Azure AD to ServiceNow provisioning: re-syncing groups deleted in ServiceNow

Question

Azure AD to ServiceNow provisioning: re-syncing groups deleted in ServiceNow

Max Nowak 1

Hi,

We're using user / group provisioning from Azure AD to ServiceNow and have run into a problem.

When creating a group in Azure, it gets synced to ServiceNow, as expected - but when this group is deleted in ServiceNow, it is NOT synced back to ServiceNow automatically, which was pretty surprising. It seems like Azure is not synchronizing every 40 minutes, like it is stated, but it is checking every 40 minutes if changes were made on its side (for example, removing someone from a group), and only then synchronizes the current state to ServiceNow. We tested this by deleting a group in ServiceNow and waiting for Azure to synchronize it back (since it was still present in AD), but nothing happened. Once we added a new member to the group, the group got synced back to ServiceNow.

Is there any way to change this behavior, so that the state present in Azure AD will always be synced to ServiceNow, regardless of if the objects have been deleted in ServiceNow? We really want Azure to be the source of truth for groups and users, but currently, that's just not possible.

Thanks,
Max

1 answer

Your answer

Answer 1

JamesTran-MSFT 36,911 Microsoft Employee Moderator

@Max Nowak
Thank you for your post and I apologize for the delayed response!

Based off your description, when you delete a group in ServiceNow, it isn't getting sync'd back to AzureAD. However, if you add a new member to the group (I'm assuming within AzureAD), the group gets sync'd back to ServiceNow.

From our "How provisioning works" documentation, it seems like the provisioning service is working as expected since it will query the source system - Provisioning cycles: Initial and incremental

I also found a known issue which might be related to this issue as well - Changes not moving from target app to Azure AD: This is because the app provisioning service isn't aware of changes made in external apps. So, no action is taken to roll back. The app provisioning service relies on changes made in Azure AD.

If you have any other questions, please let me know. Otherwise, I'd recommend leveraging our User Voice forum to provide feedback or creating a feature request so our engineering team can take a look into implementing this.

Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2021-05-11T15:39:10.44+00:00

@Max Nowak
I just wanted to check in and see if you had any other questions?

Thank you for your time and patience throughout this issue.
Danny Zollner 10,801 Reputation points Microsoft Employee Moderator

2021-05-11T17:38:00.337+00:00

@JamesTran-MSFT hit the nail on the head - AAD Provisioning does not have a way to query target directories for changes. It relies solely on changes in AAD. If changes have been made in the target app (ServiceNow or anything else), to bring things back to a correct state you should restart provisioning so that all in-scope objects in AAD are evaluated, rather than only objects that have had recent changes in AAD. By restarting, you'll force the service to evaluate the group again and when it sees that the group no longer exists in ServiceNow, it will recreate it.
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2021-05-18T21:55:42.897+00:00

@Max Nowak
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?

Thank you for your time and patience throughout this issue.

----------

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

Share via

Azure AD to ServiceNow provisioning: re-syncing groups deleted in ServiceNow

1 answer

Your answer