Faster Hybrid Identity Updates — Automatic Entra Connect Sync
February 24, 2026 · GrantFlow Team
If you manage hybrid identities — users synced between on-premises Active Directory and Microsoft Entra ID — you know the frustration of waiting for Entra Connect to pick up changes. When GrantFlow enables an AD account or adds a user to a group, the corresponding Entra ID state can remain stale for 30 minutes to several hours until the next scheduled sync cycle runs.
That delay is now eliminated.
The Problem
Here is what used to happen when a user checked out a hybrid account:
- GrantFlow submits an enable-account job to the on-premises agent.
- The agent enables the AD account via LDAP — success.
- The AD account is active, but Entra ID still shows the old state.
- The user sees "active" in GrantFlow, yet Entra-dependent services reject the account until the next Entra Connect sync.
The same gap existed for group membership changes used in role provisioning. Waiting for the next scheduled cycle created confusion and eroded trust in the platform.
What Changed
GrantFlow's on-premises agent now automatically triggers an Entra Connect delta sync after successfully completing AD operations on hybrid users. The sequence is straightforward:
- GrantFlow performs the AD operation (enable, disable, group add, or group remove).
- On success, the agent automatically initiates an Entra Connect delta sync.
- Entra ID reflects the change within seconds instead of hours.
The sync trigger is best-effort and non-blocking — if it fails, the original operation still succeeded, and the change will propagate on the next scheduled cycle as before.
How Hybrid Users Are Detected
GrantFlow automatically detects hybrid identities when a user exists in both an AD connector and an Entra ID connector with a matching correlation. No manual configuration is required.
Security
The agent service account must be a member of the ADSyncAdmins group on the Entra Connect server to execute the delta sync. The sync operation is restricted to a fixed, safe command — no user-supplied parameters are involved.
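The trigger described under "What Changed" and the fixed-command constraint above, as an added example that is not GrantFlow's agent code: a best-effort, non-blocking delta sync request run on the Entra Connect server after an AD operation succeeds. It assumes the ADSync PowerShell module that ships with Entra Connect and a caller that is a member of ADSyncAdmins; the function and parameter names are hypothetical.

```powershell
# Added example, not GrantFlow's agent code. Assumes the ADSync module from
# Entra Connect and a caller in ADSyncAdmins. Function name is hypothetical.

function Invoke-BestEffortDeltaSync {
    [CmdletBinding()]
    param(
        [int]$RetryCount = 3,
        [int]$RetryDelaySeconds = 15
    )

    try {
        Import-Module ADSync -ErrorAction Stop
    } catch {
        Write-Warning "ADSync module not available; change propagates on the next scheduled cycle. $_"
        return $false
    }

    for ($attempt = 1; $attempt -le $RetryCount; $attempt++) {
        try {
            # Fails with access denied when the caller is not in ADSyncAdmins.
            $scheduler = Get-ADSyncScheduler -ErrorAction Stop
            if ($scheduler.SyncCycleInProgress) {
                # Start-ADSyncSyncCycle refuses to start while a cycle is running;
                # that cycle may already carry the change, so wait and retry.
                Write-Verbose "Sync cycle in progress (attempt $attempt); retrying in $RetryDelaySeconds s."
                Start-Sleep -Seconds $RetryDelaySeconds
                continue
            }
            # Fixed invocation: nothing from the request reaches this command line.
            Start-ADSyncSyncCycle -PolicyType Delta -ErrorAction Stop | Out-Null
            Write-Verbose "Delta sync requested (attempt $attempt)."
            return $true
        } catch {
            Write-Warning "Delta sync request failed (attempt $attempt): $_"
            Start-Sleep -Seconds $RetryDelaySeconds
        }
    }

    Write-Warning "Delta sync not triggered after $RetryCount attempts; next scheduled cycle applies the change."
    return $false
}

# Non-blocking use: run the trigger as a background job so the AD operation's
# result is reported to the caller regardless of the sync outcome.
$syncJob = Start-Job -ScriptBlock ${function:Invoke-BestEffortDeltaSync}
# ... report the AD operation as successful here ...
# Later, for logging only: collect whether the trigger succeeded.
$triggered = Receive-Job -Job $syncJob -Wait -AutoRemoveJob
Write-Verbose "Delta sync triggered: $triggered"
```

A sync that is already running when the trigger fires is the common failure case; treating it as "retry briefly, then fall back to the scheduled cycle" keeps the trigger best-effort without ever failing the original operation.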
What This Means for You
If you run hybrid identities with GrantFlow and Entra Connect, ensure your on-premises agent is updated to the latest version. The automatic sync trigger is enabled by default for all hybrid operations. No additional configuration is needed.