Forum Discussion

PrakashRIndia
7 days ago

All members of group are not syncing from Azure AD

Recently we integrated CMA with our Azure AD and synced 3 groups. But some users started reporting that they are not able to log in to SDP, and when we did analysis, we found that those users were not reflected in the CMA Users and Groups module. However, at the same time, I checked my Azure AD under Enterprise Applications for Cato Networks and found those users are members of the group which we have synced with CMA. Now there are almost 100 users who are present in the group in Azure AD but are not reflected in CMA, due to which I am unable to provide access to the SDP client. Please suggest what to do.

  • FinnCato
    Cato Employee

    Hello,
    Have you checked that the users not syncing have all the required attributes, such as
    Email, User Principal Name (UPN), given name, and surname?
    Are you using a custom UPN other than the Azure default?
    If this is a migration from LDAP, you may also want to check for conflicts.
    Do the CMA event logs or the audit and provisioning logs in the enterprise app shed any additional insight as to what the issue is?
    Use "Provision on Demand" to force the sync of a problem user and then check these logs.

    • PrakashRIndia
      Comet

      Yes, earlier an LDAP integration was done, but now LDAP Directory Services is deleted and only the SCIM method is used for integration. There are almost 126 users out of 4000+ who are present in Azure AD but not reflected in CMA, due to which I am unable to assign an SDP license to these 126 users. There are also some cases where I found that a user who is a member of 3 groups in Azure AD is reflected under only 1 group in CMA.

  • Hey there!

    Sounds like you've run into a frustrating issue. From what you're describing, it looks like the sync between CMA and Azure AD hasn't properly completed yet. Are you using SCIM or LDAP to connect to your Azure AD?

    If you're using LDAP: by default, Cato starts the daily automatic LDAP sync for all accounts at 12:00 am UTC, and it can take several hours to actually complete the full sync process. You can trigger a manual sync at any time by using the "Sync Now" feature in the Cato Management Application (CMA), but it will still take a couple of hours to fully propagate.

  • I am using SCIM to connect to Azure AD. I tried everything, like doing Start/Stop provisioning in Azure AD for the Cato Enterprise Application. I even did on-demand provisioning, but users are still not syncing from Azure AD to CMA.

  • Hi PrakashRIndia,

    Appreciate your patience.
    I believe you have submitted a ticket with our Support team by now.

    Noted you mentioned: "...almost 100 users who are present in the group at Azure AD but same are not reflecting in CMA due to which I am unable to provide access to SDP client. Pls suggest what to do?" 

    There are a few possible reasons why users are not synced from Azure AD (Entra) to CMA, such as (and not limited to the following):
    a- missing details/fields (like last name not present...)
    b- user not included in the target AD group (users mis-grouped...)

    Here are 2 points to consider for next actions:
    1. Identify/list the current SDP/ZTNA users having issues connecting on the Cato Client.
    2. Check the related error logs for the users not synced from Azure AD (hopefully the root cause can be identified in the logs).

    Hope this helps 🙏
    Thank you.
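The two checks suggested in this thread (FinnCato's required attributes: email, UPN, given name and surname; and the last reply's "missing fields" and "user not in the target group" causes) can be run against an export of the Entra group members before opening a ticket. The following is an added example, not Cato's or Microsoft's code: it assumes user objects keyed by the Microsoft Graph property names and works on a constructed sample with hypothetical group names, and it also explains the "member of 3 groups in Azure AD but only 1 in CMA" case by flagging memberships in groups that were never assigned to the Cato enterprise application.

```python
"""Triage Entra ID group members that never appear in CMA after a SCIM sync.
Added example, not Cato's or Microsoft's code: it reads an export of group
members keyed by Microsoft Graph user property names (constructed sample)."""

# Attributes FinnCato's reply lists as required for a user to provision.
REQUIRED_ATTRIBUTES = ("mail", "userPrincipalName", "givenName", "surname")

def user(upn, mail, given, surname):  # Graph-shaped user object (constructed)
    return {"userPrincipalName": upn, "mail": mail,
            "givenName": given, "surname": surname}

# Constructed export: Entra group display name -> member user objects.
SAMPLE_GROUPS = {
    "Cato-SDP-Users": [
        user("alice@example.com", "alice@example.com", "Alice", "Adams"),
        user("bob@example.com", "bob@example.com", "Bob", ""),  # blank surname
        user("carol@example.com", None, "Carol", "Chen"),       # no mail value
    ],
    "Cato-Finance": [  # hypothetical group NOT assigned to the Cato app
        user("alice@example.com", "alice@example.com", "Alice", "Adams"),
        user("dave@example.com", "dave@example.com", "Dave", "Diaz"),
    ],
}

def missing_attributes(user_obj):
    """Return the required attributes that are absent, None or whitespace."""
    return [a for a in REQUIRED_ATTRIBUTES if not (user_obj.get(a) or "").strip()]

def triage(groups, synced_groups):
    """Per UPN, explain why the user may be missing or only partly present in
    CMA: blank required attributes, or groups not assigned to the Cato app."""
    synced = set(synced_groups)
    per_user = {}
    for group, members in groups.items():
        for member in members:
            entry = per_user.setdefault(member["userPrincipalName"],
                                        {"groups": set(), "missing": set()})
            entry["groups"].add(group)
            entry["missing"].update(missing_attributes(member))
    findings = {}
    for upn, entry in sorted(per_user.items()):
        reasons = [f"missing attribute: {a}" for a in sorted(entry["missing"])]
        if not entry["groups"] & synced:
            reasons.append("no membership in a group assigned to the Cato app")
        else:  # user syncs, but SCIM never pushes these extra memberships
            for group in sorted(entry["groups"] - synced):
                reasons.append(f"group {group} is not assigned to the Cato app")
        if reasons:
            findings[upn] = reasons
    return findings
```

Running `triage(SAMPLE_GROUPS, ["Cato-SDP-Users"])` on the sample flags Bob and Carol for blank attributes, Dave for not being in any assigned group, and Alice for a second membership that CMA will never show; a real export needs the attribute values as Entra stores them, since a value that is blank in Entra is blank in the SCIM payload too.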