Year-end turnover process for Security Groups and Administrative Units

Background

When School Data Sync (SDS) runs, it creates school Administrative Units (AUs) by default for every sync profile. SDS can also optionally enable Security Group Sync, which creates school Security Groups (SGs). As the sync runs, SDS keeps the memberships of these groups updated as school enrollments change in the SIS. The changes are fed into each sync profile. The automated membership updates for both school AUs and school SGs use the delta processing logic built into each SDS sync profile: as data changes for each profile, SDS processes only the changes, comparing what was sent previously with what is currently being received. Once the changes are identified, memberships are either added or removed.

Update

When you create new sync profiles for the new school year, there's no history of what was previously sent to SDS, so none of the delta processing logic applies. SDS will only add new users if they don’t already exist within the SGs and AUs. SDS won't remove any users that may have transferred or graduated to another school.

Solution

To address this, we recommend that you run the PowerShell scripts to clear your school SG memberships and your school AU memberships before you create and sync your new profile and data for the new term, semester, or school year. Once the memberships are cleared, you can sync your new profile data and repopulate the existing SGs and AUs with just the users that are currently associated with each school.

Additionally, if you have already set up your new year’s sync profiles, you can still correct your membership lists for both school SGs and AUs. You can pause your sync at any time, run the Remove Membership script(s), and then hit reset sync on your sync profile(s) to populate just the current users associated with your schools.

To run these scripts:

  1. Navigate to the links provided above.

  2. Download the script(s) and save them in your local c:\temp directory.

  3. Open PowerShell.

  4. Set the directory location by running:

    set-location c:\temp

  5. Install the Microsoft Graph module if you don’t have it already:

    Install-Module Microsoft.Graph

  6. Connect to your tenant and grant permissions:

    Connect-Graph -Scopes "AdministrativeUnit.ReadWrite.All", "User.Read.All"

  7. Sign in with your Global Admin Account.
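
Because the removal scripts empty every school AU, it helps to record who was a member beforehand and to confirm afterwards that transferred or graduated users did not come back. The following is an added example, not one of the SDS scripts: the function names, parameters and file paths are hypothetical, it snapshots all AUs in the tenant (not only those created by SDS), and it assumes the Graph session opened in step 6.

```powershell
# Added example: read-only snapshot of AU membership plus an offline diff of two snapshots.
# Function names, parameters and paths are hypothetical; they are not part of SDS.
function Export-AuMembershipSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    # One row per (AU, member) pair. @() keeps an empty tenant from piping $null.
    $rows = @(foreach ($au in Get-MgDirectoryAdministrativeUnit -All) {
        foreach ($m in Get-MgDirectoryAdministrativeUnitMember -AdministrativeUnitId $au.Id -All) {
            [pscustomobject]@{
                AuId       = $au.Id
                AuName     = $au.DisplayName
                MemberId   = $m.Id
                MemberType = $m.AdditionalProperties['@odata.type']
                MemberUpn  = $m.AdditionalProperties['userPrincipalName']
            }
        }
    })
    $rows | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
    return $rows.Count
}

function Compare-AuMembershipSnapshot {
    param(
        [Parameter(Mandatory)][string]$Before,
        [Parameter(Mandatory)][string]$After
    )
    $old = @(Import-Csv -Path $Before)
    $new = @(Import-Csv -Path $After)
    # Match on the stable object IDs, not on display names or UPNs, which can change.
    Compare-Object -ReferenceObject $old -DifferenceObject $new -Property AuId, MemberId -PassThru |
        Select-Object AuName, MemberUpn, MemberType, @{
            Name       = 'Change'
            Expression = { if ($_.SideIndicator -eq '<=') { 'Removed' } else { 'Added' } }
        }
}

# Usage (paths are placeholders):
#   Export-AuMembershipSnapshot -Path C:\temp\au-before.csv   # before the removal scripts
#   Export-AuMembershipSnapshot -Path C:\temp\au-after.csv    # after the new profile has synced
#   Compare-AuMembershipSnapshot -Before C:\temp\au-before.csv -After C:\temp\au-after.csv
```

Rows marked `Removed` are members that were in a school AU before the clear and were not repopulated by the new profile, which is the expected result for users who transferred or graduated.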


To run the Remove-SchoolAU_Membership Script:

  1. Type the following into PowerShell:

    .\RemoveSchoolAU_Membership.ps1

  2. Hit enter and address any prompts that appear.


To run the Remove-SchoolSG_Membership Script:

  1. Type the following into PowerShell:

    .\RemoveSchoolSG_Membership.ps1

  2. Hit enter and address any prompts that appear.