Users and/or hosts are not being synchronized with Azure AD

In some cases, after setting up the Azure AD integration by following the instructions in the Help Center guide, users or hosts are not successfully synchronized. This article describes the most likely scenarios, their probable causes, and the options for troubleshooting each one.

Info

Please keep in mind that the first time the Azure AD integration runs, it might take a while to process users. Typically, after one hour of having the integration running, there should already be users and/or hosts in AskCody.

Possible scenarios

 

Note

The first thing to check when troubleshooting an Azure AD Sync is the different group memberships for users in your organization's Azure Active Directory. Please make sure that the users you want to sync into AskCody are members of both your root group, and at least one of the sync groups used for role provisioning, assignments, and memberships. For more information, please refer to the article with the instructions to set up a sync with Azure AD Sync.

No users or hosts are being synchronized into AskCody

When encountering a situation in which no users or hosts are synchronized into AskCody by using Azure AD Sync, please check the following:

  • Check whether the Azure AD Sync has started and is running. To do so, please go to the Azure AD integration configuration portal in the Admin Center and check the top bar in the Azure AD Sync.

        If the sync has started, it will look like this:

        [Screenshot: AskCody Azure AD Sync Started]

        If the sync has not started, it will look like this:

        [Screenshot: AskCody Azure AD Sync Paused]

        To start the sync, please click on the button located on the top right corner:

        [Screenshot: Azure AD Sync start sync button]

  • Check the sync logs

    Located on the left panel of the Azure AD Sync configuration portal, the logs will display relevant information about the sync. If the sync has encountered errors in its process, they will have the following format:

    [Screenshot: Azure AD Sync log with failures]

If your Azure AD Sync shows an error with the text "Failed processing changes" highlighted in red, or if your sync has been paused for over 30 days, please write to support@askcody.com and send either a screenshot of your sync logs like the image above, or the two lines of text located below the "Process Changes" title.

Some users or hosts are not being synchronized into AskCody

If some users and/or hosts are being synchronized into AskCody by the Azure AD Sync but others are being left out, please check the following:

  • Check the sync logs

    Located on the left panel of the Azure AD Sync configuration portal, the logs will display relevant information about the sync. When a user has been left out of the sync, the logs will display one or several errors with the following format:

    [Screenshot: Azure AD Sync log with failures and warnings]

These errors contain a short description of why the user is not being synchronized, or why it will be disabled in AskCody. The Object ID displayed corresponds to the Object ID of the user in your organization's Azure Active Directory, and can be found on the user's profile in Azure Active Directory.

Here are the most common reasons for which a user can be excluded from a sync, and troubleshooting options for each one of them:

  • User with object ID XXXXX was not found in Microsoft Graph and will be disabled in AskCody:
    • If you get the error the first time you run the Azure AD Sync: There might have been recent changes to the profile of that user in your organization's Azure Active Directory (such as deleting it, or changing its group memberships), which can take some time to propagate and be applied. Once the changes have propagated in your organization's Azure Active Directory, the Azure AD Sync will reflect them in AskCody (the user will be synced, or left out of the sync, depending on the configuration in Azure Active Directory).
    • If you get this error and your Azure AD Sync has been running for more than one hour: The user was previously found in your organization's Azure Active Directory and was synced into AskCody, but it can no longer be found (most likely because the user was removed from your organization's Azure Active Directory, or from the synced groups, by you or an IT Administrator from your organization), so it will be disabled in AskCody. If you want to enable this user again in AskCody, please double-check that the user is a member (in Azure Active Directory) of both the root group and at least one of the groups used for role provisioning, memberships and assignments.
  • User with object ID XXXXX is invalid and will be disabled in AskCody. Reason: User has no given name: The user was found in the groups synced via the Azure AD Sync, but as it does not have a first name in your organization's Azure Active Directory, it will not be synced. To have this user synchronized, please fill out the "First name" attribute of the user in Azure Active Directory.
  • User with object ID XXXXX is invalid and will be disabled in AskCody. Reason: User has no surname: The user was found in the groups synced via the Azure AD Sync, but as it does not have a last name in your organization's Azure Active Directory, it will not be synced. To have this user synchronized, please fill out the "Last name" attribute of the user in Azure Active Directory.
  • User with object ID XXXXX is invalid and will be disabled in AskCody. Reason: User has no email: The user was found in the groups synced via the Azure AD Sync, but as it does not have an e-mail in your organization's Azure Active Directory, it will not be synced. To have this user synchronized, please provide the user with a valid e-mail address (Azure AD "Mail" attribute) and a valid Office 365 license in Azure Active Directory. 
  • User with object ID XXXXX is not a member of the root group with ID XXXXX in Azure AD and will be disabled in AskCody: The user is not a member of the group you selected as "Root group" in the Azure AD Sync. To have this user synchronized, please go to the user's profile in Azure Active Directory and make it a member of the group used as root group.
  • Failed syncing group XXXXX: The groups used in the Azure AD Sync must be security-enabled and not mail-enabled. Please check whether this is the case in the group's configuration in your Azure Active Directory and make adjustments if necessary. After making the changes, the next time the Azure AD Sync runs, it will attempt to synchronize in the group that previously failed. The sync runs hourly.

Additionally, please check in your organization's Azure Active Directory the following conditions on the profile of the user(s) not being synchronized:

  • The user account must be enabled in Azure Active Directory.
  • The user account must not be blocked in Azure Active Directory.
  • The "User type" property shown when checking the users' group memberships in Azure Active Directory must not be "Guest".
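
The conditions listed above can be pre-checked offline against user and group objects exported from Microsoft Graph. The following is an added example, not AskCody's code or the sync's actual logic; the function names, group IDs and sample objects are constructed for illustration, and only the property names (givenName, surname, mail, accountEnabled, userType, securityEnabled, mailEnabled) come from the Microsoft Graph user and group resources.

```python
# Added example; property names follow Microsoft Graph user/group resources.
# All IDs and sample objects below are constructed for illustration.
ROOT_GROUP = "root-group-id"
SYNC_GROUPS = {"hosts-group-id", "managers-group-id"}

def check_group(group):
    """Problems that make a group unusable in the sync (must be security-only)."""
    problems = []
    if not group.get("securityEnabled"):
        problems.append("not security-enabled")
    if group.get("mailEnabled"):
        problems.append("mail-enabled")
    return problems

def check_user(user, member_of, root_group=ROOT_GROUP, sync_groups=SYNC_GROUPS):
    """Reasons a user would be left out of, or disabled by, the sync."""
    reasons = []
    # Required profile attributes; empty or whitespace-only values count as missing.
    for prop, label in (("givenName", "given name"),
                        ("surname", "surname"),
                        ("mail", "email")):
        if not (user.get(prop) or "").strip():
            reasons.append(f"User has no {label}")
    if not user.get("accountEnabled", False):
        reasons.append("account is not enabled")
    if user.get("userType") == "Guest":
        reasons.append("user type is Guest")
    # Membership: the root group AND at least one sync group are both required.
    if root_group not in member_of:
        reasons.append("not a member of the root group")
    if not (set(member_of) & set(sync_groups)):
        reasons.append("not a member of any sync group")
    return reasons

SAMPLE_USERS = {  # constructed sample data: (user object, group IDs it belongs to)
    "ok-user": ({"givenName": "Ada", "surname": "Lund", "mail": "ada@example.com",
                 "accountEnabled": True, "userType": "Member"},
                {"root-group-id", "hosts-group-id"}),
    "no-mail-guest": ({"givenName": "Bo", "surname": "Holm", "mail": None,
                       "accountEnabled": True, "userType": "Guest"},
                      {"hosts-group-id"}),
}

def report(users=SAMPLE_USERS):
    """Map each sample user to its list of reasons (empty list = eligible)."""
    return {name: check_user(u, groups) for name, (u, groups) in users.items()}

if __name__ == "__main__":
    for name, reasons in report().items():
        print(name, "->", reasons or "eligible")
```

An empty list means the object meets every condition named in this article; anything else points to the attribute or membership to correct in Azure Active Directory before the next hourly sync.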

To troubleshoot cases where specific users or groups are not being synchronized with Azure AD Sync, please see the following article, which contains instructions on how to proceed: Sync individual users or groups with Azure AD Sync.

  • Sync paused for over 30 days

Due to an Azure Active Directory limitation, the Azure AD Sync can only detect changes made in your Azure Active Directory over the past 30 days, so if your Azure AD Sync has been paused for over 30 days, it will not be able to process changes and will fail. If this is your case, please write to support@askcody.com and send a screenshot of the sync logs.

When adding groups into Azure AD Sync, I cannot find the groups I want to synchronize

If you are having issues finding the groups while configuring your Azure AD integration in the AskCody Management Portal, it most likely means that the group(s) you are searching for are not security-enabled, which is a requirement for Azure Active Directory groups to be synced into AskCody. To fix this issue, please check in the group's configuration in Azure Active Directory whether the group's type is "Security".

After checking these settings, if any changes are made in your Azure Active Directory, the sync will automatically apply them in AskCody within the hour. To update immediately, you can pause and resume the Azure AD Sync and check the sync logs to get more information about the processed changes.

If your issue persists, please write to support@askcody.com and send a screenshot of the sync logs.