4
votes

When using the groups delta functionality (described here), group membership changes are not being reported if those changes originate in an on-prem AD environment and sync over to Azure. If those same membership changes originate in Azure, they are properly reported as deltas. Note that adding or deleting users is reported properly. It is specifically membership changes that are not being reported.

These changes also do not appear in the audit trail. This has also been reported here by someone else. The audit trail does indicate that the group whose membership has changed was updated, but all that changed was onPremisesLastSyncTime.

Here are some steps to reproduce:

  • In AD, create users and groups
  • Set up AD Connect to import users and groups to Azure
  • AD Connect syncs
  • Get a groups/delta?$expand=members&$deltaToken=latest&$select=displayName token from Azure
  • Move a synced user into a synced group in AD
  • AD Connect syncs
  • Use the token acquired above
  • Note that no group changes are returned, even though the group membership has changed in Azure
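A small consumer of the groups delta query described above, added here as an example and not code from the original question or answer. It assumes the documented response shape for `GET /groups/delta?$expand=members&$select=displayName`: each changed group carries a `members@delta` array, and removals are marked with an `@removed` property. The Graph HTTP call is injected as a `fetch` function so the example runs offline against constructed sample pages; the `reconcile` helper is an added check that compares delta-tracked membership with a full membership listing, which is how a practitioner would notice membership changes that the delta feed never surfaced (the symptom reported in the question).

```python
"""Track group membership changes from the Microsoft Graph groups delta
query and reconcile them against a full membership snapshot.

Added example; the sample pages below are constructed, and the group and
user ids (g1, g2, u1...) are placeholders, not values from the page."""
from typing import Callable, Dict, List, Set, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
# $deltaToken=latest returns no objects, only a deltaLink to poll from later
INITIAL_URL = (GRAPH + "/groups/delta?$expand=members"
               "&$select=displayName&$deltaToken=latest")

Change = Tuple[str, str, str]          # (group_id, user_id, "added" | "removed")
Membership = Dict[str, Set[str]]      # group_id -> set of member ids


def parse_membership_changes(page: dict) -> List[Change]:
    """Extract membership changes from one delta page."""
    changes: List[Change] = []
    for group in page.get("value", []):
        if "@removed" in group:
            continue  # the group itself was deleted; that is not a membership change
        for member in group.get("members@delta", []):
            action = "removed" if "@removed" in member else "added"
            changes.append((group["id"], member["id"], action))
    return changes


def apply_changes(state: Membership, changes: List[Change]) -> Membership:
    """Fold a list of changes into the locally tracked membership."""
    for gid, uid, action in changes:
        members = state.setdefault(gid, set())
        if action == "added":
            members.add(uid)
        else:
            members.discard(uid)
    return state


def poll_delta(fetch: Callable[[str], dict], url: str,
               state: Membership) -> Tuple[Membership, str]:
    """Follow @odata.nextLink pages until Graph hands back a @odata.deltaLink.
    The returned deltaLink is what you store and use for the next poll."""
    while True:
        page = fetch(url)
        apply_changes(state, parse_membership_changes(page))
        if "@odata.nextLink" in page:
            url = page["@odata.nextLink"]
        else:
            return state, page["@odata.deltaLink"]


def reconcile(tracked: Membership, snapshot: Membership) -> Dict[str, dict]:
    """Compare delta-tracked membership with a full GET /groups/{id}/members
    listing. Any difference is a change the delta feed did not report."""
    report = {}
    for gid in set(tracked) | set(snapshot):
        t, s = tracked.get(gid, set()), snapshot.get(gid, set())
        if t != s:
            report[gid] = {"missing_in_delta": sorted(s - t),
                           "stale_in_delta": sorted(t - s)}
    return report


# Constructed sample responses keyed by request URL (stand-in for real Graph calls).
_TOKEN1 = GRAPH + "/groups/delta?$deltatoken=token1"
_PAGE2 = GRAPH + "/groups/delta?$skiptoken=page2"
SAMPLE_PAGES = {
    INITIAL_URL: {"value": [], "@odata.deltaLink": _TOKEN1},
    _TOKEN1: {"value": [{"id": "g1", "displayName": "Finance",
                         "members@delta": [
                             {"id": "u1"},                                   # added
                             {"id": "u2", "@removed": {"reason": "deleted"}}  # removed
                         ]}],
              "@odata.nextLink": _PAGE2},
    _PAGE2: {"value": [{"id": "g2", "@removed": {"reason": "deleted"}}],  # group gone
             "@odata.deltaLink": GRAPH + "/groups/delta?$deltatoken=token2"},
}


def demo() -> Tuple[Membership, str, Dict[str, dict]]:
    """Run the poll against the constructed pages and reconcile the result."""
    fetch = lambda url: SAMPLE_PAGES[url]
    state, link = poll_delta(fetch, INITIAL_URL, {})      # bootstrap: just a deltaLink
    state, link = poll_delta(fetch, link, {"g1": {"u2"}})  # previously known membership
    # Constructed full listing: u3 joined g1 via a path the delta feed never reported.
    snapshot = {"g1": {"u1", "u3"}}
    return state, link, reconcile(state, snapshot)


if __name__ == "__main__":
    print(demo())
```

Running `reconcile` on a schedule against a full membership listing is the practical safety net here: if a sync-originated change never appears in the delta feed, the report lists it under `missing_in_delta`.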

1 Answer

0
votes

Microsoft Graph Delta endpoint queries the information from Azure AD.

It should have nothing to do with whether the changes are from on-premise or Azure. As long as the changes you made in on-premise have been successfully synced to Azure, you can query for changes through this API, because this information is stored in Azure AD.

Besides, we have tested the scenario you described: delete a user in on-premise AD. The user is then deleted in Azure AD. Microsoft Graph Delta records that this user is deleted, and the membership of the group changes.

Please make sure the synchronization is complete after making changes.

If the issue still exists, it's strongly recommended to raise a support ticket on Azure portal to track your Graph request.