Microsoft Entra Integration Overview

 

Introduction

The Microsoft Entra ID integration for ZenQMS provides automated, one-way user provisioning and lifecycle management from Microsoft Entra ID (formerly Azure Active Directory) to ZenQMS. Once your Entra ID tenant is connected, user accounts are created, updated, and deactivated in ZenQMS as the corresponding changes occur in your directory. This removes most manual user administration in ZenQMS (inviting users is the exception; see Limitations) and keeps your quality management system aligned with your current workforce.

When the integration is first deployed, it performs an initial synchronization of all users from Entra ID into ZenQMS. After that, the integration listens for real-time change notifications from Microsoft Graph via subscriptions, so any user lifecycle change (new hire, profile update, account disable, or offboarding) is reflected in ZenQMS within moments. Optionally, you can configure group-to-role mapping so that Entra ID group memberships automatically drive ZenQMS role assignments.

This integration is designed for organizations that use Microsoft Entra ID as their authoritative identity provider and want to keep ZenQMS user records in sync without manual intervention. Entra ID remains the single source of truth for all user data.

 

What It Does

This is a one-way sync: data flows from Microsoft Entra ID to ZenQMS only. Changes made directly in ZenQMS are not sent back to Entra ID.

 

Data in Scope

The following user profile fields are mapped from Entra ID to ZenQMS.

Entra ID Field    ZenQMS Field   Notes
id                external_id    Used to link the Entra user to the ZenQMS user
mail              email          Required. Used for matching if external_id is not yet set
givenName         first_name     Required
surname           last_name      Required
jobTitle          title          Required
accountEnabled    is_active      true = Active, false = Inactive

 

Entra ID Account Status Mapping

Entra ID accountEnabled   ZenQMS Status
true                      Active
false                     Inactive

 
 

Group-to-Role Mapping (Optional)

When configured, Entra ID group memberships are mapped to ZenQMS roles:

  • One Entra ID group can map to one or more ZenQMS roles

  • Roles are automatically added when a user is a member of a mapped Entra ID group

  • Roles are automatically removed when a user is no longer a member of a mapped Entra ID group

  • Roles marked as "default" in ZenQMS are never removed by the integration

  • Roles that are not part of any mapping are never touched by the integration

  • When a single ZenQMS role is mapped to multiple Entra ID groups, the integration checks all mapped groups before removing the role. The role is only removed if the user is not a member of any of the mapped groups.

 

User Matching Logic

When syncing a user, the integration determines whether to create or update a ZenQMS user using this priority:

  1. Match by external_id (Entra ID User ID) — if the user has been previously linked

  2. Match by email — if the user exists in ZenQMS but has not yet been linked to Entra ID

  3. No match found — a new user is created in ZenQMS (when Initial Sync is enabled)

 

How Data Flows Between Systems

Initial Sync (runs once when the integration is deployed)

Two initial sync modes are available:

  • Enable Initial Sync = ON (Default): Creates new users in ZenQMS for any unmatched Entra ID users, updates profile data for all matched users, and syncs roles if group-to-role mapping is configured.

  • Enable Initial Sync = OFF: Only links existing ZenQMS users to their Entra ID accounts by matching on email and setting the external_id. Does not create new users or update profile data.
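The mapping table, the matching priority and the two Initial Sync modes above combine into one decision per Entra ID user. The following Python is an added illustration, not ZenQMS's or Microsoft's code: it models that decision against an in-memory stand-in for the ZenQMS user list, using the field names from the mapping table. The sample users, the case-insensitive email comparison and the treatment of a missing accountEnabled value as disabled are assumptions made for the example.

```python
from typing import Optional

# Entra ID attributes the page lists as required; a user missing any is skipped.
REQUIRED_ENTRA_FIELDS = ("mail", "givenName", "surname", "jobTitle")

# Entra ID attribute -> ZenQMS field, as in the data mapping table above.
FIELD_MAP = {
    "id": "external_id",
    "mail": "email",
    "givenName": "first_name",
    "surname": "last_name",
    "jobTitle": "title",
    "accountEnabled": "is_active",
}


def map_entra_user(entra: dict) -> Optional[dict]:
    """Translate one Entra ID user object into ZenQMS fields.

    Returns None when a required attribute is missing or empty (the 'skipped'
    outcome from the Limitations section).
    """
    if any(not entra.get(f) for f in REQUIRED_ENTRA_FIELDS):
        return None
    zen = {FIELD_MAP[k]: entra[k] for k in FIELD_MAP if k in entra}
    # accountEnabled true -> Active, false -> Inactive. Assumption: a missing
    # value is treated as disabled rather than silently activating the account.
    zen["is_active"] = bool(entra.get("accountEnabled", False))
    return zen


def plan_sync(entra: dict, zen_users: list[dict], initial_sync: bool) -> dict:
    """Decide what the integration would do with one Entra ID user.

    zen_users stands in for the ZenQMS user list (in-memory, hypothetical).
    The returned dict carries an 'action':
      'skip'   - a required field is missing
      'update' - matched (by external_id or by email) with Initial Sync ON
      'link'   - matched with Initial Sync OFF: set external_id, touch nothing else
      'create' - no match and Initial Sync ON
      'none'   - no match and Initial Sync OFF
    """
    mapped = map_entra_user(entra)
    if mapped is None:
        return {"action": "skip", "reason": "missing required field"}

    # Priority 1: external_id, i.e. a ZenQMS user already linked to this Entra id.
    match = next((u for u in zen_users if u.get("external_id") == mapped["external_id"]), None)
    matched_by = "external_id" if match else None

    # Priority 2: email, only against users not yet linked to any Entra id, so an
    # existing link is never re-pointed at another account. Assumption: case-insensitive.
    if match is None:
        match = next(
            (u for u in zen_users
             if not u.get("external_id")
             and (u.get("email") or "").lower() == mapped["email"].lower()),
            None,
        )
        matched_by = "email" if match else None

    if match is None:
        if initial_sync:
            return {"action": "create", "user": mapped}
        return {"action": "none", "reason": "no match; Initial Sync OFF creates nothing"}

    if not initial_sync:
        # Link-only mode: write the external_id and leave profile data as it is.
        return {"action": "link", "user": {**match, "external_id": mapped["external_id"]},
                "matched_by": matched_by}

    # Full sync: Entra ID overwrites every mapped field (one-way; Entra is the source of truth).
    return {"action": "update", "user": {**match, **mapped}, "matched_by": matched_by}


# Constructed sample data (not from the page); ids and addresses are made up.
ENTRA_USERS = [
    {"id": "a1", "mail": "ana.ruiz@example.com", "givenName": "Ana", "surname": "Ruiz",
     "jobTitle": "QA Lead", "accountEnabled": True},
    {"id": "b2", "mail": "Bo.Lin@example.com", "givenName": "Bo", "surname": "Lin",
     "jobTitle": "Auditor", "accountEnabled": False},
    {"id": "c3", "mail": "cy.dev@example.com", "givenName": "Cy", "surname": "Dev",
     "jobTitle": "", "accountEnabled": True},
    {"id": "d4", "mail": "dee.new@example.com", "givenName": "Dee", "surname": "New",
     "jobTitle": "Analyst", "accountEnabled": True},
]
ZEN_USERS = [
    # already linked to a1; email and title in ZenQMS are stale
    {"id": 10, "external_id": "a1", "email": "old.address@example.com",
     "first_name": "Ana", "last_name": "Ruiz", "title": "QA", "is_active": True},
    # never linked; can only be matched to b2 by email
    {"id": 11, "external_id": None, "email": "bo.lin@example.com",
     "first_name": "Bo", "last_name": "Lin", "title": "Consultant", "is_active": True},
]


def demo(initial_sync: bool = True) -> dict:
    """Action chosen for each constructed Entra user, keyed by Entra id."""
    return {e["id"]: plan_sync(e, ZEN_USERS, initial_sync)["action"] for e in ENTRA_USERS}
```

Running demo(True) yields update for a1 (by external_id) and b2 (by email), skip for c3 (empty jobTitle) and create for d4; demo(False) yields link, link, skip and none for the same four. The email match deliberately excludes users that already carry an external_id, which mirrors the stated priority order and prevents a second Entra account with a reused address from being attached to an existing ZenQMS user.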

 

Real-Time User Sync (ongoing after deployment)

The User Flow triggers when a user is created or updated in Entra ID. The integration fetches the full user profile from the Microsoft Graph API and then creates or updates the corresponding ZenQMS user.

 

Real-Time Group Sync (ongoing, when role mapping is configured)

The Group Flow triggers when group membership changes in Entra ID. The integration processes the membership delta, maps the affected groups to ZenQMS roles, and adds or removes roles accordingly.
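The rules under Group-to-Role Mapping and the Group Flow described here reduce to one reconciliation step per affected user. The Python below is an added example, not code from ZenQMS or Microsoft: it applies a membership delta and then computes which roles to add and remove while honouring the default-role and multi-group rules. The group ids, role names and the shape of the delta are constructed for the example; the real Microsoft Graph notification payload is not modelled.

```python
# Entra group object id -> ZenQMS role names. Constructed mapping with hypothetical
# names: one group may map to several roles, and one role (Document Viewer here)
# may be mapped from several groups.
GROUP_ROLE_MAP = {
    "grp-qa": {"Quality Approver", "Document Viewer"},
    "grp-auditors": {"Auditor", "Document Viewer"},
    "grp-staff": {"Employee"},
    "grp-training": {"Trainee"},
}

# Roles flagged "default" in ZenQMS; the integration never removes them.
DEFAULT_ROLES = {"Employee"}


def managed_roles(mapping=GROUP_ROLE_MAP):
    """Roles that appear in at least one mapping. Anything else is never touched."""
    return set().union(*mapping.values())


def reconcile_roles(user_groups, current_roles, mapping=GROUP_ROLE_MAP,
                    default_roles=DEFAULT_ROLES):
    """Return (roles_to_add, roles_to_remove) for one user.

    user_groups:   Entra group ids the user belongs to (mapped or not)
    current_roles: roles the user currently holds in ZenQMS
    """
    user_groups, current_roles = set(user_groups), set(current_roles)
    # Desired roles are the union over every mapped group the user is still in,
    # so a role mapped from several groups survives until the user has left all of them.
    desired = set().union(*(mapping.get(g, set()) for g in user_groups))
    to_add = desired - current_roles
    # Only mapped roles are candidates for removal, and default roles never are.
    removable = (current_roles & managed_roles(mapping)) - default_roles
    to_remove = removable - desired
    return to_add, to_remove


def apply_membership_delta(user_groups, delta):
    """Apply a membership delta for one user and return the new group set.

    delta is an iterable of ("added" | "removed", group_id) pairs, a simplified
    stand-in for the member changes a Microsoft Graph group notification reports.
    """
    groups = set(user_groups)
    for change, group_id in delta:
        if change == "added":
            groups.add(group_id)
        elif change == "removed":
            groups.discard(group_id)
        else:
            raise ValueError(f"unknown change type: {change!r}")
    return groups


def demo():
    """Walk one constructed user through three membership changes."""
    groups = {"grp-qa", "grp-auditors", "grp-staff", "grp-unrelated"}
    # "Site Admin" is not in any mapping and must never be added or removed.
    roles = {"Quality Approver", "Auditor", "Document Viewer", "Employee", "Site Admin"}
    results = {}

    # 1. Leaves grp-qa and grp-staff. Quality Approver goes; Document Viewer stays
    #    (still granted via grp-auditors); Employee stays (default role).
    groups = apply_membership_delta(groups, [("removed", "grp-qa"), ("removed", "grp-staff")])
    add, rem = reconcile_roles(groups, roles)
    results["after_leaving_qa_and_staff"] = (add, rem)
    roles = (roles | add) - rem

    # 2. Leaves grp-auditors. No mapped group grants Document Viewer any more, so it
    #    and Auditor are removed; Employee (default) and Site Admin (unmapped) remain.
    groups = apply_membership_delta(groups, [("removed", "grp-auditors")])
    add, rem = reconcile_roles(groups, roles)
    results["after_leaving_auditors"] = (add, rem)
    roles = (roles | add) - rem

    # 3. Joins grp-training: Trainee is added, nothing is removed.
    groups = apply_membership_delta(groups, [("added", "grp-training")])
    add, rem = reconcile_roles(groups, roles)
    results["after_joining_training"] = (add, rem)
    results["final_roles"] = (roles | add) - rem
    return results
```

The removal set is built from the roles the integration manages, so an unmapped role such as Site Admin can never be revoked by a group change, and a default role stays even when the user has left every group that grants it. Recomputing the full desired set from current memberships, rather than acting on the delta alone, is what makes the multi-group rule hold without special cases.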

 

Cleanup (runs when integration is removed)

When the integration instance is deleted, all external_id values that were set by the integration are cleared from ZenQMS user records. This unlinks the Entra ID users from ZenQMS so the integration can be cleanly re-deployed later if needed. Only the external_id link is cleared; the user records and their roles otherwise remain as they were at the time of removal, so review them in ZenQMS directly if the integration is being retired rather than re-deployed.

 

Limitations

  • One-way sync only. Changes made to user profiles directly in ZenQMS will not sync back to Entra ID. If the same user is later updated in Entra ID, the Entra ID data will overwrite the ZenQMS changes for mapped fields.

  • Initial sync syncs all users. The initial sync retrieves every user in your Entra ID directory, so accounts that are not intended ZenQMS users may be created in ZenQMS as well. Setting Enable Initial Sync to OFF avoids this for the initial run (existing ZenQMS users are linked by email and nothing is created); if it is left ON, review the users created by the first sync. The ongoing User Flow likewise runs for every user subsequently created in Entra ID.

  • No password sync. Passwords are not synced. Users authenticate through Entra ID (SSO) or through ZenQMS's own authentication, depending on your setup.

  • Required fields. Users in Entra ID must have a mail address, given name, surname, and job title to be synced. Users missing any of these fields will be skipped.

  • No custom field sync. Only the fields listed in the data mapping table above are synced. Custom Entra ID user attributes are not supported.

  • Users are not sent invitations. Users created by the integration still have to be invited to ZenQMS manually.

 

 
