User auto-provisioning with Azure AD / Microsoft Entra ID

Setting up and using the HighQ user auto-provisioning feature with Azure Active Directory / Microsoft Entra ID.
The user auto-provisioning feature enables automatic synchronization of user data from Microsoft Entra ID (formerly Azure AD) to HighQ. It ensures that user updates in Microsoft Entra ID are automatically reflected in HighQ, enhancing security and efficiency.
Key concepts:
  • Microsoft Entra ID (formerly Azure AD) Authentication: Single sign-on (SSO) setup allows users to access HighQ using their own SSO / third-party federation, i.e. work email and password.
  • User Management in Microsoft Entra ID (formerly Azure AD): This automates user creation, activation and deactivation in HighQ based your Microsoft Entra ID.
  • Azure Cloud: The hosting environment for HighQ instances.
Prerequisites:
Before setting up the user auto-provisioning feature, ensure the following:
  1. You have a HighQ instance.
  2. Your HighQ instance is hosted on Azure Cloud.
  3. Your HighQ instance is upgraded to use Thomson Reuters Accounts. More info here.

End-to-end HighQ AAD user auto-provisioning setup

Part I: Professional Services prepare services provided by Thomson Reuters
Part II: Set up your Azure AD account
II.1) Install the application
Thomson Reuters Professional Services will provide the command required to install the Thomson Reuters application in your Azure account.
Run the command to add the Thomson Reuters application to your Azure account.
II.2) Configure HighQ User Sync App
After executing the command, the HighQ User Sync App appears in 'Microsoft Entra ID' under the 'Enterprise applications' section of your tenant.
II.3) Configure Azure AD: Permissions
Navigate to Microsoft Entra ID and select
Enterprise Applications
.
Search for and select the Thomson Reuters application '
eastus2-prod-aadusersyncapp1-spn
'.
Select
Permissions
under the ‘
Security
’ section.
Click
Grant admin consent
to grant the necessary permissions:
Group.Read.All
,
GroupMember.Read.All
and
User.Read.All
A consent pop-up opens, click ‘
Accept
’ to confirm.
A message notifies you each time that the HighQ microservice communicates with your Azure instance:
Microsoft Entra ID message shown when communicating with the HighQ instance for the linked AAD user auto-provisioning
Part III: Provide Tenant ID and Group IDs
Retrieve your Tenant ID and the user Group IDs to sync to HighQ from Azure AD.
Share these details with the Professional Services team
so they can configure your HighQ instance.
Professional Services will add this information to your instance, test the connection and ensure that all groups are recognised.
Options available during setup:
  • Configure reporting: configure how long reports are retained, choose 1 month, 3 months or 6 months.
  • Which AAD Groups to sync. You must share your AAD Group IDs with Professional Services so these can be configured for you. Groups keep the same name in HighQ as in your AAD settings. 
  • The type of Role users have (internal/basic) for each of your AAD synced groups.  Roles can also be set by your HighQ System Admin or System User Admin in the HighQ User Management section.

User Management and sync

System Admins and System User Admins can access AAD-synced users in
System Admin
>
Group Admin
>
Sync with Azure AD
:
  
Group roles including internal and basic.
The
Azure AD user groups selected for sync
window provides the following options:
  • Click
    Force sync now
    to run an ad-hoc sync if you do not want to wait until the next automated sync (which runs every 24 hours at midnight). The system displays a notification while the sync runs. A Sync Report is generated for every sync; forced syncs are listed in ‘Sync Reports’ with the report type ‘Manual’.
  • Select
    Sync reports
    to open the report page. Each time the sync service is run, forced or automatic, a report is produced. Each report lists which groups and users were synced. Also, any errors are detailed. Click
    Download
    to save the report as an Excel file.

