Directory sync

Once you’ve connected SSO, you can pull users from your identity provider’s directory instead of inviting them one by one. This page covers how imports work, how updates are applied, and what the limits are.

  1. Users page → Add users → Import tab.
  2. Select a connected directory (Google or Microsoft).
  3. InPolicy fetches the user list from the provider. Depending on directory size this takes a few seconds to a minute.
  4. Pick users to import:
    • Search or filter by department.
    • Select individual users, or use Select all to take everyone on the current page or filter (not the whole directory).
  5. Click Import.
  6. InPolicy creates user records, shows a summary (imported / updated / skipped / errors), and you’re done.

The import is a one-shot action. There is no scheduled or automatic sync in the current release — you need to re-run it manually when your directory changes.

For each user, InPolicy stores:

  • Email — the primary key.
  • Name — from the directory’s display name.
  • Avatar URL — if the provider exposes one.
  • Department — optional; some Workspace/Entra tenants expose this field.

Users are created with the default User role. To give someone a higher role (Policy Editor, Policy Lead, Admin), change their role from the Users page after import.

Re-running the import updates existing users:

  • Name, avatar, department are refreshed from the directory.
  • Role is not touched — if you promoted someone to Admin, re-importing won’t demote them.
  • Invitation status is not touched — existing ACTIVE and PENDING users stay as they were.
  • Deactivated users are not reactivated — a user you deactivated will stay deactivated even if they’re still listed in the directory.

New users (in the directory, not yet in InPolicy) are created with PENDING status. They move to ACTIVE the first time they sign in via SSO.

  • Duplicate emails: InPolicy always reconciles by email (the primary key), so one directory user maps to exactly one InPolicy user and a re-import never creates a second record for the same address.
  • Email changed in the directory: the new address is treated as a new user. The old InPolicy record is orphaned (still there with the old email), and it keeps its role and status until you deactivate or delete it. Best practice: if you rename someone at the IdP, update them in InPolicy too.
  • User deleted from the directory: they remain in InPolicy until you deactivate or delete them manually. Directory sync never removes users, so make the InPolicy step part of your offboarding checklist.
  • Batch size: directory fetches are paginated; imports of up to ~10k users work fine. Very large directories may hit the provider’s rate limits — if you see errors, import in filtered chunks (by department, for example).
  • One connection per provider. You can have one Google and one Microsoft connection active on a tenant. Multi-org scenarios need a custom setup.
  • No scheduled sync. Every import is manual. Plan a recurring reminder if your directory changes frequently.

The OAuth refresh token has most likely expired. Go to the Import tab → click the directory → Disconnect → Connect again.

Some providers don't return a user from their list endpoint until that account has been active for a while. Ask the user to sign in to Google/Microsoft first, then retry the import.

Check:

  • Their email domain is on your SSO allowlist.
  • Their status isn’t DEACTIVATED.
  • They’re signing in via the SSO provider — not trying to use a password.

The import shows “0 updated” but I expected changes

A user counts as updated only if at least one synced field (name, avatar, department) differs from the directory value. If everything already matches, the import is a no-op for that user and they are counted as skipped.
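The following Python is an added illustration of the reconciliation rules described on this page (email as the primary key, synced fields refreshed, role and status left alone, nothing removed, and "0 updated" when nothing differs). It is not InPolicy's own code, and the `User` model, the `reconcile` function and the sample data are constructed for the example; the case-insensitive email match is an assumption the page does not state.

```python
from dataclasses import dataclass
from typing import Optional

# Fields that a re-import refreshes from the directory (per the page).
SYNCED_FIELDS = ("name", "avatar_url", "department")


@dataclass
class User:
    email: str
    name: str
    avatar_url: Optional[str] = None
    department: Optional[str] = None
    role: str = "User"        # imported users start with the default role
    status: str = "PENDING"   # PENDING | ACTIVE | DEACTIVATED


def normalize_email(email: str) -> str:
    # Assumption (not stated on the page): the email match ignores
    # letter case and surrounding whitespace.
    return email.strip().lower()


def reconcile(existing: dict[str, User], directory: list[dict]) -> dict:
    """Apply one manual import to `existing` (keyed by email) in place.

    Returns the summary the page describes: imported / updated / skipped / errors.
    Directory users not yet in `existing` are created PENDING with the default
    role; known users get only SYNCED_FIELDS refreshed; role and status are
    never written, and nothing is ever removed.
    """
    summary = {"imported": 0, "updated": 0, "skipped": 0, "errors": 0}
    for entry in directory:
        email, name = entry.get("email"), entry.get("name")
        if not email or not name:
            summary["errors"] += 1          # unusable directory record
            continue
        key = normalize_email(email)
        current = existing.get(key)
        if current is None:
            existing[key] = User(
                email=key,
                name=name,
                avatar_url=entry.get("avatar_url"),
                department=entry.get("department"),
            )                               # role=User, status=PENDING
            summary["imported"] += 1
            continue
        changed = False
        for field in SYNCED_FIELDS:
            if getattr(current, field) != entry.get(field):
                setattr(current, field, entry.get(field))
                changed = True
        # role and status are deliberately untouched here
        summary["updated" if changed else "skipped"] += 1
    return summary


def demo():
    """Constructed scenario covering the edge cases listed on the page."""
    existing = {
        "alice@example.com": User("alice@example.com", "Alice Liddell",
                                  department="Legal", role="Admin", status="ACTIVE"),
        "bob@example.com": User("bob@example.com", "Bob Builder",
                                department="Ops", status="DEACTIVATED"),
        "carol@example.com": User("carol@example.com", "Carol Danvers"),
        "dave@example.com": User("dave@example.com", "Dave Smith", status="ACTIVE"),
    }
    # Constructed directory snapshot: Alice renamed, Bob unchanged, Carol gone,
    # Dave's address changed at the IdP, Erin new, one record with no email.
    directory = [
        {"email": "Alice@Example.com", "name": "Alice L.", "department": "Legal"},
        {"email": "bob@example.com", "name": "Bob Builder", "department": "Ops"},
        {"email": "dave.smith@example.com", "name": "Dave Smith"},
        {"email": "erin@example.com", "name": "Erin Yeager",
         "avatar_url": "https://example.com/erin.png"},
        {"name": "No Email"},
    ]
    first = reconcile(existing, directory)
    second = reconcile(existing, directory)   # re-run with nothing changed
    return existing, first, second


if __name__ == "__main__":
    users, first, second = demo()
    print("first run:", first)
    print("second run:", second)
    for u in users.values():
        print(u)
```

Running `demo()` shows the documented outcomes side by side: Alice is updated but keeps the Admin role and ACTIVE status, Bob stays DEACTIVATED, Carol and the old Dave record survive (one deleted at the IdP, one orphaned by the address change), the new Dave and Erin arrive as PENDING users, and the second run reports 0 updated because every synced field already matches.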