Azure AD sync fails to add users to a group via auto-provisioning if the group has the security_admin role granted.

Release or Environment

  • The instance is on the London release or later.
  • Auto user provisioning with Azure Active Directory is configured.
  • The group into which the user is to be provisioned has the security_admin role assigned.


There have been design changes to the sys_user_role ACL for the READ operation since the London release. As part of this change, we have locked the contains role checks in the ACL for READ operations.


Remove the security_admin role from the group's roles so that the user can be synced/provisioned to the group.

Additional Information

The security_admin role is an elevated privilege role provided with High-Security Settings that lets users create and change access controls and change High-Security Settings.

In the base system, only the default System Administrator (admin) user has the security_admin role. Since it requires elevating privileges, the admin user does not have this role at login. After elevating privileges, the admin user has the security_admin role for the duration of the user session.


Article Information

Last Updated: 2020-09-16 05:22:38