with security group" that needs to be set to Yes as shown here. When this switch is activated, users are removed from an OU if they are no longer a member of the security group.
- In our scenario, I want all members of the security groups sg-Legal and sg-Retail to be assigned to the OUs with the same names. So, I created these two OUs manually, in addition to the two existing OUs New York and Seattle, as in the following screenshot. (My user has these OUs assigned to see all objects in Delegate365.)
- To test, I added 4 persons as members to sg-Legal: Joni, Enrico, Irvin and Grady. I did this outside of Delegate365 in the Azure portal, to test the consequences as in a hybrid environment.
The second group, sg-Retail, has only 2 members: Joni and Cameron.
- Check before sync: Currently, as administrator, I don't see some of these users in Delegate365, and others are assigned to another OU: Enrico, Grady and Cameron are not showing (they are not assigned to an OU), Joni is already assigned to New York, and Irvin is already assigned to Seattle. This is the start scenario, composed in one picture with the Users search.
- Let's run the sync in Administration / Sync operations by clicking on the Start AAD sync button. Confirm the execution.
- When the sync is completed, let's see the result in the Users list. When filtering for OU sg-Legal, we see the 4 group members (Joni, Enrico, Irvin and Grady) assigned to that OU.
Oh, a word about our second group sg-Retail with its 2 members, Joni and Cameron. As we see, Joni is also a member of group sg-Legal. In Delegate365, an object can be assigned to one OU only. So, the first group "grabs" Joni and assigns her to sg-Legal. When checking OU sg-Retail, we see just Cameron (and no Joni, because she was assigned to sg-Legal).
So, one object = one OU assignment in Delegate365. All clear?
- So far so good, nothing new up to here. Now, let's remove members from the two security groups. The members of sg-Legal have been changed to Joni and Enrico only; Irvin and Grady have been removed.
We do the same for sg-Retail: we removed Cameron, and now only Joni is in.
- Run the sync again (as in step 5).
- With the new sync settings, we get these assignments: sg-Legal now contains only Enrico and Joni. Irvin and Grady have been removed, so the OU has the same members as the security group.
The second OU, sg-Retail, is empty as expected: only Joni is a member of that security group, but Joni has already been assigned to sg-Legal, and Cameron has been removed from that group. So we see an empty OU as here.
- As we can see, with the switch "Sync with security group", the OUs now stay in sync with the security groups. Just note that a user can be assigned to only one OU in Delegate365.
We hope this new sync feature helps improve your user organization based on security group memberships in Delegate365!
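The assignment behavior walked through in these steps, as a simplified Python model added here for illustration (it is not Delegate365 code). The function and variable names are hypothetical, and the model assumes the rule for sg-Legal is evaluated before the one for sg-Retail.

```python
# Simplified model of the sync behavior described in this post.
# Added example, not Delegate365 code; all names are hypothetical.

def sync_ous(assignments, groups, sync_with_group):
    """Return the user -> OU assignments after one sync run.

    assignments:     dict user -> OU name (users not listed are unassigned)
    groups:          dict group name -> set of members, in rule order
                     (assumption: the first group listing a user wins)
    sync_with_group: models the "Sync with security group" switch
    """
    claimed = {}
    for group, members in groups.items():
        for user in members:
            claimed.setdefault(user, group)   # first group "grabs" the user
    result = dict(assignments)
    result.update(claimed)                    # OU carries the group's name
    if sync_with_group:
        # Switch on: drop users from a group-backed OU once they have
        # left the security group behind it.
        for user, ou in list(result.items()):
            if ou in groups and user not in claimed:
                del result[user]
    return result

def members_of(assignments, ou):
    """Users currently assigned to the given OU."""
    return {user for user, assigned in assignments.items() if assigned == ou}

# Constructed sample data following the scenario in this post.
START = {"Joni": "New York", "Irvin": "Seattle"}
GROUPS_BEFORE = {"sg-Legal": {"Joni", "Enrico", "Irvin", "Grady"},
                 "sg-Retail": {"Joni", "Cameron"}}
GROUPS_AFTER = {"sg-Legal": {"Joni", "Enrico"},
                "sg-Retail": {"Joni"}}

def run_scenario(sync_with_group):
    """First sync, then the sync after the group members were removed."""
    first = sync_ous(START, GROUPS_BEFORE, sync_with_group)
    second = sync_ous(first, GROUPS_AFTER, sync_with_group)
    return first, second

if __name__ == "__main__":
    for switch in (False, True):
        _, second = run_scenario(switch)
        print("switch on" if switch else "switch off",
              sorted(members_of(second, "sg-Legal")),
              sorted(members_of(second, "sg-Retail")))
```

With the switch off, the model leaves Irvin, Grady and Cameron in their OUs after they have left the groups, which is the stale assignment the new switch is meant to clean up.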