We're using Azure AD security groups for authentication (no cache) and we've found that renaming a group in Azure doesn't reflect in Devolutions.
How can we go about making sure that the name is synced correctly with the new name for the same group in Azure?
Hello,
DVLS uses the ObjectID of the group to bind it to the Azure AD group. Even if the name doesn't reflect what you have in Azure, it keeps the same group information.
Here is what I get on my DVLS after renaming the EP_Level3 group to EP_Level3_A
In DVLS User Groups:
On Azure Groups:
When I want to import the group:
I will ask our developer team if they can do something about this scenario in DVLS.
Best regards,
Érica Poirier
Hello Stuart,
We already have an internal ticket opened to improve the Identity Provider synchronization process for the User Groups as we have for the Users. This is planned for version 2024.3 this fall.
Let us know if you have any more questions about this.
Best regards,
Érica Poirier
Coming back to this, I have noticed that this isn't the case for users themselves.
If a user's UPN is changed in Azure, this change doesn't occur in the RDMS user list, which means that there is a mismatch for Azure SSO and the login fails. There is no way to edit the username in the RDMS admin console, so the only solution is to delete their RDMS account so that next time they try to log in it creates a new account.
Hello,
An SQL query can be used to update the username or group name. I will send it to you in a private message.
Best regards,
Érica Poirier
Thanks - that SQL is very helpful - will use that.
Probably something that should be able to be automated as part of a nightly maintenance routine - similar to the log cleanups.
Hello,
Thank you for your feedback.
I'm glad that the query helped to fix the problem while we are waiting for the improvement to be implemented in version 2024.3.
Best regards,
Érica Poirier
Hello,
When updating a username in Azure, we strongly recommend using the Synchronize users from provider(s) button on the Users management page on the DVLS UI.

With this feature, the UPN will be updated automatically without you having to run SQL queries on the database.
Best regards,
Érica Poirier
Thanks Erica, great enhancement.
Would be good if we could schedule this to run automatically - say every 6 hours or something.
It would also be good if users who were marked as deleted in Azure were removed from RDMS as part of this sync.
Hello,
The developer team plans to introduce a synchronization schedule feature for users and user groups in version 2024.3. If a user is deleted from the authentication provider, it will be disabled in DVLS and won't use any license. We cannot provide a date when this will be available, but it's on their improvement list.
Thank you for your collaboration.
Best regards,
Érica Poirier
Hi there,
We are experiencing the same issue where an Active Directory group was renamed, but Devolutions Server is not reflecting the name change. Could you send me the SQL query to fix this? We are running 2024.3.
Thank you,
Kara
Hello,
There is no longer a need to run the query on the SQL database. You can use the Group synchronization tool in Administration - Groups to update the group names.
Let us know if that helps.
Best regards,
Érica Poirier
Thanks Erica, great news.
We've had issues in the past where we rename a group in Azure and it breaks all the permissions so I guess it was using the group name rather than the group ID. Does this process fix that?
When I run the manual sync from Microsoft on groups, it comes up with four groups to delete, and three of those groups definitely exist and have members in them.
Also, getting NaN and can't set time, then when I save it gives errors about invalid time which I can't screenshot quick enough.
The sync scheduler also needs an option to set what to do with accounts that don't match. If I run it manually I get this option, but not for the scheduler.
Hello Stuart,
The permissions now use the IDs of the groups and users, so renaming a group or even a user will not affect the permissions.
Do the 3 groups that the feature identifies as being deleted have the same OID in the DVLS database and in Azure? You can get that information with the following query on the DVLS SQL database. The ObjectID is in the ExternalID column.
SELECT [Name], [UserType], [AuthenticationType], [ExternalId]
FROM [dbo].[UserSecurity]
WHERE UserType = 1 AND AuthenticationType = 8
I cannot replicate this problem on my side for the scheduled sync. What browser are you using? Does it work in an incognito browser session?
Finally, for your other question, as I cannot split your reply to create a post in the Feature request section, would you be kind enough to do it?
Best regards,
Érica Poirier
Nope, the object ID is different for all those groups.
I'm using Firefox - same issue in private tab.
Yep, will post in feature request.
Hello,
Thank you for your feedback.
We use the ObjectID to identify it on the Identity Provider, which is why you get the prompt to delete three of them. Do you know if those groups were recently recreated in Azure?
Best regards,
Érica Poirier
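The ObjectID comparison discussed in the last few posts, as an added example that is not part of the thread and is not Devolutions code: it classifies each DVLS group as in sync, renamed (same ObjectID, new name), ID mismatch (same name, different ObjectID) or missing. It assumes the result of the query above and an Azure group list have been exported as rows with the fields shown; the `reconcile` function and every group except the EP_Level3 rename are constructed for illustration.

```python
# Added example. All group rows below are constructed sample data.

def reconcile(dvls_rows, azure_groups):
    """Classify DVLS groups against Azure groups, keyed on ObjectID.

    dvls_rows: dicts with Name and ExternalId (columns of the query above).
    azure_groups: dicts with id and displayName (assumed export format).
    Returns {DVLS group name: (status, detail)}.
    """
    by_id = {g["id"].strip().lower(): g for g in azure_groups}
    by_name = {g["displayName"].casefold(): g for g in azure_groups}
    report = {}
    for row in dvls_rows:
        name = row["Name"]
        oid = (row.get("ExternalId") or "").strip().lower()
        match = by_id.get(oid)
        if match is not None and match["displayName"] == name:
            report[name] = ("in_sync", oid)
        elif match is not None:
            # Same object, new display name: only the label is stale.
            report[name] = ("renamed", match["displayName"])
        elif name.casefold() in by_name:
            # Same name, different ObjectID: a different object in Azure,
            # so an ID-based sync sees the DVLS group as gone.
            report[name] = ("id_mismatch", by_name[name.casefold()]["id"])
        else:
            report[name] = ("missing", None)
    return report

DVLS_ROWS = [  # constructed; mimics the UserSecurity query output
    {"Name": "EP_Level3", "ExternalId": "0000aaaa-0000-0000-0000-000000000001"},
    {"Name": "EP_Level2", "ExternalId": "0000aaaa-0000-0000-0000-000000000002"},
    {"Name": "EP_Helpdesk", "ExternalId": "0000aaaa-0000-0000-0000-000000000003"},
    {"Name": "EP_Old", "ExternalId": "0000aaaa-0000-0000-0000-000000000004"},
]
AZURE_GROUPS = [  # constructed; GUID case differs on purpose
    {"id": "0000AAAA-0000-0000-0000-000000000001", "displayName": "EP_Level3_A"},
    {"id": "0000AAAA-0000-0000-0000-000000000002", "displayName": "EP_Level2"},
    {"id": "0000bbbb-0000-0000-0000-000000000009", "displayName": "EP_Helpdesk"},
]

if __name__ == "__main__":
    for name, (status, detail) in reconcile(DVLS_ROWS, AZURE_GROUPS).items():
        print(f"{name:12} {status:12} {detail}")
```

Groups reported as `id_mismatch` are the ones to review by hand before accepting a deletion prompt, since the name still exists in Azure under a different ObjectID.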