Users and/or hosts are not being integrated with Azure AD

Learn how to troubleshoot when users and hosts are not being integrated from your organization's Azure Active Directory

In some cases, after setting up Azure AD integration following the instructions listed on the Help Center Guide users or hosts are not successfully integrated. The following article contains different scenarios, which are the most likely causes for the different issues and different options to troubleshoot.

Info

Please keep in mind that the first time the Azure AD integration runs, it might take a while to process users. Typically, after one hour of having the integration running, there should already be users and/or hosts in AskCody.

Possible scenarios

 

Note

The first thing to check when troubleshooting an Azure AD Integration is the different group memberships for users in your organization's Azure Active Directory. Please make sure that the users you want to integrate into AskCody are members of both your root group, and at least one of the groups used for role provisioning, assignments, and memberships. For more information, please refer to the article with the instructions to set up an integration with Azure AD.

No users or hosts are being integrated with AskCody

When encountering a situation in which no users or hosts are integrated with AskCody by using Azure AD Integration, please check the following:

Check whether the Azure AD Integration has started, and it is running

In order to make sure this is the case, please go to the Azure AD integration configuration portal in the Admin Center and check the top bar in the Azure AD Integration. If the integration has started, it will look like this:
AskCody Azure AD Sync Started

If the integration has not started, it will look like this:AskCody Azure AD Sync Paused

To start the integration, please click on the button located on the top right corner:

Azure AD Sync start sync button
  • Check the integration logs

    Located on the left panel of the Azure AD Integration configuration portal, the logs will display relevant information about the integration. If the integration has encountered errors in its process, they will have the following format:
Azure AD Sync log with failures


If your Azure AD Integration has an error with the text "Failed processing changes" and is highlighted in red, or if your integration has been paused for over 30 days, please contact support or write support@askcody.com and send either a screenshot that looks like the image above in your integration or the two lines of text located below the "Process Changes" title.

Some users or hosts are not being integrated with AskCody

If when using an Azure AD Integration you encounter a scenario where some users and/or hosts are being integrated with AskCody, but others are being left out, please check the following:

Check the integration logs

Located on the left panel of the Azure AD Integration configuration portal, the logs will display relevant information about the integration. When a user has been left out of the integration, it will display one, or several errors with the following format:
Azure AD Sync log with failures and warnings


These types of errors contain a short description of the reason why the user is not being integrated, or why it will be disabled from AskCody. The Object ID displayed corresponds to the Object ID of the user in your organization's Azure Active Directory, and can be found on the user's profile in Azure Active Directory.

Here are the most common reasons for which a user can be excluded from integration, and troubleshooting options for each one of them:

User with object ID XXXXX was not found in Microsoft Graph and will be disabled in AskCody:
  • If you get the error the first time you run the Azure AD Integration: There might have been recent changes in the profile of that user in your organization's Azure Active Directory (such as deleting it or changing its group memberships) which can take some time to propagate and be applied. When changes are updated and have propagated in your organization's Azure Active Directory, the Azure AD Integration will reflect the behavior in AskCody (the user will be integrated, or left out of the integration, depending on the configuration in Azure Active Directory).
  • If you get this error and your Azure AD Integration has been running for more than one hour: The user was found previously in your organization's Azure Active Directory and was integrated into AskCody, but it is not found anymore (most likely because the user was removed from your organization's Azure Active Directory, or the integrated groups by you, or an IT Administrator from your organization), so it will be disabled in AskCody. If you want to enable this user again in AskCody, please double-check that the user is a member (in Azure Active Directory) of both the root group and at least one of the groups used for role provisioning, memberships, and assignments.

User with object ID XXXXX is invalid and will be disabled in AskCody. Reason: User has no given name: The user was found in the groups integrated via the Azure AD Integration, but as it does not have a first name in your organization's Azure Active Directory, it will not be integrated. To have this user integrated, please fill out the "First name" attribute of the user in the Azure Active Directory.

User with object ID XXXXX is invalid and will be disabled in AskCody. Reason: User has no surname: The user was found in the groups integrated via the Azure AD Integration, but as it does not have a last name in your organization's Azure Active Directory, it will not be integrated. To have this user integrated, please fill out the "Last name" attribute of the user in the Azure Active Directory.

User with object ID XXXXX is invalid and will be disabled in AskCody. Reason: User has no email: The user was found in the groups integrated via the Azure AD Integration, but as it does not have an e-mail in your organization's Azure Active Directory, it will not be integrated. To have this user integrated, please provide the user with a valid e-mail address (Azure AD "Mail" attribute) and a valid Office 365 license in Azure Active Directory. 

User with object ID XXXXX is not a member of the root group with ID XXXXX in Azure AD and will be disabled in AskCody: The user is not a member of the group you selected as "Root group" in the Azure AD Integration. To have this user integrated, please go to the user's profile in Azure Active Directory and make it a member of the group used as the root group.

Failed syncing group XXXXX: The groups used in the Azure AD Integration must be security-enabled and not mail-enabled. Please check whether this is the case in the group's configuration in your Azure Active Directory and make adjustments if necessary. After making the changes, the next time the Azure AD Integration runs, it will attempt to integrate with the group that previously failed. The integration runs hourly.

Additionally, please check in your organization's Azure Active Directory the following conditions on the profile of the user(s) not being integrated:

  • The user account must be enabled in Azure Active Directory.
  • The user account must not be blocked in Azure Active Directory.
  • The User type property when checking the group memberships of the users in Azure Active Directory must be different from "Guest".

To troubleshoot for when specific users or groups are not being integrated with Azure AD Integration, please see the following article, which contains instructions on how to proceed in this case: integrate individual users or groups with Azure AD Integration.

Integration paused for over 30 days


Due to an Azure Active Directory limitation, the Azure AD Integration can only detect changes made in your Azure Active Directory over the past 30 days, so if your Azure AD Integration has been paused for over 30 days, it will not be able to process changes and fail. If this is your case, please contact support or write support@askcody.com and send a screenshot of the integration logs.

When adding groups into Azure AD Integration, I cannot find the groups I want to integrate

If you are having issues finding the groups while configuring your Azure AD integration in the AskCody Management Portal, it most likely means that the group(s) you are searching for, are not security-enabled, which is a requirement for Azure Active Directory groups to be integrated into AskCody. To fix this issue, please check on the group's configuration in Azure Active Directory whether the group's type is "Security".

After checking these settings, if there are any changes made in your Azure Active Directory, the sync will automatically update the changes into AskCody within the hour. To update immediately, you can pause and resume the Azure AD Integration and check the integration logs to get more information about the processed changes.

If your issue persists, please contact support or write support@askcody.com and send a screenshot of the integration logs.