Genesys Cloud Azure SCIM sync - issues with group visibility

Hi,

We have performed the Azure / SCIM integration to provision new users into Genesys Cloud using the integration:

The sync includes the group membership; groups were created in Genesys Cloud to provide users 'roles'.
The group is used for roles attribution.

The problem was that the roles were first created as visible by owner only.
Azure sync to group was failing until a group was made 'publicly visible'.
Once Azure had added a user to that group, the group could be set back to 'owner visibility' without impacting Azure's capacity to add members.

Is this expected behaviour?

I have raised this with support too.


I'd need some more context to say exactly how this is expected to behave. Generally, group sync with Azure AD is pretty rudimentary, and I'd expect to not be able to sync if the group isn't visible. I'm actually a little surprised it would continue to sync after toggling visibility back off.

Feel free to contact me directly at richard.schott@genesys.com with the details of your care case so we can investigate a little more directly and get you a more definitive answer.

Yes, SCIM only supports Public Groups by design. Changing it after the fact tricks it into working because it is the search that is limited to matching Public only groups.
This might not be documented. I will make sure we check the documentation for these details.

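A simplified model of the behaviour described in the reply above (name search limited to public groups, membership writes addressed by group id), added here as an example and not code from Genesys or Microsoft. The class names, the visibility labels and the provisioner keeping a stored link to the matched group id are assumptions of this model.

```python
# Simplified in-memory model, constructed for illustration only.
from dataclasses import dataclass, field

@dataclass
class Group:
    id: str
    name: str
    visibility: str                    # "public" or "owners" (labels assumed here)
    members: set = field(default_factory=set)

class ScimTarget:
    """Target side: name search matches public groups only; writes go by id."""
    def __init__(self, groups):
        self.groups = {g.id: g for g in groups}

    def search(self, display_name):
        return [g.id for g in self.groups.values()
                if g.name == display_name and g.visibility == "public"]

    def add_member(self, group_id, user):
        self.groups[group_id].members.add(user)   # no visibility check on this path

class Provisioner:
    """Identity-provider side: match a group by name once, then reuse its id."""
    def __init__(self, target):
        self.target = target
        self.linked = {}               # display name -> target group id

    def sync_member(self, display_name, user):
        if display_name not in self.linked:
            hits = self.target.search(display_name)
            if not hits:
                return False           # group not found, so the sync fails
            self.linked[display_name] = hits[0]
        self.target.add_member(self.linked[display_name], user)
        return True

def replay_thread():
    """Replay the sequence from the thread on one constructed group."""
    role = Group("g-1", "Role-Agents", "owners")
    prov = Provisioner(ScimTarget([role]))
    results = [prov.sync_member("Role-Agents", "alice")]      # owner-only: no match
    role.visibility = "public"
    results.append(prov.sync_member("Role-Agents", "alice"))  # matched and linked
    role.visibility = "owners"
    results.append(prov.sync_member("Role-Agents", "bob"))    # works via stored id
    return results, sorted(role.members)
```

In this model visibility only gates discovery, so it does not act as an access control on membership writes. A provisioner that has no stored link for an owner-only group fails again at the search step.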

Hi, Thanks for confirming.
I thought that making the group private would prevent users from needing to chat with these and limit the group to the admin use of defining the roles users would inherit.
Other public groups could be used for internal chats...

So the conclusion is for Azure user provisioning to leave groups as public.

Hi Greg, Richard,

I have a case to make around group visibility.

The customer implementation of the Azure SCIM sync relies on enforcing user roles via group membership. This works well with groups.
However these groups are not really to be used for internal organisation communication or collaboration but uniquely to define roles.
This is the reason I initially created them as private visible by owner, to keep this layer of organisation only visible to a few Genesys Cloud admins (group owners).

Can this feature be kept?
Current way is to set the group as public to allow Azure to sync, 1st time, then change to private.

Thanks,
