Documentation Index
Fetch the complete documentation index at: https://docs.neuraltrust.ai/llms.txt
Use this file to discover all available pages before exploring further.
Manual User Sync
Manual User Sync allows you to import users from Microsoft Entra ID groups with a single click. Unlike SCIM (which syncs automatically), Manual Sync gives you full control over when users are imported.Benefits
- On-demand import: Sync users when you’re ready
- Preview before sync: Review which users will be imported
- Role-based access: Users get roles based on group mappings
- No Azure Enterprise App needed: Uses your existing SSO app registration
Prerequisites
Before using Manual User Sync:- SSO must be configured and working
- Role mappings must be set up
- API permissions must be granted:
User.Read.AllGroupMember.Read.AllGroup.Read.All
Part 1: Set Up Group Mappings
Before syncing users, you need to map Azure AD groups to NeuralTrust roles.Step 1: Open User Sync Settings
- Log in to NeuralTrust as Owner or Admin
- Go to Settings → SSO
- Click the Entra ID User Sync tab
Step 2: Add Group Mappings
- Click Add Group Mapping
- Select an Azure AD group from the dropdown
- Choose the role to assign (Owner, Admin, or Member)
- For Member role, optionally configure product access
- Enable Auto Sync to include in sync operations
- Click Save
If no groups appear in the dropdown, verify that your app registration has
Group.Read.All permission with admin consent granted.Part 2: Preview and Sync Users
Step 1: Preview Sync
- Go to Settings → SSO → Sync Users tab
- Click Preview Sync
- Review the list showing:
- User email and name
- Source Azure AD group(s)
- Role that will be assigned
- Action: Create (new user) or Update (existing user)
Step 2: Execute Sync
- Review the preview carefully
- Click Sync Now
- Wait for the sync to complete
- Check the Synced Users tab to verify imported users
What Happens During Sync
| Scenario | Action |
|---|---|
| New user (not in NeuralTrust) | Account created with mapped role |
| Existing user (already in team) | Role updated if different |
| User removed from Azure group | Not automatically removed — use SCIM for auto-deprovisioning |
| User in multiple mapped groups | Gets role from first matching mapping |
Part 3: View Imported Users
Step 1: Check Synced Users
- Go to Settings → SSO → Synced Users tab
- View all users imported via Manual Sync
- See their assigned roles and source groups
Step 2: Verify in Team Members
- Go to Settings → Team
- Confirm users appear with correct roles
- Verify they can sign in via SSO
Comparison: Manual Sync vs SCIM
| Feature | Manual Sync | SCIM |
|---|---|---|
| Sync trigger | Manual (on-demand) | Automatic (every 40 min) |
| User creation | ✓ | ✓ |
| User updates | ✓ | ✓ |
| User deprovisioning | ✗ Manual removal | ✓ Automatic |
| Azure setup | SSO app only | Separate Enterprise App |
| Best for | Controlled onboarding | Fully automated lifecycle |
Troubleshooting
| Issue | Cause | Solution |
|---|---|---|
| No groups in dropdown | Missing API permissions | Add Group.Read.All and grant admin consent |
| ”No users to sync” | No users in mapped groups | Add users to Azure AD groups, or check group mappings |
| User not synced | Not in any mapped group | Verify user is member of a group with Auto Sync enabled |
| Wrong role assigned | Multiple group memberships | Check mapping order; first match wins |
| Sync failed | Token expired or invalid | Re-test SSO connection, regenerate client secret if needed |
Security Best Practices
- Review before syncing — Always use Preview to verify which users will be imported
- Use Azure AD groups — Manage access through groups, not individual assignments
- Regular audits — Check imported users periodically in the Synced Users tab
- Monitor audit logs — All sync operations are logged in Audit Logs
Related Documentation
- Configure SSO — Set up SSO and role mappings
- Configure SCIM Provisioning — For fully automated user lifecycle
- Audit Logs — Monitor sync and access events
- SIEM Integration — Forward events to your security platform