AD group is not synced to O365
03-06-2017 11:50 PM
Hello Centrify experts,
We use AD groups to provide O365 licenses to our users. I mean that in Centrify Admin Portal – Roles – Office 365 – Members page I put an AD group, not individual users. It usually works fine, but yesterday I got a strange issue with this. Some users were unable to log in to their O365 apps. The O365 portal shows those users as ‘unlicensed’… It looks like the AD group is not synced to O365 anymore. I have quickly fixed it by manually adding individual users to Centrify Admin Portal – Roles – Office 365 – Members page.
How can I troubleshoot this issue?
Thanks for your help.
03-10-2017 08:11 AM
Hello @Unisys and welcome back to the Centrify Community...
We recently implemented a change which prevents use of Domain local or Distribution groups for Role use. Could it be the group you are using is a Domain local? This would have continued to work, if so, despite us no longer allowing these types of groups to be selected when choosing to add as a member to the role, up until a few days ago.
Please check the group you are referring to and if a domain local or a distribution group, please convert it.
This KB not only explains the changes, why and when they were made, but also how to correct it.
Please let me know if this does not help, and we may need to dig deeper (perhaps open a Support case if possible?)
I hope this is a quick fix for you.
Have a great weekend!!
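Added example, not part of the thread and not Centrify's own tooling: a PowerShell check that flags groups whose scope or type matches the two kinds the reply above says are no longer accepted for Role use. The function name `Get-RoleGroupIssue`, the sample group names, and the Universal security conversion target in the closing comment are assumptions; the KB mentioned in the reply is the authority on what to convert to.

```powershell
# Added example: flags AD groups whose scope or type matches the kinds the reply
# says are no longer accepted as role members (Domain local, Distribution).
function Get-RoleGroupIssue {
    [CmdletBinding()]
    param(
        # Objects exposing Name, GroupScope and GroupCategory, e.g. Get-ADGroup output.
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Group
    )
    process {
        $scope    = [string]$Group.GroupScope      # DomainLocal | Global | Universal
        $category = [string]$Group.GroupCategory   # Security | Distribution
        $issues = @()
        if ($scope -eq 'DomainLocal')     { $issues += 'scope is Domain local' }
        if ($category -eq 'Distribution') { $issues += 'type is Distribution' }

        [pscustomobject]@{
            Name          = $Group.Name
            GroupScope    = $scope
            GroupCategory = $category
            NeedsChange   = ($issues.Count -gt 0)
            Issues        = ($issues -join '; ')
        }
    }
}

# Constructed sample input so the check runs without a domain controller.
$sample = @(
    [pscustomobject]@{ Name = 'O365-Licensed-Example'; GroupScope = 'DomainLocal'; GroupCategory = 'Security' }
    [pscustomobject]@{ Name = 'O365-DL-Example';       GroupScope = 'Universal';   GroupCategory = 'Distribution' }
    [pscustomobject]@{ Name = 'O365-Global-Example';   GroupScope = 'Global';      GroupCategory = 'Security' }
)
$sample | Get-RoleGroupIssue | Format-Table -AutoSize

# Against a real directory (requires the ActiveDirectory RSAT module):
#   Get-ADGroup -Identity 'O365-Licensed-Example' | Get-RoleGroupIssue
# Previewing a conversion; Universal security is an assumed target, so confirm it
# against the KB first. -WhatIf shows the change without applying it:
#   Set-ADGroup -Identity 'O365-Licensed-Example' -GroupScope Universal -GroupCategory Security -WhatIf
```

Active Directory does not convert a Domain local group straight to Global; the group has to pass through Universal first, and that step fails if the group contains other Domain local groups as members.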
06-05-2017 12:08 PM
I am also facing this issue. Please suggest what can be done to sync the group.
A few members which are removed from AD are still reflected in the cloud AD group.
06-06-2017 12:27 AM
I do not use AD groups now. I sync individual users. I will definitely check it later again. Adding Users straight from the Admin Portal is of course serving its purpose but using an AD Group will greatly simplify management.
> few members which are removed from AD, are still reflected in cloud AD group
Hmm, if I understand your description correctly... this sounds like a different issue. Please make sure your Cloud connector service has sufficient privileges on the AD "Deleted objects container", so the Cloud connector service can see deleted AD users and remove them from the cloud also.
Or you can use PowerShell to remove those unwanted users manually. Please find more details in the post below (by Nick / Drmikan).
06-06-2017 03:40 AM
Please feel free to let us know if you have any questions.