Faster AD Sync: Delta Sync for Users, Groups, and Memberships
January 28, 2026 · GrantFlow Team
Keeping GrantFlow in sync with your on-premises Active Directory no longer means running a full directory scan every cycle. We've shipped delta sync for AD users, groups, and group memberships — so changes propagate quickly without the overhead of scanning your entire directory.
The problem
Full AD sync works, but it doesn't scale elegantly. Large directories with tens of thousands of users and hundreds of groups can take minutes to fully scan, and running that scan frequently enough to keep data fresh creates meaningful load on both the AD agents and the domain controllers. The result is usually a compromise: sync too often and pay the performance cost; sync too infrequently and risk stale eligibility data.
What's new
GrantFlow agents now keep per-connector sync state and request only the changes made since the last sync:
- Delta sync for users — only modified or newly created users are fetched each cycle; tombstoned (deleted) objects are detected and removed
- Delta sync for groups — group attribute changes sync without re-reading every group in scope
- Delta sync for memberships — group membership changes (additions and removals) are detected incrementally, so large groups don't cause a full re-read
- Per-connector schedules — each connector has its own sync schedule with configurable interval and a small random jitter to prevent agents from flooding the domain controller at the same second
- Guardrails — if a delta sync returns an unexpectedly large change set (for example, after a bulk AD operation), GrantFlow automatically falls back to a scoped full sync and flags the event
- Observability — sync duration, object counts, lag from last change, and backoff events are now surfaced in connector health telemetry
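As an added illustration (not GrantFlow code), here is a minimal Python reconciler that models the delta mechanics listed above: a per-connector cursor, tombstone handling that also drops the deleted user's memberships, incremental membership adds and removals, and the guardrail that falls back to a full sync and flags the event. The in-memory change feed, the threshold of 3, and every name in it are constructed assumptions; a real connector would read the directory's own change-tracking mechanism.

```python
from dataclasses import dataclass, field

@dataclass
class Change:
    seq: int               # position in the change feed (assumed monotonic)
    kind: str              # "user" or "membership"
    key: str               # user id, or "group:user" for a membership
    deleted: bool = False  # tombstoned user, or removed membership
    attrs: dict = field(default_factory=dict)

@dataclass
class ConnectorState:
    cursor: int = 0                             # last seq applied
    users: dict = field(default_factory=dict)   # user id -> attrs
    members: set = field(default_factory=set)   # (group, user) pairs
    flags: list = field(default_factory=list)   # guardrail events for telemetry

def apply(state, c):
    if c.kind == "user" and c.deleted:
        state.users.pop(c.key, None)
        # drop the tombstoned user's memberships too, so stale eligibility
        # does not outlive the account
        state.members = {m for m in state.members if m[1] != c.key}
    elif c.kind == "user":
        state.users[c.key] = c.attrs
    else:
        pair = tuple(c.key.split(":", 1))
        (state.members.discard if c.deleted else state.members.add)(pair)
    state.cursor = max(state.cursor, c.seq)

def delta_sync(state, feed, threshold=3):
    """Apply only changes newer than the cursor; if the delta exceeds the
    guardrail threshold, flag it and rebuild from the whole feed instead."""
    pending = [c for c in feed if c.seq > state.cursor]
    if len(pending) > threshold:
        state.flags.append(f"delta of {len(pending)} > {threshold}: full sync")
        state.users.clear(); state.members.clear(); state.cursor = 0
        pending = list(feed)
    for c in sorted(pending, key=lambda c: c.seq):
        apply(state, c)
    return len(pending)

FEED = [  # constructed sample feed, not real directory data
    Change(1, "user", "alice", attrs={"dn": "CN=alice,OU=Staff"}),
    Change(2, "user", "bob", attrs={"dn": "CN=bob,OU=Staff"}),
    Change(3, "membership", "admins:alice"),
    Change(4, "membership", "admins:bob"),
    Change(5, "user", "bob", deleted=True),  # tombstone: bob was deleted in AD
]
```

Running `delta_sync(ConnectorState(), FEED)` on an empty state trips the guardrail (5 changes against a threshold of 3), so the first cycle is flagged and rebuilt in full; later cycles with a small delta apply incrementally without a new flag.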
What this means in practice
A typical deployment that previously ran a 15-minute full sync can now run delta syncs every 2–3 minutes with a fraction of the agent and domain controller load. Eligibility data stays accurate and up to date, and administrators see fewer cases where a newly added user can't yet request a role because the sync hasn't caught up.
You can monitor sync activity under Admin → Connectors → Jobs, where delta sync cycles appear as ADSync.SyncUsers and ADSync.SyncGroups job entries.
See the Connector Management guide for configuration details.
What's next
We're pairing delta sync with automatic Entra Connect triggering — when GrantFlow makes an AD change for a hybrid-identity user, it immediately kicks off a delta sync on the Entra Connect side to eliminate cloud propagation delays.