Appian Experts,
I have a question regarding AD Synchronization. We have our SAML setup to "Update user attributes upon sign in". This works perfectly fine when a user is Added/Removed from a specific entitlement in AD that is mapped to a group on Appian and that user logs in to Appian.
However, the issue arises if the user is removed from an entitlement in AD group and he never logs in again to Appian. The user remains part of the group and gets tasks assigned till someone manually removes the user from the group in Appian.
I am pretty sure a lot of us here in the Community have encountered this situation. Can anyone suggest an automated way to Sync the users in AD to the groups in Appian w/o logging in?
Thank you,
Janaki Ram
It's good that assignment is to the group and not the user directly. To remove the users automatically, a daily scheduler process will be most appropriate. Check existence of each group member against the AD group and, if they are not found, remove them from the group using the Remove Group Member Smart Service in a process model.
Thank you, Harsha. Agree with you and we do group assignment as a best practice. We get into trouble when there is an access audit and there is a discrepancy between AD and Appian groups. Will explore the API route.
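The daily reconciliation suggested in the reply above, sketched as an added example (not code from the thread or from Appian): it computes which members to pass to the Remove Group Member Smart Service and refuses to act on a group when the AD data looks unreliable. It assumes the membership lists have already been fetched by whatever directory query and Appian export you use; the function name, group names and usernames are hypothetical.

```python
"""Plan Appian group removals from AD entitlement membership (added example)."""

def plan_removals(ad_members, appian_members, mapping):
    """Return (removals, skipped).

    ad_members:     {ad_entitlement: list of usernames, or None if the lookup failed}
    appian_members: {appian_group: list of usernames}
    mapping:        {appian_group: ad_entitlement}
    """
    removals, skipped = {}, []
    for group, entitlement in sorted(mapping.items()):
        ad = ad_members.get(entitlement)
        if ad is None:
            # Fail closed: a failed directory query must not look like "nobody is entitled".
            skipped.append((group, "AD lookup failed"))
            continue
        allowed = {u.strip().lower() for u in ad}  # usernames compared case-insensitively
        current = list(appian_members.get(group, []))
        stale = sorted(u for u in current if u.strip().lower() not in allowed)
        if not stale:
            continue
        if len(stale) == len(current):
            # Policy choice in this example: emptying a whole group needs manual review.
            skipped.append((group, "would remove every member"))
            continue
        removals[group] = stale
    return removals, skipped

# Constructed sample data, not real directory contents.
MAPPING = {"Claims Processors": "ENT_CLAIMS",
           "Finance Approvers": "ENT_FINANCE",
           "HR Admins": "ENT_HR"}
AD_MEMBERS = {"ENT_CLAIMS": ["jdoe", "asmith"],   # bwong lost this entitlement
              "ENT_FINANCE": None,                # lookup failed
              "ENT_HR": []}                       # suspicious empty result
APPIAN_MEMBERS = {"Claims Processors": ["JDoe", "asmith", "bwong"],
                  "Finance Approvers": ["cpatel"],
                  "HR Admins": ["dlee"]}

if __name__ == "__main__":
    removals, skipped = plan_removals(AD_MEMBERS, APPIAN_MEMBERS, MAPPING)
    for group, users in removals.items():
        print(f"remove from {group}: {', '.join(users)}")
    for group, reason in skipped:
        print(f"skipped {group}: {reason}")
```

Keeping each run's removals and skipped lists gives the access audit a record of when AD and Appian diverged and why a group was left untouched.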