Forum Discussion
API-driven provisioning field mapping changes resynchronize all users and groups
Wondering if you ever got a resolution for this; we are running into the same issue. Not sure if it's going to affect our entire AD or just the provisioning OU.
- LainRobertson, Sep 17, 2025, Silver Contributor
The scope of impact is any joined user, which on the Active Directory side can be located anywhere - in or outside of the default creation organisational unit.
The default organisational unit is where creations are effected, but if they're then moved elsewhere in the directory outside of that default organisational unit, the synchronisation process still tracks them based on whichever attribute(s) was nominated as the "match objects using this attribute = yes" definition, as shown below:
As an aside, this holds true for both users and groups.
That's the scope question answered.
Moving onto LJohn's second question of what is "changed" in Active Directory, the answer is all attribute mappings where "apply this mapping = always". Conversely, any attribute mapping where "apply this mapping = only during creation" will not be updated.
Generally speaking, nothing should change other than the attribute whose mapping you've updated.
Just to be clear (I'm probably being overly cautious in making this point), if you update an attribute mapping then that is applied to all joined accounts retrospectively (assuming the provisioning rule has the "update" target objects action setting checked). It isn't the case that the updated rule mapping is only applied to new account creations. This is where the "apply this mapping" setting acts as an important determinant.
Cheers,
Lain
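The following is an added example, not part of the thread or of any Microsoft tooling: a pre-change check that reads an exported provisioning schema and lists which target attributes would be re-applied to every joined account. It assumes the export follows the Microsoft Graph synchronization schema shape, and that the portal settings discussed above correspond to `flowType` ("apply this mapping"), `matchingPriority` ("match objects using this attribute") and `flowTypes` (target object actions); the sample schema and its attribute names are constructed.

```python
import json

# Constructed sample shaped like a Graph synchronization schema export;
# the rule name and attribute names are illustrative, not from the thread.
SAMPLE_SCHEMA = json.loads("""
{
  "synchronizationRules": [{
    "name": "API2AD",
    "objectMappings": [{
      "sourceObjectName": "User",
      "targetObjectName": "user",
      "flowTypes": "Add,Update",
      "attributeMappings": [
        {"targetAttributeName": "employeeID", "flowType": "Always", "matchingPriority": 1},
        {"targetAttributeName": "department", "flowType": "Always", "matchingPriority": 0},
        {"targetAttributeName": "parentDistinguishedName", "flowType": "ObjectAddOnly", "matchingPriority": 0}
      ]
    }]
  }]
}
""")

def classify_mappings(schema):
    """Group target attributes by whether a mapping edit reaches joined accounts."""
    report = []
    for rule in schema.get("synchronizationRules", []):
        for om in rule.get("objectMappings", []):
            # Assumption: the "update" target object action appears in flowTypes.
            actions = {a.strip().lower() for a in om.get("flowTypes", "").split(",")}
            updates_on = "update" in actions
            entry = {"object": om.get("targetObjectName"), "updates_enabled": updates_on,
                     "matching": [], "retroactive": [], "not_reapplied": []}
            for am in om.get("attributeMappings", []):
                name = am.get("targetAttributeName")
                # Assumption: matchingPriority > 0 marks a matching attribute.
                if am.get("matchingPriority", 0) > 0:
                    entry["matching"].append(name)
                # Assumption: flowType "Always" is "apply this mapping = always".
                if am.get("flowType") == "Always" and updates_on:
                    entry["retroactive"].append(name)
                else:
                    entry["not_reapplied"].append(name)
            report.append(entry)
    return report

if __name__ == "__main__":
    for e in classify_mappings(SAMPLE_SCHEMA):
        print(json.dumps(e, indent=2))
```

Attributes listed under `retroactive` are the ones an edited mapping would rewrite on joined accounts wherever they sit in the directory; `matching` shows which attributes keep those accounts joined after they are moved.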