To successfully update a user's access in the Board Application by replacing their existing AD group with a new one. The following steps are followed.
Step-by-Step Process
1. Remove Existing AD Group
• Sync to Microsoft Entra ID occurs within 15 minutes.
• The SCIM provisioning job, which runs every 40 minutes, updates the Board Application.
• Manual monitoring is required to confirm that the permission group has been removed from the Board Application.
2. Add New AD Group
• Once removal is confirmed, assign the new AD group.
• Sync to Microsoft Entra ID again takes 15 minutes.
• The next SCIM provisioning cycle (within 40 minutes) will push the new group to the Board Application.
Timing Overview
• Total time to switch access: Up to 2 hours.
• Microsoft Entra ID sync: ~15 minutes per change (remove/add).
• SCIM provisioning: Runs every 40 minutes.
Issue Identified
The Board Application enforces a strict limitation. A user can only belong to one permission group at a time. If the new AD group is added before the old one is removed, the provisioning fails. Therefore, the correct sequence removal followed by addition must be strictly maintained.
Recommendation Request
To ensure seamless access updates, we request that:
• Board Application should either:
• Implement logic to handle group replacement gracefully (i.e., remove existing group before adding new one),
or
• Provide guidance or automation recommendations for managing group transitions in Microsoft Entra ID to enforce the correct sequence.
