Univention Bugzilla – Bug 56102
configure per group if the group is synced to MS365
Last modified: 2023-06-26 12:30:53 CEST
README.md:

[...]
1. Group synchronization doesn't happen by default. The UCR variable `office365/groups/sync` needs to be activated for this. After changing that UCR variable the Univention Directory Listener needs to be restarted. Group synchronization may put some load on the server, because the selection of which groups to synchronize happens automatically, by checking nested group memberships of user accounts that are enabled for synchronization.
[..]

In an environment with a lot of group memberships per user you probably do not want to sync all groups to Azure in which the (M365 activated) user is.

It should be possible to restrict the sync to a set of groups.
Possible solutions could be
- to implement a white/blacklist mechanism like an LDAP filter (configurable per UCR?)
- or to give a flag to groups like isM365Group=TRUE/FALSE

We should keep in mind that the license information is counted per user and we cannot simply activate full groups (then we miss the information about how many users are activated?).

(In reply to Tim Breidenbach from comment #0)
> It should be possible to restrict the sync to a set of groups.
> Possible solutions could be
> - to implement a white/blacklist mechanism like an LDAP filter (configurable
> per UCR?)
> - or to give a flag to groups like isM365Group=TRUE/FALSE

I don't like the UCR variant for several reasons:
- UCR isn't good at large lists (lists of many groups)
- the information is bound to one UCS instance and not stored globally
- the information is in a different place than the decision which user is synced

So on product level this would need to go into UDM/LDAP.