Dynamic IDP Groups: Entra (Office 365)

Using the Dynamic IdP groups functionality reduces the time spent creating groups and manually adding or removing members in two places. Now, you will be able to work with the groups that have already been made within Office 365 and use them for workflows and assignments within Vanta! 

What are Groups?

  • Multiple users with similar responsibilities, tasks, or job descriptions can be grouped.
  • Groups can then be used to assign Checklists to multiple users, making it easier to manage which tasks are assigned to specific people.

Prerequisites 

  • To leverage the connection between Vanta and Entra (Office 365), the Vanta O365 Integration app must be assigned to the desired employees and groups you wish to manage in your Entra ID Admin Center.
    Please see Controlling Scope Through Entra (Office 365) to configure your account before importing IDP groups.

Importing Groups from Entra (Office 365)

  • Select People, then click on the Groups tab
  • Click on the + Add Groups drop down in the top right-hand corner, then select Add from identity providers

  • From here, you will be asked to select which groups you would like brought into Vanta.
    • Select the check box next to the group name to signify that it should be imported.
  • Clicking on the group will allow you to view all detected members.
  • Once you have made your selection, click Add Group in the lower right-hand corner.
  • Click on the newly created group to assign onboarding/offboarding tasks. To apply an existing task set, click on the action button represented as 3 dots.

  • Click Save
  • The imported groups will appear on your groups list with the Source as Entra (Office 365).
  • Checklists for an identity provider imported group can be updated similarly to any other list or group.

Updating Groups in Entra (Office 365)

  • When adding or removing users from groups within Entra, that information will automatically be updated and reflected in Vanta on the next sync.
  • If you don't see the changes reflected immediately, select the action button represented by 3 dots, then click Refresh groups from Entra (Office 365) to force the update.

Reassigning Groups 

  • Once a user is assigned to a group through Entra (Office 365), their group cannot be reassigned from within Vanta.
  • To control the user's group through Vanta, remove the user from the Entra (Office 365) created group or delete the imported group in Vanta.
  • If you want to rename a group imported from Entra (Office 365), the name change must be made within Entra ID and Office 365. Once saved, the name change will also be reflected in Vanta.

Removing Imported Groups

  • The imported group must be deleted to remove an Office 365 group import.
    • To delete a group, open the Groups tab and select the Entra (Office 365) imported group you would like to remove.
    • Select the options menu represented by 3 dots, and select Delete.
  • When this happens, all existing identity provider group users are reassigned to their prior Vanta groups, and the identity provider group is removed from Vanta. The group can always be re-imported if the admin changes their mind.

Please keep in mind that:

    • We do not support IDP groups with more than 8,000 employees. Users will not see groups with more than 8,000 employees show up in the UI when importing groups. 
    • We don't support fetching more than 10,000 groups for our Entra (Office 365) IDP group integration due to rate limits imposed by Microsoft. If a user has 10,000+ groups, only the first 10,000 will be available for import.
    • Changes from identity providers are only reflected when resources are refreshed on a two-hour cadence. Customers can also trigger these refreshes from the group's drawer on the group's page.
    • If a user is in multiple groups in their identity provider and both groups are imported into Vanta, we place the user into the last imported group in Vanta by default. This can subsequently be changed from the people page by editing the group for a user.

 
