> ## Documentation Index
> Fetch the complete documentation index at: https://docs.neuraltrust.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Manual User Sync

> Synchronize users from Microsoft Entra ID groups on-demand. Import users with role assignments based on group mappings.

# Manual User Sync

Manual User Sync allows you to import users from Microsoft Entra ID groups with a single click. Unlike SCIM (which syncs automatically), Manual Sync gives you full control over when users are imported.

## Benefits

* **On-demand import**: Sync users when you're ready
* **Preview before sync**: Review which users will be imported
* **Role-based access**: Users get roles based on group mappings
* **No Azure Enterprise App needed**: Uses your existing SSO app registration

## Prerequisites

Before using Manual User Sync:

1. [SSO must be configured](/platform/sso) and working
2. [Role mappings must be set up](/platform/sso#part-4-configure-role-mapping-optional)
3. API permissions must be granted:
   * `User.Read.All`
   * `GroupMember.Read.All`
   * `Group.Read.All`

<Warning>
  Manual User Sync and SCIM Provisioning are **alternative approaches**. You can use either one, but using both simultaneously may cause conflicts. Choose the method that best fits your workflow.
</Warning>

***

## Part 1: Set Up Group Mappings

Before syncing users, you need to map Azure AD groups to NeuralTrust roles.

### Step 1: Open User Sync Settings

1. Log in to <a href="https://app.neuraltrust.ai" target="_blank">NeuralTrust</a> as Owner or Admin
2. Go to <a href="https://app.neuraltrust.ai/settings/sso" target="_blank">Settings → SSO</a>
3. Click the **Entra ID User Sync** tab

### Step 2: Add Group Mappings

1. Click **Add Group Mapping**
2. Select an Azure AD group from the dropdown
3. Choose the role to assign (Owner, Admin, or Member)
4. For Member role, optionally configure product access
5. Enable **Auto Sync** to include in sync operations
6. Click **Save**

Repeat for each group you want to sync.

<Note>
  If no groups appear in the dropdown, verify that your app registration has `Group.Read.All` permission with admin consent granted.
</Note>

***

## Part 2: Preview and Sync Users

### Step 1: Preview Sync

1. Go to **Settings** → **SSO** → **Sync Users** tab
2. Click **Preview Sync**
3. Review the list showing:
   * User email and name
   * Source Azure AD group(s)
   * Role that will be assigned
   * Action: **Create** (new user) or **Update** (existing user)

### Step 2: Execute Sync

1. Review the preview carefully
2. Click **Sync Now**
3. Wait for the sync to complete
4. Check the **Synced Users** tab to verify imported users

### What Happens During Sync

| Scenario                        | Action                                                           |
| ------------------------------- | ---------------------------------------------------------------- |
| New user (not in NeuralTrust)   | Account created with mapped role                                 |
| Existing user (already in team) | Role updated if different                                        |
| User removed from Azure group   | **Not automatically removed** — use SCIM for auto-deprovisioning |
| User in multiple mapped groups  | Gets role from first matching mapping                            |

***

## Part 3: View Imported Users

### Step 1: Check Synced Users

1. Go to **Settings** → **SSO** → **Synced Users** tab
2. View all users imported via Manual Sync
3. See their assigned roles and source groups

### Step 2: Verify in Team Members

1. Go to <a href="https://app.neuraltrust.ai/settings/team" target="_blank">**Settings** → **Team**</a>
2. Confirm users appear with correct roles
3. Verify they can sign in via SSO

***

## Comparison: Manual Sync vs SCIM

| Feature                 | Manual Sync           | SCIM                      |
| ----------------------- | --------------------- | ------------------------- |
| **Sync trigger**        | Manual (on-demand)    | Automatic (every 40 min)  |
| **User creation**       | ✓                     | ✓                         |
| **User updates**        | ✓                     | ✓                         |
| **User deprovisioning** | ✗ Manual removal      | ✓ Automatic               |
| **Azure setup**         | SSO app only          | Separate Enterprise App   |
| **Best for**            | Controlled onboarding | Fully automated lifecycle |

***

## Troubleshooting

| Issue                 | Cause                      | Solution                                                   |
| --------------------- | -------------------------- | ---------------------------------------------------------- |
| No groups in dropdown | Missing API permissions    | Add `Group.Read.All` and grant admin consent               |
| "No users to sync"    | No users in mapped groups  | Add users to Azure AD groups, or check group mappings      |
| User not synced       | Not in any mapped group    | Verify user is member of a group with Auto Sync enabled    |
| Wrong role assigned   | Multiple group memberships | Check mapping order; first match wins                      |
| Sync failed           | Token expired or invalid   | Re-test SSO connection, regenerate client secret if needed |

***

## Security Best Practices

1. **Review before syncing** — Always use Preview to verify which users will be imported
2. **Use Azure AD groups** — Manage access through groups, not individual assignments
3. **Regular audits** — Check imported users periodically in the Synced Users tab
4. **Monitor audit logs** — All sync operations are logged in [Audit Logs](/platform/audit-logs)

***

## Related Documentation

* [Configure SSO](/platform/sso) — Set up SSO and role mappings
* [Configure SCIM Provisioning](/platform/scim) — For fully automated user lifecycle
* [Audit Logs](/platform/audit-logs) — Monitor sync and access events
* [Integrations](/platform/alert-integrations) — Forward alert findings to your security platform
