Direct-Member Removal in TargetGroup

[dborchers-gc]

Hey @alrios-ms i´ve just see that the GMM-Sync isnt working with direct members inside the targetgroup

When i sync Group A and B to the Group C eveything works perfect. But when i add a direct member to teh Group C he will be removed in the next sync.

Would it be possible to change that in any further update? or make it controllable in the job config?

[danielluo-msft]

Hi @dborchers-gc

The way that GMM works, the destination will always be synced with the users found in all of the source parts so it will overwrite any manual adds / removes that you make in the destination. One way to still support the ability to add manual members would be to create another group D for example that has all of the members that you want to manually add to the group and then update the sync to have Source: A, B, D and Destination: still C. Then you would only add manual members to group D and GMM will continue syncing those members into destination C.

Regards, Dan

[dborchers-gc]

Hi, okay i understand how the GMM works and the workaround with group D would maybe be okay for the most cases.

But how to you get the Changes from the sourcegroups? about the main AAD Logs right? So the GMM will have a look in the logs, saw that there is a change in the source group and apply the changes to the destinationgroup.

I guess there could be two ways to make it possible to have direct members in the destination group - its only a suggestion ;-)

• look at changes inside the destinationgroup who are not created by the Graph-Application (<SolutionAbbreviation>-Graph-<EnvironmentAbbreviation>) and keep them in the dest-group
• if a user is removed from the source-group, remove them from the dest-group, if a user is added to the source group add them to dest-group and everything else will be ignored (so if a user is added or removed from dest group, it will be ignored from the process)

Its only an idea, i know it wouldnt be easy to change the GMM-processes but maybe it could be a good feature

[danielluo-msft]

Hi @dborchers-gc

Yes, this kind of feature is doable, we actually have something similar in the works right now. Regarding the two suggestions

• This would be doable if there are enough requests for a feature like this. For the most part, customers want more peace of mind that the destination group is always accurate according to source groups and that GMM will always keep it that way. As an alternative to the previous proposal of adding group D, you could instead (assuming you only expect additional members to be added to this group and don't expect to remove users often) add group C as a source, so sources: A, B, C and destination: C. But again, this would basically be unable to ever remove users unless they were removed from both source and destination somehow. We have seen behavior like this in a group like a Teams group that people can join or leave at will (the sync period for GMM on this sync would have to be higher so that AAD can update itself for the removals after syncing with Teams).
• We are looking into using deltas instead of fully checking membership so that we can do something like this. Then when source groups have adds / removes, we can get notified and immediately perform our sync to keep the destination up to date in closer-to-real-time rather than every X hours. Although just to be more technically specific, this is performing the sync upon a source update, not just adding / removing based on the update in case we have multiple sources. (For example, if we have sources A, B and destination C: If a user is removed from group A, we don't necessarily remove from C because what if that user still exists in B? Upon adds / removes, we'd still need to check all sources, collect all unique members, and then compare it to previous state.)

Thank you for the feedback, we are definitely looking into adding more functionality for more real-time syncs.