User synchronization

The user sync runs automatically every 24 hours, set to run at midnight in your time zone. Each sync produces a report, where you can review the outcome of the sync.
Terminology
  • AAD Group:
    a group that lives on and is managed by your Azure AD account.
  • AAD user:
    a user that lives on and is managed by your Azure AD account.
  • HighQ Synced Group:
    a group created on your HighQ instance as the result of a sync, based on the AAD Groups set up to sync.
  • HighQ Synced User:
    a user created on your HighQ instance as the result of a sync, based on the AAD Groups set up to sync.
  • System Group (HighQ):
    Only HighQ synced Groups and Users are updated during a sync, reflecting the latest set-up in HighQ and the respective AAD Groups and AAD users. 
Entities and Fields
Fields that are updated for
HighQ synced Groups
:
  • Group Name
    : updated to mirror the AAD Group Name.
  • HighQ Role:
    this value can be
    internal
    or
    basic
    . The role mirrors the set-up for that AAD Group sync on HighQ.
Fields that are updated for
HighQ synced Users
:
  • First name:
    supports up to 512 chars. Mirrors AAD User.First_Name.
  • Last name:
    supports up to 512 chars. Mirrors AAD User.Last_Name.
  • Business Phone:
    supports up to 512 chars. Mirrors AAD User.Business_Phone.
  • Email address:
    mirrors AAD User.Email.
  • Job Title:
    supports up to 512 chars. Mirrors AAD User.Job_Title.
  • MemberOf:
    mirrors the AAD User.MemberOf groups for only those AAD Groups that have been selected in HighQ to sync with.
  • Status:
    mirrors whether the user has been deactivated/removed from the AAD set-up.
Key points to consider:
  • Basic
    users have limited permissions and cannot perform administrative tasks such as creating sites or having system admin rights. However, internal users can perform these tasks.
  • The role of a sync user can be changed using the specific user sync interface designed for that purpose. Clients are not permitted to change the role from the general interface, such as the Collaborate UI; they must use the dedicated sync feature interface to make such changes.
  • Please ensure that if you are updating roles via
    API
    , your API version must be v20 or higher to support the 'basic' user role functionality.
  • Also, make sure that the basic user is enabled at the admin level. This setting can be found under configuration and set “
    Enable basic user
    ” to True (the default value is set as false).
    Enable basic user option.
How do my AAD updates translate in HighQ after the sync service run?
Depending on the entity, field and type of update within your AAD, HighQ will interpret and update the HighQ instance Synced Groups and Users.
  • AAD Group was removed:
    if an AAD Group is removed, then on the next sync run, each HighQ Synced Group is converted to a System Group and members of that group (if they are
    only
    members of that group) are switched to inactive in HighQ. These users are also unlinked from the System group.
  • AAD User was removed:
    if an AAD User is removed, then on the next sync, the HighQ Synced User is deactivated and unlinked from the HighQ Synced Group. The user will not be able to access the HighQ instance.
  • AAD Group changes:
    Changes to AAD Groups selected to sync with HighQ is reflected in HighQ as follows:
    • AAD Group Name changed
      : this updates the linked HighQ Synced Group name on the next sync run.
    • AAD Users added to the AAD Group
      : HighQ Sync service validates if the users added to the synced AAD group already exist in HighQ – based on the email address in the HighQ instance Users base. If the user is not found in HighQ, then a new user is created and added as a member of the HighQ Sync group. If the user already existed in HighQ, then the user is added as a member of the HighQ Synced Group.
    • AAD nested Groups change
      : nested AAD Groups synchronised with HighQ. This means that if an AAD Group selected for sync with HighQ has
      nested AAD sub-groups, these are ignored; users in the nested subgroup are also ignored
      . For example, the Sync service syncs AAD_Group_1 and all directly linked members, but ignores any AAD sub-groups (and users in the sub-groups).
  • AAD User changes:
    • First name / Last Name / Business Phone / JobTitle
      : any changes made to AAD on these fields are reflected on the HighQ Synced User on the next sync. 
    • Email
      : changes on the email prefix (everything before the @), are updated for the HighQ Synced user on the next sync. Changes to the email suffix (everything after the @), are not supported via the AAD sync service. Contact Support for alternatives.
    • Status
      : if an AAD user is disabled in AAD, the related HighQ Synced user is deactivated in HighQ. If an AAD user is activated in AAD (and is in a HighQ Synced Group), the related HighQ Synced user will be activated in HighQ.
    • MemberOf
      : Depending on the group the user was added to in AAD, this is reflected in the HighQ synced groups.
    • Picture
      : changes on the AAD User picture are ignored. Picture sync is not currently supported.
  • AAD synced role changes:
    • At HighQ level
      : When an AAD group is synced and its role is changed, for example, from 'basic' to 'internal' or vice versa, the group is first renamed to include a timestamp and converted to a 'system group.' This assumes the role initially created has been removed from the microservice UI. Subsequently, a new group with the updated role is created at the system admin level.
      For example, let's say we have a group named 'abtest3,' which was initially synced as 'internal.' If it is later changed to 'basic,' the system first renames the group by appending a timestamp to differentiate it from its previous state, following the naming convention ‘abtest3_1745313810193 [System group]’. Then, the group is updated to the 'basic' role, following a naming convention like 'abtest3 [Synced basic user group]’.
      Groups changing after roles are changed.
    • At Site level
      : When an AAD synced group's role is changed at the system admin level, such as switching from one role type to another. During this conversion, all users linked to the initial group are unlinked, which means users lose their permissions associated with that group. As a result, these users will no longer have access to the
      Site
      or
      Features
      they were previously able to use.

Which updates on my HighQ instance might be overridden after the sync service run?

