Frequently Asked Questions
Q: How long does the initial sync take?
A: It depends on the number of users in your Entra ID directory. Users are processed in batches of 100. For most organizations, the initial sync completes within a few minutes.
Q: How quickly do changes in Entra ID appear in ZenQMS?
A: Changes are synced in near real-time via Microsoft Graph change notifications. Most changes appear in ZenQMS within a minute of occurring in Entra ID.
Q: What happens if I update a user directly in ZenQMS?
A: That change will remain in ZenQMS. However, if the same user is later updated in Entra ID, the Entra ID data will overwrite the ZenQMS data for the mapped fields (name, email, title, active status).
Q: Can I re-run the initial sync?
A: Yes. You can redeploy the integration instance to trigger another initial sync.
Q: What happens if the integration is removed?
A: When the integration is deleted, all external_id links between Entra ID and ZenQMS users are cleared. User accounts in ZenQMS are not deleted or otherwise modified. You can redeploy the integration later and it will re-link users.
Q: What if a user in Entra ID is missing required fields?
A: Users without a mail address, given name, surname, or job title will be skipped during sync. Check the integration logs for details on which users were skipped.
Q: Does this integration delete users from ZenQMS?
A: No. Disabling a user account in Entra ID sets them to inactive in ZenQMS. Users are never deleted.
Q: What happens to roles that are not part of a mapping?
A: They are not affected. The integration only manages roles that are explicitly mapped to an Entra ID group. All other role assignments remain unchanged.
Q: What if a ZenQMS role is mapped to multiple Entra ID groups?
A: The integration handles this gracefully. A role is only removed from a user when they are not a member of any of the Entra ID groups mapped to that role. If the user is still in at least one mapped group, the role is kept.
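The role rules in the two answers above, written out as an added example (not ZenQMS code). The function name, role names and group names are constructed for illustration, and it assumes that membership in any mapped group grants the role.

```python
from typing import Dict, Set, Tuple

# Constructed sample mapping: ZenQMS role -> Entra ID groups mapped to it.
SAMPLE_MAPPING: Dict[str, Set[str]] = {
    "Document Approver": {"grp-qa-leads", "grp-site-managers"},
    "Auditor": {"grp-audit"},
}


def reconcile_roles(
    current_roles: Set[str],
    user_groups: Set[str],
    role_to_groups: Dict[str, Set[str]],
) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (final_roles, added, removed) for one user.

    Hypothetical helper: only roles that appear in role_to_groups are
    managed; every other role the user holds is passed through untouched.
    """
    managed = set(role_to_groups)
    # A mapped role is kept (or granted, by assumption) while the user is
    # in at least one of the groups mapped to it.
    entitled = {
        role for role, groups in role_to_groups.items() if groups & user_groups
    }
    added = entitled - current_roles
    # Removal applies only to managed roles with no remaining mapped group.
    removed = (current_roles & managed) - entitled
    final = (current_roles - removed) | added
    return final, added, removed


if __name__ == "__main__":
    # Constructed user: left grp-qa-leads and grp-audit, still a site manager,
    # and holds "Training Admin", which is not part of any mapping.
    final, added, removed = reconcile_roles(
        current_roles={"Document Approver", "Auditor", "Training Admin"},
        user_groups={"grp-site-managers"},
        role_to_groups=SAMPLE_MAPPING,
    )
    print("final:", sorted(final))
    print("added:", sorted(added))
    print("removed:", sorted(removed))
```

When reviewing access, note that roles outside the mapping are never revoked by group changes, so removing a user from every Entra ID group does not by itself strip manually assigned roles.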
Q: Can I disable the integration temporarily?
A: Yes. You can pause or disable the integration instance. While disabled, no events from Entra ID will be processed. Re-enable it when you are ready to resume syncing.
Q: What Microsoft Entra permissions does the integration need?
A: The integration requires three Microsoft Graph Application permissions: User.Read.All (to read user profiles), Group.Read.All (to read groups), and GroupMember.Read.All (to read group memberships). An admin must grant consent for these permissions.
Q: Does the admin who sets up the App Registration need to be a Global Administrator?
A: The admin needs sufficient privileges to create App Registrations and to grant admin consent for the required API permissions. This is typically a Global Administrator or an Application Administrator with consent privileges.
Q: How do I know if the integration is working?
A: Check the execution logs in the integration platform. Each sync event (initial sync, user change notification, group change notification) is logged with its status, including any errors or skipped users.