Importing Microsoft Entra groups creates additional users

Article ID: 384426

Updated On: 01-15-2025

Products

IT Management Suite

Issue/Introduction

You are following the document below in order to use the new functionality for importing objects from Microsoft Entra:

Using ITMS with Microsoft Entra:
https://techdocs.broadcom.com/content/dam/broadcom/techdocs/us/en/dita/symantec-security-software/endpoint-security-and-management/it-management-suite/generated-pdfs/Using_IT_Management_Suite_with_Microsoft_Entra.pdf


You have configured the Entra connection to your tenant. When you add a group and sync it in your SMP (Symantec Management Platform) Server, a new user is created. You don't know whether this is expected behavior. These are on-prem accounts synced to your company's tenant, and you would prefer not to have duplicates.

Example of duplicates:

"AZUREAD\JohnDoe"
"John Doe"

Environment

ITMS 8.7.1, 8.7.2, 8.7.3

Cause

This is current functionality; the following use case was not considered originally:
A user is imported both from local AD and from Azure AD. What the two records have in common is an e-mail address (some other attributes also match, such as name and phone, but the e-mail address is the more useful merge key).

This is a common issue we run into with user matching. We use the UserPrincipalName from the claim to match an existing user, e.g. JohnDoe@example.com. The existing user in the SMP Server has its sAMAccountName set as the username, e.g. JohnDoe. No user named JohnDoe@example.com exists in the SMP Server, hence a new (duplicate) user is created.
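As an added illustration (not ITMS code), the following Python models the two matching strategies described above: the 8.7.x comparison of the claim's UserPrincipalName against the stored username, which creates the duplicate, and a merge on the shared e-mail address. The record shapes, the sample users, the "AZUREAD\" prefix on the created name and the case-insensitive comparison are assumptions.

```python
"""Added illustration (not ITMS code): UPN-vs-username matching creates a
duplicate user; matching on the shared e-mail address merges the records."""
from dataclasses import dataclass, field

@dataclass
class SmpUser:
    name: str                 # username stored in the SMP Server, e.g. "JohnDoe"
    email: str
    sources: set = field(default_factory=set)

# Constructed sample: the user already imported from local AD.
EXISTING_USERS = [SmpUser("JohnDoe", "johndoe@example.com", {"AD"})]

# Constructed sample: the claim received when the Entra group is synced.
ENTRA_CLAIM = {
    "userPrincipalName": "JohnDoe@example.com",
    "mail": "JohnDoe@example.com",
    "displayName": "John Doe",
}

def import_claim(users, claim, merge_on_email):
    """Return the user list after importing one claim (input is not modified).
    merge_on_email=False models the 8.7.x behaviour: the UPN is compared with
    the stored username, never equals a sAMAccountName, so a record is added.
    merge_on_email=True uses the e-mail address as merge key (assumed
    case-insensitive, as e-mail lookups normally are)."""
    users = [SmpUser(u.name, u.email, set(u.sources)) for u in users]
    for u in users:
        if merge_on_email:
            matched = u.email.casefold() == claim["mail"].casefold()
        else:
            matched = u.name.casefold() == claim["userPrincipalName"].casefold()
        if matched:
            u.sources.add("Entra")   # existing record is updated, not duplicated
            return users
    # No match: a new user is created. The "AZUREAD\" prefix mirrors the
    # duplicate shown in the article; the exact naming is an assumption.
    local_part = claim["userPrincipalName"].split("@")[0]
    users.append(SmpUser("AZUREAD\\" + local_part, claim["mail"], {"Entra"}))
    return users

def duplicate_emails(users):
    """E-mail addresses present on more than one record: the symptom to check for."""
    seen = {}
    for u in users:
        seen.setdefault(u.email.casefold(), []).append(u.name)
    return {e: names for e, names in seen.items() if len(names) > 1}
```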

Resolution

This use case has been addressed in our next release: ITMS 8.8.

New APIs were created to get the necessary resource keys. The full implementation will be available in the ITMS 8.8 release.

A Pointfix will contain a simplified version of those changes for those customers using the ITMS 8.7.2 and 8.7.3 releases.
See CUMULATIVE POST ITMS 8.7.2 POINT FIXES
See CUMULATIVE POST ITMS 8.7.3 POINT FIXES

After the improvements are applied, new items appear in the SMP Console:

By default, existing AD Import and Cloud AD Import rules have the new check box "Custom resource keys and names" checked.

For more details on how this new “Custom resource keys and names” option works, refer to KB 385966 "Controlling how local AD imported users or Azure AD imported users names are stored in “Symantec_CMDB” database or merged by directoryid resource key".