Skip to main content

Manual User Sync

Manual User Sync allows you to import users from Microsoft Entra ID groups with a single click. Unlike SCIM (which syncs automatically), Manual Sync gives you full control over when users are imported.

Benefits

  • On-demand import: Sync users when you’re ready
  • Preview before sync: Review which users will be imported
  • Role-based access: Users get roles based on group mappings
  • No Azure Enterprise App needed: Uses your existing SSO app registration

Prerequisites

Before using Manual User Sync:
  1. SSO must be configured and working
  2. Role mappings must be set up
  3. API permissions must be granted:
    • User.Read.All
    • GroupMember.Read.All
    • Group.Read.All
Manual User Sync and SCIM Provisioning are alternative approaches. You can use either one, but using both simultaneously may cause conflicts. Choose the method that best fits your workflow.

Part 1: Set Up Group Mappings

Before syncing users, you need to map Azure AD groups to NeuralTrust roles.

Step 1: Open User Sync Settings

  1. Log in to NeuralTrust as Owner or Admin
  2. Go to Settings → SSO
  3. Click the Entra ID User Sync tab

Step 2: Add Group Mappings

  1. Click Add Group Mapping
  2. Select an Azure AD group from the dropdown
  3. Choose the role to assign (Owner, Admin, or Member)
  4. For Member role, optionally configure product access
  5. Enable Auto Sync to include in sync operations
  6. Click Save
Repeat for each group you want to sync.
If no groups appear in the dropdown, verify that your app registration has Group.Read.All permission with admin consent granted.

Part 2: Preview and Sync Users

Step 1: Preview Sync

  1. Go to SettingsSSOSync Users tab
  2. Click Preview Sync
  3. Review the list showing:
    • User email and name
    • Source Azure AD group(s)
    • Role that will be assigned
    • Action: Create (new user) or Update (existing user)

Step 2: Execute Sync

  1. Review the preview carefully
  2. Click Sync Now
  3. Wait for the sync to complete
  4. Check the Synced Users tab to verify imported users

What Happens During Sync

ScenarioAction
New user (not in NeuralTrust)Account created with mapped role
Existing user (already in team)Role updated if different
User removed from Azure groupNot automatically removed — use SCIM for auto-deprovisioning
User in multiple mapped groupsGets role from first matching mapping

Part 3: View Imported Users

Step 1: Check Synced Users

  1. Go to SettingsSSOSynced Users tab
  2. View all users imported via Manual Sync
  3. See their assigned roles and source groups

Step 2: Verify in Team Members

  1. Go to SettingsTeam
  2. Confirm users appear with correct roles
  3. Verify they can sign in via SSO

Comparison: Manual Sync vs SCIM

FeatureManual SyncSCIM
Sync triggerManual (on-demand)Automatic (every 40 min)
User creation
User updates
User deprovisioning✗ Manual removal✓ Automatic
Azure setupSSO app onlySeparate Enterprise App
Best forControlled onboardingFully automated lifecycle

Troubleshooting

IssueCauseSolution
No groups in dropdownMissing API permissionsAdd Group.Read.All and grant admin consent
”No users to sync”No users in mapped groupsAdd users to Azure AD groups, or check group mappings
User not syncedNot in any mapped groupVerify user is member of a group with Auto Sync enabled
Wrong role assignedMultiple group membershipsCheck mapping order; first match wins
Sync failedToken expired or invalidRe-test SSO connection, regenerate client secret if needed

Security Best Practices

  1. Review before syncing — Always use Preview to verify which users will be imported
  2. Use Azure AD groups — Manage access through groups, not individual assignments
  3. Regular audits — Check imported users periodically in the Synced Users tab
  4. Monitor audit logs — All sync operations are logged in Audit Logs