Azure AD to ServiceNow provisioning: re-syncing groups deleted in ServiceNow

Max Nowak 1 Reputation point
2021-04-30T09:07:41.137+00:00

Hi,

We're using user / group provisioning from Azure AD to ServiceNow and have run into a problem.

When creating a group in Azure, it gets synced to ServiceNow, as expected - but when this group is deleted in ServiceNow, it is NOT synced back to ServiceNow automatically, which was pretty surprising. It seems like Azure is not synchronizing every 40 minutes, as stated, but is checking every 40 minutes whether changes were made on its side (for example, removing someone from a group), and only then synchronizes the current state to ServiceNow. We tested this by deleting a group in ServiceNow and waiting for Azure to synchronize it back (since it was still present in AD), but nothing happened. Once we added a new member to the group, the group got synced back to ServiceNow.

Is there any way to change this behavior, so that the state present in Azure AD will always be synced to ServiceNow, regardless of whether the objects have been deleted in ServiceNow? We really want Azure to be the source of truth for groups and users, but currently, that's just not possible.

Thanks,
Max

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator
    2021-05-10T21:55:04.19+00:00

    @Max Nowak
    Thank you for your post and I apologize for the delayed response!

    Based on your description, when you delete a group in ServiceNow, it isn't getting synced back to AzureAD. However, if you add a new member to the group (I'm assuming within AzureAD), the group gets synced back to ServiceNow.

    From our "How provisioning works" documentation, it seems like the provisioning service is working as expected since it will query the source system - Provisioning cycles: Initial and incremental

    I also found a known issue which might be related to this issue as well - Changes not moving from target app to Azure AD: This is because the app provisioning service isn't aware of changes made in external apps. So, no action is taken to roll back. The app provisioning service relies on changes made in Azure AD.

    If you have any other questions, please let me know. Otherwise, I'd recommend leveraging our User Voice forum to provide feedback or creating a feature request so our engineering team can take a look into implementing this.

    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
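To make the difference between the two cycle types concrete, here is a small Python model added to this thread; it is not Microsoft, Azure AD or ServiceNow code, and the class names, the sequence-number watermark and the sample group are constructed for illustration. It replays the sequence from the question: a delta (incremental) cycle queries only the source for objects changed since the last cycle, so a deletion made inside the target is invisible to it, while a full (initial) cycle rewrites every in-scope object. It also shows the check the provisioning cycles themselves never perform: a direct source-versus-target comparison that reports drift in both directions.

```python
# Simplified model of Azure AD -> app provisioning cycles. Added example for
# illustration; it is not Microsoft, Azure AD or ServiceNow code. Names such as
# SourceDirectory, TargetApp and Provisioner are invented for the model.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Group:
    object_id: str
    display_name: str
    members: FrozenSet[str]
    changed_at: int  # sequence number of the last change made in the source


@dataclass
class SourceDirectory:
    """Stands in for Azure AD: the system of record the provisioning service queries."""
    groups: Dict[str, Group] = field(default_factory=dict)
    clock: int = 0

    def upsert(self, object_id: str, display_name: str, members: FrozenSet[str]) -> None:
        self.clock += 1
        self.groups[object_id] = Group(object_id, display_name, members, self.clock)

    def add_member(self, object_id: str, user: str) -> None:
        g = self.groups[object_id]
        self.upsert(object_id, g.display_name, g.members | {user})

    def changes_since(self, watermark: int) -> List[Group]:
        return [g for g in self.groups.values() if g.changed_at > watermark]


@dataclass
class TargetApp:
    """Stands in for ServiceNow: it can be edited locally and never reports back."""
    groups: Dict[str, Group] = field(default_factory=dict)

    def delete_locally(self, object_id: str) -> None:
        # An admin removes the group inside the app; the provisioning service is not told.
        self.groups.pop(object_id, None)


class Provisioner:
    """Pushes source state into the target in two kinds of cycles."""

    def __init__(self, source: SourceDirectory, target: TargetApp) -> None:
        self.source = source
        self.target = target
        self.watermark = 0

    def initial_cycle(self) -> List[Tuple[str, str]]:
        """Full pass: every in-scope source object is written to the target."""
        actions = []
        for g in self.source.groups.values():
            self.target.groups[g.object_id] = g
            actions.append(("upsert", g.object_id))
        self.watermark = self.source.clock
        return actions

    def incremental_cycle(self) -> List[Tuple[str, str]]:
        """Delta pass: only source objects changed since the last watermark are written."""
        actions = []
        for g in self.source.changes_since(self.watermark):
            self.target.groups[g.object_id] = g
            actions.append(("upsert", g.object_id))
        self.watermark = self.source.clock
        return actions

    def detect_drift(self) -> Dict[str, List[str]]:
        """Compare source and target directly; neither provisioning cycle does this."""
        src, tgt = set(self.source.groups), set(self.target.groups)
        return {
            "missing_in_target": sorted(src - tgt),      # deleted in the app
            "unexpected_in_target": sorted(tgt - src),   # created in the app, never rolled back
        }


def run_scenario() -> Dict[str, object]:
    """Replays the sequence from the question with constructed sample data."""
    source, target = SourceDirectory(), TargetApp()
    prov = Provisioner(source, target)

    source.upsert("grp-001", "SN-Operators", frozenset({"alice"}))  # constructed group
    prov.initial_cycle()
    target.delete_locally("grp-001")  # group deleted inside the app

    # Nothing changed in the source, so the periodic delta pass has nothing to push.
    quiet_actions = prov.incremental_cycle()
    drift_before = prov.detect_drift()

    # A source-side change bumps the group's sequence number; now it is re-pushed.
    source.add_member("grp-001", "bob")
    busy_actions = prov.incremental_cycle()
    restored_by_delta = "grp-001" in target.groups

    # Delete again, then run a full pass: it repairs the target without any source change.
    target.delete_locally("grp-001")
    full_actions = prov.initial_cycle()

    return {
        "quiet_actions": quiet_actions,
        "drift_before": drift_before,
        "busy_actions": busy_actions,
        "restored_by_delta": restored_by_delta,
        "full_actions": full_actions,
        "restored_by_full_cycle": "grp-001" in target.groups,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The model's two findings are the ones that matter operationally: a target-side deletion stays unrepaired until either the object changes in the source or a full cycle runs, and the service has no view of objects created or removed in the target, so an independent source-versus-target comparison like `detect_drift` is the only way to notice that kind of drift.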

