Operational Defect Database

BugZero found this defect 910 days ago.

WatchGuard Technologies | kA16S000000SNgeSAG

AuthPoint does not update or delete synced Azure Active Directory user accounts

Last update date:

6/1/2023

Affected products:

No affected products provided.

Affected releases:

Any/Unknown

Fixed releases:

All

Description:

Issue

You deleted or changed a user in Azure Active Directory, but when AuthPoint syncs with Azure Active Directory (AD), the user account remains unchanged in AuthPoint. This happens because of an Azure AD bug: for a short time after an administrator modifies a user account in Azure AD, the Azure AD response to information requests from AuthPoint incorrectly indicates that the user has not changed. If AuthPoint syncs with the Azure AD database during that window, the response does not reflect the change and AuthPoint does not know to update the user. AuthPoint then loses the history of the change, and later syncs do not update the user account either, because AuthPoint only asks for changes newer than its last sync. This issue can also cause the initial import of Azure Active Directory users to fail.

Workaround/Solution

The steps below are a temporary workaround. WatchGuard plans to address this issue as part of future improvements to the WatchGuard Cloud Authentication Domains feature, and is enrolled in a private preview program to update its Azure Active Directory experience in 2024. For more information, see Microsoft Private Preview for External MFA Providers.

Before you begin:

- Make sure the Quarantined Users Cleanup setting is not enabled. If AuthPoint is configured to automatically remove quarantined users, disable this setting until the steps below are complete; otherwise the accounts that this procedure deliberately quarantines could be removed before the resync reactivates them.
- Make sure your Azure AD external identity is configured correctly and AuthPoint can connect to Azure AD. To test this, on the External Identities page in AuthPoint, next to the external identity for Azure AD, open the menu and select Check Connection.

To forcefully update the Azure AD user accounts in AuthPoint, you must create a new external identity and run a full synchronization of its Azure AD users. This process requires that all user accounts synced from Azure AD become temporarily quarantined in AuthPoint, and quarantined user accounts cannot authenticate. To avoid disruption of service for end users, perform this workaround after working hours.

To forcefully update and resync Azure AD user accounts in AuthPoint:

1. Create a new Azure AD external identity with the same settings as the existing external identity.
2. Make sure the new external identity is configured correctly and AuthPoint can connect to Azure AD. On the External Identities page, next to the new external identity for Azure AD, open the menu and select Check Connection.
3. Delete the previous Azure AD external identity. When the external identity is deleted, all AuthPoint users synced from Azure AD become quarantined.
4. Next to the new Azure AD external identity, open the menu and select Start Synchronization.

When the synchronization is complete, all quarantined AuthPoint user accounts that still exist in Azure AD become active again, and any Azure AD user accounts that were changed are now updated in AuthPoint. Azure AD user accounts that were deleted remain quarantined in AuthPoint and can now be deleted (synced Azure AD users can only be deleted in AuthPoint if they have the Quarantined user status).
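The failure mode in the description and the reason the full resync above recovers from it can be reproduced with a small model. The following Python is an added illustration for this record, not AuthPoint, Azure AD or Microsoft Graph code: the Directory class, the SyncClient class, the logical clock, the two-tick stale window and the two constructed users (alice and bob) are all assumptions made for the model. It shows a watermark-based delta sync that queries the source during the stale window, gets "no changes", advances its watermark anyway, and never sees the rename or the deletion on later passes; the same sync that simply lands outside the window is fine; and a full resync (quarantine everyone, re-import) picks up the rename and leaves the deleted user quarantined, which is the outcome the workaround describes.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class User:
    oid: str
    upn: str
    last_modified: int      # logical clock tick of the last change
    deleted: bool = False   # tombstone, the way a delta feed reports a deletion


class Directory:
    """Assumed stand-in for the identity source (not Azure AD). For `stale_for`
    ticks after a write, queries are answered from the pre-write snapshot, which
    models the lag the defect description attributes to Azure AD."""

    def __init__(self, stale_for: int):
        self.clock = 0
        self.stale_for = stale_for
        self._current: Dict[str, User] = {}
        self._snapshot: Dict[str, User] = {}
        self._stale_until = -1

    def tick(self, n: int = 1) -> None:
        self.clock += n

    def write(self, oid: str, upn: str, deleted: bool = False) -> None:
        if self.clock >= self._stale_until:        # first write of a new lag window
            self._snapshot = dict(self._current)
        self._current[oid] = User(oid, upn, self.clock, deleted)
        self._stale_until = self.clock + self.stale_for

    def _view(self) -> Dict[str, User]:
        return self._snapshot if self.clock < self._stale_until else self._current

    def changed_since(self, watermark: int) -> Dict[str, User]:
        """Delta query: records modified after the consumer's watermark."""
        return {o: u for o, u in self._view().items() if u.last_modified > watermark}

    def list_live(self) -> Dict[str, User]:
        """Full enumeration of non-deleted users, as a fresh import would use."""
        return {o: u for o, u in self._view().items() if not u.deleted}


class SyncClient:
    """Watermark-based consumer. `status` is 'active' or 'quarantined'."""

    def __init__(self, directory: Directory):
        self.dir = directory
        self.users: Dict[str, User] = {}
        self.status: Dict[str, str] = {}
        self.watermark = -1

    def delta_sync(self) -> int:
        changes = self.dir.changed_since(self.watermark)
        for oid, u in changes.items():
            self.users[oid] = u
            self.status[oid] = "quarantined" if u.deleted else "active"
        # The watermark moves to the source clock even when the response was
        # stale, so a change hidden by the lag is now behind the watermark and
        # no later delta query will ever return it.
        self.watermark = self.dir.clock
        return len(changes)

    def full_resync(self) -> None:
        """Model of the workaround: quarantine every synced user, then re-import;
        users still present become active again, deleted ones stay quarantined."""
        for oid in self.users:
            self.status[oid] = "quarantined"
        for oid, u in self.dir.list_live().items():
            self.users[oid] = u
            self.status[oid] = "active"
        self.watermark = self.dir.clock


def run_scenario(sync_during_lag: bool, resync: bool) -> dict:
    """Constructed scenario: two users imported, then one renamed and one deleted."""
    d = Directory(stale_for=2)
    d.write("u1", "alice@example.test")
    d.write("u2", "bob@example.test")
    d.tick(5)
    c = SyncClient(d)
    c.delta_sync()                                       # initial import, both active
    d.tick(1)
    d.write("u1", "alice.renamed@example.test")          # admin renames u1
    d.write("u2", "bob@example.test", deleted=True)      # admin deletes u2
    d.tick(1)                                            # still inside the stale window
    during = c.delta_sync() if sync_during_lag else None
    d.tick(10)                                           # window has long passed
    after = c.delta_sync()
    if resync:
        c.full_resync()
    return {"seen_during_lag": during, "seen_after_lag": after,
            "u1_upn": c.users["u1"].upn, "u2_status": c.status["u2"]}


if __name__ == "__main__":
    for args in ((True, False), (True, True), (False, False)):
        print(args, run_scenario(*args))
```

In this model the loss is caused by the consumer advancing its watermark to the source clock on an empty (stale) answer; a consumer that only advanced to the newest `last_modified` it actually received would catch the change on the next pass. That is a property of the model, not a statement about how AuthPoint or Azure AD delta queries are implemented, which the record does not describe.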

Status

Resolved
