Group and Role Member Synchronization
GrantFlow automatically synchronizes group and role membership data from your connected directories, giving you visibility into who belongs to which groups and roles. This information helps administrators make informed decisions about privileged access assignments and validate that the right people have the right access.
How Member Sync Works
When you configure an Entra ID or Active Directory connector, GrantFlow periodically fetches membership information for groups and roles that are actively used in your PAM policies. This synchronization happens automatically in the background, ensuring your membership data stays current without manual intervention.
Entra ID Synchronization
For Entra ID connectors, GrantFlow uses the Microsoft Graph API to retrieve:
- Group Members: All users who are direct members of Entra ID security groups and Microsoft 365 groups. Because only direct members are fetched, a user who belongs to a synced group solely through a nested group does not appear in that group's member list.
- Role Members: Users assigned to Entra ID directory roles (like Global Administrator, User Administrator, etc.)
Microsoft Graph returns large member lists in pages. The sync follows each page's @odata.nextLink until the last page is reached, so large groups are fetched completely in batches rather than truncated at the first page of results.
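As an added example (not GrantFlow code), the following Python shows what following Graph pagination involves: walking @odata.nextLink until the last page, filtering the directoryObject listing down to users, and refusing to loop forever on a bad link. `fetch_json` and the two-page sample group are constructed stand-ins for the authenticated Graph client and its responses.

```python
"""Page through Microsoft Graph member listings the way a directory connector
must: follow @odata.nextLink until the last page.

Added example, not GrantFlow code. `fetch_json` stands in for an authenticated
HTTPS GET returning parsed JSON; the sample pages below are constructed.
"""
from typing import Callable, Iterator

GRAPH = "https://graph.microsoft.com/v1.0"
USER_TYPE = "#microsoft.graph.user"


def iter_members(fetch_json: Callable[[str], dict], url: str) -> Iterator[dict]:
    """Yield every object in a paged collection, following @odata.nextLink."""
    seen = set()
    while url:
        if url in seen:  # a nextLink that points back at itself would never terminate
            raise RuntimeError("pagination loop at " + url)
        seen.add(url)
        page = fetch_json(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")  # absent on the final page


def group_member_ids(fetch_json: Callable[[str], dict], group_id: str) -> list[str]:
    """Object IDs of the users that are direct members of a group. The listing also
    contains nested groups, devices and service principals; those are skipped, so a
    user who belongs only through a nested group is not in the result."""
    url = f"{GRAPH}/groups/{group_id}/members?$select=id,userPrincipalName&$top=999"
    return [m["id"] for m in iter_members(fetch_json, url) if m.get("@odata.type") == USER_TYPE]


def directory_role_member_ids(fetch_json: Callable[[str], dict], role_id: str) -> list[str]:
    """Users assigned to an activated directory role (role_id is the directoryRole
    object id, not the roleTemplateId)."""
    url = f"{GRAPH}/directoryRoles/{role_id}/members?$select=id&$top=999"
    return [m["id"] for m in iter_members(fetch_json, url) if m.get("@odata.type") == USER_TYPE]


# Constructed sample: one group whose members Graph returns across two pages.
GROUP_ID = "11111111-1111-1111-1111-111111111111"
FIRST_PAGE = f"{GRAPH}/groups/{GROUP_ID}/members?$select=id,userPrincipalName&$top=999"
SECOND_PAGE = f"{GRAPH}/groups/{GROUP_ID}/members?$skiptoken=X%27abc%27"
SAMPLE_PAGES = {
    FIRST_PAGE: {
        "value": [
            {"@odata.type": USER_TYPE, "id": "u-001", "userPrincipalName": "alice@corp.example"},
            {"@odata.type": "#microsoft.graph.group", "id": "g-nested"},  # nested group, not expanded
        ],
        "@odata.nextLink": SECOND_PAGE,
    },
    SECOND_PAGE: {
        "value": [
            {"@odata.type": USER_TYPE, "id": "u-002", "userPrincipalName": "bob@corp.example"},
        ],
    },
}


def sample_fetch(url: str) -> dict:
    """Stand-in for the HTTP client: serves the constructed pages."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    print(group_member_ids(sample_fetch, GROUP_ID))  # ['u-001', 'u-002']
```

The nested group object on the first page is deliberately left in the sample: it is returned by Graph like any other member, and filtering on `@odata.type` is exactly what makes the result "direct user members only".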
Active Directory Synchronization
For on-premises Active Directory, the AD agent retrieves membership through LDAP queries:
- Group Members: Users in AD security groups, including nested group membership resolution
- Distinguished Name (DN) to SID Mapping: GrantFlow maintains a cache that maps AD distinguished names to Security Identifiers (SIDs) for efficient lookups
The AD agent performs these queries during its regular sync cycles, and results are sent back to the GrantFlow API through secure, outbound-only connections.
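An added illustration of the AD side (example code, not the agent's own): the LDAP filter that resolves nested membership in one query via Active Directory's LDAP_MATCHING_RULE_IN_CHAIN rule, with RFC 4515 escaping so a group DN containing parentheses or backslashes cannot alter the filter, and the decoding of the binary objectSid attribute into its string form for the DN→SID cache. The BUILTIN\Administrators bytes are constructed sample input.

```python
"""Build the LDAP query an AD agent needs for nested group membership and
decode the binary objectSid attribute into the familiar S-1-5-... form.

Added example, not GrantFlow's agent code. The matching-rule OID
1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) is Active Directory's
documented way to walk nested membership in a single query.
"""
import struct

IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for assertion values. A DN taken from the directory or
    from an admin's configuration may contain ( ) * or a backslash; unescaped,
    those characters change the meaning of the filter."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def nested_user_members_filter(group_dn: str) -> str:
    """All user objects that are members of group_dn directly or through any chain
    of nested groups. objectCategory=person excludes computer accounts, which also
    carry objectClass=user."""
    return (
        "(&(objectCategory=person)(objectClass=user)"
        f"(memberOf:{IN_CHAIN}:={escape_filter_value(group_dn)}))"
    )


def sid_bytes_to_string(raw: bytes) -> str:
    """Decode an objectSid: revision, sub-authority count, 48-bit big-endian
    identifier authority, then little-endian 32-bit sub-authorities."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def sid_string_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_string; handy for building test data."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


# Constructed sample: BUILTIN\Administrators (S-1-5-32-544) as LDAP returns it.
BUILTIN_ADMINS_RAW = bytes.fromhex("01 02 000000000005 20000000 20020000")

if __name__ == "__main__":
    print(nested_user_members_filter("CN=Tier 0 Admins (PAM),OU=Groups,DC=corp,DC=example"))
    print(sid_bytes_to_string(BUILTIN_ADMINS_RAW))  # S-1-5-32-544
```

The escaping matters because the group DN is the one value in that filter that comes from configuration rather than from code; a DN containing `)` would otherwise close the assertion early.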
What Gets Synchronized
Member sync focuses on groups and roles that are actively in use within your GrantFlow configuration. This targeted approach minimizes unnecessary API calls and database storage while ensuring you have visibility into the memberships that matter.
Groups In Use
A group is considered "in use" when it's referenced in:
- Role provisioning configurations (target groups for access grants)
- Approver policies (groups whose members can approve requests)
- Account policies (groups associated with privileged accounts)
Roles In Use
An Entra ID directory role is considered "in use" when it's:
- Configured as a target role in role provisioning
- Part of an eligibility or assignment configuration
Viewing Member Information
Member data appears in several places throughout the GrantFlow admin interface:
Assignments View
When viewing role assignments, you can see which users are currently members of the associated groups or roles. This helps you understand the current state of access before making changes.
Role Catalog
The role catalog displays member counts for each configured role, giving you a quick overview of how many users currently have each type of privileged access.
Audit and Compliance
Member sync data supports compliance reporting by providing point-in-time snapshots of who had access to what. This information is invaluable during access reviews and audits.
Unified Memberships
GrantFlow stores all membership data in a unified memberships collection, regardless of whether the source is Entra ID or Active Directory. This provides:
- Consistent querying — Membership lookups use the same data structure regardless of connector type
- Cross-directory visibility — See all group memberships for a user in one place
- Accurate counts — Role catalog member counts reflect the latest sync from all connected directories
Stale Entity Cleanup
When users or groups are removed from a connected directory, GrantFlow automatically detects and cleans up stale membership records:
- Memberships for deleted users are marked as stale and removed during the next sync cycle
- Groups that no longer exist in the source directory are flagged for administrator review
- Stale entity cleanup runs as part of the regular sync process — no manual intervention required
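The two sections above, unified storage and stale cleanup, can be seen together in this added example (not GrantFlow's data model): Entra and AD listings normalized into one record type, then reconciled against the previous snapshot so that members gone from a re-read group become stale, a group the directory no longer has is flagged rather than deleted, and groups not queried this cycle are left alone. Field names and snapshots are this example's own constructions.

```python
"""One membership schema for Entra ID and Active Directory sources, plus the
reconciliation step that turns a fresh sync into added records, stale records
and groups that need an administrator's attention.

Added example, not GrantFlow's data model. The field names and the sample
listings are this example's own constructions.
"""
from dataclasses import dataclass, field
from typing import Iterable, Optional


@dataclass(frozen=True)
class Membership:
    source: str     # "entra" or "ad"
    group_id: str   # Entra group object ID, or the AD group's SID
    member_id: str  # Entra user object ID, or the AD user's SID


def from_entra(group_id: str, members: Iterable[dict]) -> set[Membership]:
    """Normalize a Graph /groups/{id}/members listing (users only)."""
    return {Membership("entra", group_id, m["id"]) for m in members
            if m.get("@odata.type") == "#microsoft.graph.user"}


def from_ad(group_sid: str, entries: Iterable[dict]) -> set[Membership]:
    """Normalize LDAP entries whose objectSid was already decoded to a string."""
    return {Membership("ad", group_sid, e["objectSid"]) for e in entries}


@dataclass
class Reconciliation:
    added: set = field(default_factory=set)
    stale: set = field(default_factory=set)           # gone from a group that was re-read
    missing_groups: set = field(default_factory=set)  # (source, group_id) the directory no longer has


GroupKey = tuple[str, str]


def reconcile(previous: set[Membership],
              results: dict[GroupKey, Optional[set[Membership]]]) -> Reconciliation:
    """`results` holds what this cycle fetched per group: a member set, or None when
    the directory reported the group does not exist. Groups absent from `results`
    were not queried this cycle and keep their records untouched."""
    out = Reconciliation()
    current: set[Membership] = set()
    for key, members in results.items():
        if members is None:
            out.missing_groups.add(key)  # flag for review rather than deleting records
        else:
            current |= members
    out.added = current - previous
    readable = {k for k, v in results.items() if v is not None}
    out.stale = {m for m in previous - current if (m.source, m.group_id) in readable}
    return out


def groups_of(member_id: str, records: Iterable[Membership]) -> list[GroupKey]:
    """Cross-directory view: every group a member appears in, from any source."""
    return sorted((m.source, m.group_id) for m in records if m.member_id == member_id)


# Constructed snapshots. AD_GROUP_2 is not re-read this cycle; AD_GROUP_1 has vanished.
ENTRA_GROUP = "22222222-2222-2222-2222-222222222222"
AD_GROUP_1 = "S-1-5-21-1-2-3-1201"
AD_GROUP_2 = "S-1-5-21-1-2-3-1202"
PREVIOUS = (
    from_entra(ENTRA_GROUP, [{"@odata.type": "#microsoft.graph.user", "id": "u-001"},
                             {"@odata.type": "#microsoft.graph.user", "id": "u-002"}])
    | from_ad(AD_GROUP_1, [{"objectSid": "S-1-5-21-1-2-3-1104"}])
    | from_ad(AD_GROUP_2, [{"objectSid": "S-1-5-21-1-2-3-1105"}])
)
RESULTS = {
    ("entra", ENTRA_GROUP): from_entra(ENTRA_GROUP, [
        {"@odata.type": "#microsoft.graph.user", "id": "u-001"},
        {"@odata.type": "#microsoft.graph.user", "id": "u-003"},
    ]),
    ("ad", AD_GROUP_1): None,
}

if __name__ == "__main__":
    r = reconcile(PREVIOUS, RESULTS)
    print("added:", r.added)
    print("stale:", r.stale)
    print("missing groups:", r.missing_groups)
```

Distinguishing "queried and not found" from "not queried this cycle" is the part worth getting right: a targeted sync that only reads groups in use must not treat every group it skipped as deleted.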
Sync Scheduling
Member synchronization can be configured with flexible scheduling:
| Setting | Description | Default |
|---|---|---|
| Sync interval | How often background sync runs | 15 minutes |
| Full sync schedule | Complete re-sync of all memberships | Daily (24h) |
| On-demand sync | Manual trigger from admin UI | Available anytime |
Entra Connect Hybrid Sync
In environments using Microsoft Entra Connect (formerly Azure AD Connect), GrantFlow can detect and trigger sync operations:
- When a membership change is detected in AD, GrantFlow can signal the Entra ID connector to refresh its data
- This ensures hybrid environments stay consistent without waiting for the full sync interval
- Hybrid sync triggers respect Entra Connect's own sync schedule to avoid conflicts
Sync Timing and Caching
Member synchronization runs on a schedule to balance data freshness with API efficiency:
| Directory Type | Default Sync Interval | Cache Duration |
|---|---|---|
| Entra ID | Every 15 minutes | 24 hours |
| Active Directory | Every 15 minutes | 24 hours |
INFO
The sync interval applies to the background synchronization process. You can trigger an immediate sync for specific groups through the connector management interface when needed.
Cache Behavior
To optimize performance, GrantFlow caches membership data with the following characteristics:
- Per-item TTL: Each cached membership record has its own expiration time
- Incremental updates: Only changed or expired data is refetched
- DN→SID cache: Active Directory distinguished names are mapped to SIDs with a 24-hour TTL to reduce LDAP lookups
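An added example of the per-item TTL behaviour described above (not GrantFlow code): a small cache in which each DN→SID entry expires on its own clock and a refresh pass refetches only the expired entries. The clock is injected so the demo can jump forward 24 hours; the directory contents are constructed.

```python
"""A per-item TTL cache of the kind described for DN->SID lookups: every entry
carries its own expiry, and a refresh refetches only the entries that have expired.

Added example, not GrantFlow code. The clock is injectable so expiry can be
exercised without waiting; `lookup` stands in for an LDAP read of objectSid.
"""
import time
from typing import Callable, Optional

_MISSING = object()


class TtlCache:
    """Not thread-safe; a sync worker would wrap it in a lock or use one per worker."""

    def __init__(self, ttl_seconds: float, now: Callable[[], float] = time.monotonic):
        self.ttl = ttl_seconds
        self.now = now
        self._items: dict[str, tuple[object, float]] = {}  # key -> (value, expires_at)

    def get(self, key: str, default=None):
        item = self._items.get(key)
        if item is None:
            return default
        value, expires_at = item
        if self.now() >= expires_at:
            del self._items[key]  # expired: drop it and report a miss
            return default
        return value

    def put(self, key: str, value, ttl: Optional[float] = None) -> None:
        self._items[key] = (value, self.now() + (self.ttl if ttl is None else ttl))

    def get_or_fetch(self, key: str, fetch: Callable[[str], object]):
        value = self.get(key, _MISSING)
        if value is _MISSING:
            value = fetch(key)
            self.put(key, value)
        return value

    def refresh_expired(self, fetch: Callable[[str], object]) -> int:
        """Incremental update: refetch only entries past their expiry; returns the count."""
        t = self.now()
        expired = [k for k, (_, exp) in self._items.items() if t >= exp]
        for k in expired:
            self.put(k, fetch(k))
        return len(expired)


# Constructed directory and a demo that counts how many LDAP reads the cache saves.
FAKE_DIRECTORY = {
    "CN=alice,OU=Users,DC=corp,DC=example": "S-1-5-21-1-2-3-1104",
    "CN=bob,OU=Users,DC=corp,DC=example": "S-1-5-21-1-2-3-1105",
}
ALICE_DN, BOB_DN = tuple(FAKE_DIRECTORY)
HOUR = 3600.0


def demo() -> tuple[int, int, int]:
    """Returns (reads after the first hits, entries refetched at 24.5h, total reads)."""
    clock = [0.0]
    reads = [0]

    def lookup(dn: str) -> str:
        reads[0] += 1
        return FAKE_DIRECTORY[dn]

    cache = TtlCache(ttl_seconds=24 * HOUR, now=lambda: clock[0])
    cache.get_or_fetch(ALICE_DN, lookup)   # t = 0h: read from directory
    clock[0] = 23 * HOUR
    cache.get_or_fetch(BOB_DN, lookup)     # t = 23h: read from directory
    cache.get_or_fetch(ALICE_DN, lookup)   # still within alice's TTL: served from cache
    reads_after_hits = reads[0]            # 2
    clock[0] = 24.5 * HOUR
    refetched = cache.refresh_expired(lookup)  # alice expired, bob has 22.5h left -> 1
    return reads_after_hits, refetched, reads[0]  # (2, 1, 3)
```

A 24-hour TTL on DN→SID mappings is safe only because SIDs do not change when an object is renamed or moved; the DN does, which is why the cache is keyed by DN and a renamed object simply becomes a miss.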
Hybrid User Resolution
In environments with both Entra ID and Active Directory, users may appear in both directories. GrantFlow's hybrid user resolution ensures that:
- Users are correctly identified across both directories
- AD Security Identifiers (SIDs) are mapped to Entra ID Object IDs when users are synced
- Notifications and access grants reach the correct user regardless of which directory they're managed in
This resolution happens automatically when processing group memberships, ensuring seamless operation in hybrid identity environments.
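An added example of SID-to-Object-ID resolution (not GrantFlow's resolver). It assumes the tenant is synced with Entra Connect, which populates the Graph user property onPremisesSecurityIdentifier with the account's AD SID; the resolver indexes that property and refuses to guess when a SID matches no Entra object or more than one. The user records are constructed.

```python
"""Resolve on-premises AD users to their Entra ID objects so a membership read
from AD can notify or grant the same person in the cloud.

Added example, not GrantFlow's resolver. It assumes Entra Connect populated each
synced user's `onPremisesSecurityIdentifier` with the AD SID; the user records
below are constructed in the shape Microsoft Graph returns them.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Resolution:
    sid: str
    entra_object_id: Optional[str]  # None when no single Entra object carries this SID
    reason: str                     # "synced", "unsynced" or "ambiguous"


def build_sid_index(entra_users: Iterable[dict]) -> dict[str, list[str]]:
    """SID -> Entra object IDs. A list, so that duplicates are not silently hidden."""
    index: dict[str, list[str]] = {}
    for user in entra_users:
        sid = user.get("onPremisesSecurityIdentifier")
        if sid:  # cloud-only users have no SID and are simply not indexed
            index.setdefault(sid, []).append(user["id"])
    return index


def resolve_sid(sid: str, index: dict[str, list[str]]) -> Resolution:
    ids = index.get(sid, [])
    if len(ids) == 1:
        return Resolution(sid, ids[0], "synced")
    if not ids:
        # account not yet synced, excluded from the sync scope, or an AD-only user
        return Resolution(sid, None, "unsynced")
    # Two Entra objects claiming one SID: never pick one silently for an access grant
    return Resolution(sid, None, "ambiguous")


def resolve_ad_members(member_sids: Iterable[str],
                       entra_users: Iterable[dict]) -> tuple[dict[str, str], list[Resolution]]:
    """Map every AD member SID to an Entra object ID, collecting the ones that failed."""
    index = build_sid_index(entra_users)
    resolved: dict[str, str] = {}
    unresolved: list[Resolution] = []
    for sid in member_sids:
        r = resolve_sid(sid, index)
        if r.entra_object_id is not None:
            resolved[sid] = r.entra_object_id
        else:
            unresolved.append(r)
    return resolved, unresolved


# Constructed Graph user records: two synced users, one cloud-only user, and a
# deliberate duplicate SID to exercise the ambiguous branch.
ENTRA_USERS = [
    {"id": "e-alice", "userPrincipalName": "alice@corp.example", "onPremisesSecurityIdentifier": "S-1-5-21-1-2-3-1104"},
    {"id": "e-bob", "userPrincipalName": "bob@corp.example", "onPremisesSecurityIdentifier": "S-1-5-21-1-2-3-1105"},
    {"id": "e-carol", "userPrincipalName": "carol@corp.example", "onPremisesSecurityIdentifier": None},
    {"id": "e-dave-1", "userPrincipalName": "dave@corp.example", "onPremisesSecurityIdentifier": "S-1-5-21-1-2-3-1106"},
    {"id": "e-dave-2", "userPrincipalName": "dave.old@corp.example", "onPremisesSecurityIdentifier": "S-1-5-21-1-2-3-1106"},
]
AD_MEMBER_SIDS = ["S-1-5-21-1-2-3-1104", "S-1-5-21-1-2-3-1105", "S-1-5-21-1-2-3-1106", "S-1-5-21-1-2-3-1107"]

if __name__ == "__main__":
    resolved, unresolved = resolve_ad_members(AD_MEMBER_SIDS, ENTRA_USERS)
    print(resolved)                                 # {'...1104': 'e-alice', '...1105': 'e-bob'}
    print([(r.sid, r.reason) for r in unresolved])  # [('...1106', 'ambiguous'), ('...1107', 'unsynced')]
```

The unresolved list is what a practitioner wants surfaced: an "unsynced" SID on a privileged group means a notification or grant will silently miss a person until Entra Connect picks the account up, and an "ambiguous" SID should block the grant rather than pick a winner.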
Troubleshooting
Members Not Appearing
If group members aren't showing up as expected:
- Check connector status: Ensure the connector is healthy and the last sync completed successfully
- Verify group is in use: Only groups referenced in PAM policies are synced
- Review connector permissions: The connector service account needs permission to read group memberships (and, for Entra ID, directory role members)
- Check sync timing: Wait for the next sync cycle or trigger a manual sync
Stale Member Data
If membership data appears outdated:
- Trigger manual sync: Use the connector management interface to force a sync
- Check for sync errors: Review the connector job history for failed sync operations
- Verify directory connectivity: Ensure the AD agent (for on-premises) or Entra ID connector has network access
Large Group Performance
For groups with thousands of members:
- Initial sync may take longer; subsequent syncs are incremental
- Consider whether the policy really needs that group, or whether a smaller, purpose-specific group would suffice; only groups referenced in PAM policies are synced, so narrowing the policy also narrows the sync
- Review your group structure to ensure you're not syncing unnecessarily large groups
Best Practices
Use targeted groups: Configure PAM policies to use specific security groups rather than large distribution groups or "all users" groups.
Monitor sync health: Regularly check the connector jobs view to ensure sync operations complete successfully.
Plan for hybrid: If you have both Entra ID and AD, ensure users are properly synchronized between directories for accurate membership resolution.
Review membership regularly: Use the member data as part of your access review process to identify users who may no longer need privileged access.