Group synchronization
To reduce the burden of manual user administration, the Itron Identity Service uses the following method to facilitate group membership synchronization.
- The application administrator maps AAD Security Groups to Itron Application Roles. This is a one-time activity.
- The security administrator routinely adds new users to groups or changes the group memberships of existing users.
- Using scheduled background jobs, Identity detects user accounts that have been recently added to a mapped AAD group, and then ensures that a user-invitation entry (representing the user) is created automatically for each of them.
- Background jobs update role assignments for newly invited users and for existing users whose AAD group memberships have changed.
With the proper configuration settings, AAD will include each user's group membership information in the access token issued at the time of authentication. The Identity Service relies on this information and requires continued read access to the active directory for the following reasons:
- The number of groups that can be included in a token is limited to 200 entries, a limit that some customers already exceed. In such situations, we need to obtain the remaining membership information by calling the AAD directory services directly.
- Retrieving membership information only at authentication time would not allow us to automatically link newly created customers.
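The two mechanisms described above (the scheduled job that invites members of mapped groups and assigns roles, and the fallback to a directory read when a token carries the group-overage marker instead of a `groups` claim) can be shown end to end in a small reconciliation routine. The following is an added example, not Itron's code: the group-to-role map, the token claims, the in-memory invitation and assignment stores, and the `DIRECTORY` stand-in for AAD are all constructed sample data, and `directory_groups` / `members_of_group` are hypothetical replacements for the real directory API calls.

```python
"""Reconcile AAD group membership with application role assignments.

Added illustration; not part of the Itron Identity Service. All data below
is constructed. AAD omits the `groups` claim and instead emits
`_claim_names` / `_claim_sources` when a user is in more groups than the
token limit, so the code falls back to a directory read in that case.
"""

# One-time mapping done by the application administrator (constructed IDs).
GROUP_TO_ROLE = {
    "grp-operators": "Operator",
    "grp-analysts": "Analyst",
    "grp-admins": "Administrator",
}

# Constructed directory stand-in: user object id -> set of group object ids.
DIRECTORY = {
    "user-a": {"grp-operators", "grp-analysts"},
    # user-b is in more than the token limit of groups, so tokens for
    # user-b carry an overage marker rather than a groups claim.
    "user-b": {f"unmapped-{i}" for i in range(250)} | {"grp-admins"},
}


def directory_groups(oid):
    """Hypothetical directory read: groups of one user (AAD/Graph in reality)."""
    return set(DIRECTORY.get(oid, set()))


def members_of_group(group_id):
    """Hypothetical directory read: members of one group."""
    return {oid for oid, groups in DIRECTORY.items() if group_id in groups}


def groups_for_subject(claims, lookup=directory_groups):
    """Group ids for the token subject, honouring the overage marker."""
    if "groups" in claims:
        return set(claims["groups"])
    if claims.get("_claim_names", {}).get("groups"):
        # Overage: token names a claim source instead of listing groups.
        return lookup(claims["oid"])
    return set()


def roles_for(groups):
    """Application roles implied by a set of groups; unmapped groups ignored."""
    return {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}


def plan_role_changes(current, desired):
    """Return (roles to grant, roles to revoke) as sorted lists."""
    return sorted(desired - current), sorted(current - desired)


def ensure_invitation(oid, invitations, email=None):
    """Create the user-invitation entry if it does not exist; True if created."""
    if oid in invitations:
        return False
    invitations[oid] = {"email": email}
    return True


def sync_user(claims, invitations, assignments, lookup=directory_groups):
    """Sync one authenticated user from its token claims."""
    oid = claims["oid"]
    invited = ensure_invitation(oid, invitations, claims.get("preferred_username"))
    desired = roles_for(groups_for_subject(claims, lookup))
    grant, revoke = plan_role_changes(assignments.get(oid, set()), desired)
    assignments[oid] = desired
    return {"invited": invited, "grant": grant, "revoke": revoke}


def scheduled_sync(invitations, assignments, members=members_of_group,
                   lookup=directory_groups):
    """Background job: invite members of mapped groups and refresh their roles."""
    touched = set()
    for group_id in GROUP_TO_ROLE:
        touched |= members(group_id)
    newly_invited = sorted(oid for oid in touched
                           if ensure_invitation(oid, invitations))
    for oid in touched:
        assignments[oid] = roles_for(lookup(oid))
    return newly_invited
```

Design note: `plan_role_changes` makes the job idempotent and auditable, since each run reports exactly which grants and revocations it would apply; logging that diff is the simplest detection signal for unexpected privilege changes caused by a group-mapping edit.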