If you make certain changes within your HighQ Synced Groups and Users, these might be overridden by the AAD sync.
  • HighQ Sync Group was removed:
    if an AAD Sync Group is deselected from the HighQ Sync Configuration, then on the next sync run the HighQ synced group converts to a system group and all members of that group are rendered inactive. However, any users that belong to
    other
    active HighQ Synced Groups remain active.
  • HighQ Sync User removed:
    This action is restricted.
  • HighQ synced Group changes:
    • Change name: not allowed via HighQ.
    • Change status: not allowed via HighQ.
    • Add/remove members: not allowed via HighQ.
  • HighQ synced User changes:
    • Change status. Although System Admin or System User Admins can only archive HighQ Synced Users; this will be overridden in the next sync if an update for that user in HighQ is triggered by any changes for that user within AAD. 
    • Anonymize HighQ Synced Users is not allowed.
    • Role (internal/basic): Any changes to the user role (internal or basic), will be overridden by the sync AAD group setup.
    • Memberships to System Groups: HighQ synced groups do not allow manually adding users within them. The users in HighQ synced groups are added/removed only via the sync service to reflect your AAD changes.
    • Picture: Sync service will not override the picture manually uploaded for the user within your HighQ.

Questions and answers

Q:
Is any paperwork required to use the new HighQ Azure AD User auto-provisioning?
A:
Yes. This is a brand-new offering, with a separate Sales Policy, and is invoiced separately from the AD Connector / Appliance.
.
Q:
Can I run both the HighQ AD Connector (Appliance)
and
the new HighQ Azure AD User auto-provisioning service on my HighQ instance?
A:
No, you cannot run the services simultaneously.
.
Q:
Can I migrate my Appliance/AD Connector configuration to Azure AD User auto-provisioning?
A:
Currently, this is not supported. We are working to include this feature and target release early 2025.
.
Q:
Can the sync run at a custom frequency on Azure AD user auto-provisioning? (for example, every 2 hours)
A:
Not in phase 1. If there is enough interest, we can add this to a future release. As an alternative to the current 24-hour sync, we offer an ad-hoc manual sync that can be run as needed by the System Admin or the System User Admin via the User Management section.
.
Q:
Can a sync switch a user to Archived or Inactive, as with the existing AD connector?
A:
Not in phase 1. Currently, if an AAD User is removed, then on the next sync, the HighQ Synced User will be deactivated and unlinked from the HighQ Synced Group. Note: the user will be revoked from all HighQ Synced Groups with AAD, but there will be no change in any other (non-synced) group where the user was manually added within HighQ. If there is enough interest, we can add it in a later phase.
.
Q:
Can I archive or anonymize a synced user?
A:
No.
.
Q:
Will the early 2025 release include Basic User syncing?
A:
Yes. With the May 2025 release, you can configure an AAD group so that the corresponding HighQ Synced Group can either be basic or internal. Users in that group will be assigned to the selected status.
.
Q:
Can I set the HighQ Synced Group role to ‘basic’ in System Admin > Group Management > Sync with Azure AD?
A:
Yes, with the implementation of the 'basic' role in May 2025.
.
Q:
Is there an upper or lower limit to the number of users I can sync to my HighQ instance with Azure AD user auto-provisioning?
A:
No, there are no overall limits. However, there is a maximum of 50,000 users per group.
.
Q:
Is it possible to add a user to multiple groups?
A:
Yes, you can add the same users to multiple groups. there are no limitations.
.
Q:
Can I have the same user in two groups (basic &internal)?
A:
Yes, but of the same type. For instance, if a user is added to two different types of groups, one configured with the "basic" role and the other with the "internal" role, the user will receive the "internal" role and will be part of only that group. This means that the user will not be associated with the "basic" group, ensuring that they receive the permissions and access associated with the higher priority "internal" role.
.
Q:
What if I mistakenly remove a user from a group?
A:
You can add the user to the same group and sync the user again.
.
Q:
Can I remove a user from one group and add them to another?
A:
Yes, you can remove a user from one group and add that user to another group.
.
Q:
Is it possible to update user details after syncing?
A:
Yes, you can update user details. Note: for Phase 1 we can only update the following details: Firstname, Lastname, Jobtitle, eMail (
i.e. only the prefix before the @
), Business number, Account enable/disable.
.
Q:
Can I disable users in Azure AD?
A:
Yes, you can disable a user in Azure and, the user will be Archived in HighQ.
.
Q:
What if I change the group name in AAD after the initial sync?
A:
Yes, you can change the name in AAD after sync.
.
Q:
Why is my mobile number not displayed in the correct format?
A:
Currently, the business phone number is consumed as-is in the request body of the HighQ API. For example, if the business phone number is 1555123456, the HighQ API works fine. However, if the number is formatted like 1-555-123456 (country code - area code - number), the HighQ API does not accept it. In such cases, the service converts the number to a format supported by the HighQ API, i.e. 1$555$123456.
Without converting, the format would be 1555123456:
By converting the number to the format allowed by the HighQ API, it becomes 1$555$123456 (future phase):

Related content