The user auto-provisioning feature enables automatic synchronization of user data from Microsoft Entra ID (formerly Azure AD) to HighQ. It ensures that user updates in Microsoft Entra ID are automatically reflected in HighQ, enhancing security and efficiency.
This topic is only for
Microsoft Entra ID (formerly Azure AD) integration
. Active Directory user management and provisioning are supported by the
on-premises Active Directory connector.
Key concepts:
Microsoft Entra ID (formerly Azure AD) Authentication: Single sign-on (SSO) setup allows users to access HighQ using their own SSO / third-party federation, i.e. work email and password.
User Management in Microsoft Entra ID (formerly Azure AD): This automates user creation, activation and deactivation in HighQ based your Microsoft Entra ID.
Azure Cloud: The hosting environment for HighQ instances.
Before setting up the user auto-provisioning feature, ensure the following:
You have a HighQ instance.
Your HighQ instance is hosted on Azure Cloud.
Your HighQ instance is upgraded to use Thomson Reuters Accounts. More info
here.
Until early 2025 – existing instances that use the Appliance AD connector, cannot leverage Azure AD. Work is in progress to support migration in HighQ from AD to AAD.
End-to-end HighQ AAD user auto-provisioning setup
Part I: Professional Services prepare services provided by Thomson Reuters
HighQ Professional Services configure all required services on the Thomson Reuters side:
Run a Thomson Reuters application in your Azure account
Establish connectivity
Provide permissions
Part II: Set up your Azure AD account
II.1) Install the application
Thomson Reuters Professional Services will provide the command required to install the Thomson Reuters application in your Azure account.
Run the command to add the Thomson Reuters application to your Azure account.
II.2) Configure HighQ User Sync App
After executing the command, the HighQ User Sync App appears in 'Microsoft Entra ID' under the 'Enterprise applications' section of your tenant.
II.3) Configure Azure AD: Permissions
Navigate to Microsoft Entra ID and select
Enterprise Applications
.
Search for and select the Thomson Reuters application '
eastus2-prod-aadusersyncapp1-spn
'.
Select
Permissions
under the ‘
Security
’ section.
Click
Grant admin consent
to grant the necessary permissions:
Group.Read.All
,
GroupMember.Read.All
and
User.Read.All
A consent pop-up opens, click ‘
Accept
’ to confirm.
A message notifies you each time that the HighQ microservice communicates with your Azure instance:
Part III: Provide Tenant ID and Group IDs
Retrieve your Tenant ID and the user Group IDs to sync to HighQ from Azure AD.
Share these details with the Professional Services team
so they can configure your HighQ instance.
Professional Services will add this information to your instance, test the connection and ensure that all groups are recognised.
It is possible to check how many users would be synced per group
before
running the sync. This helps to double-check expectations are met before users are synced.
Options available during setup:
Configure reporting: configure how long reports are retained, choose 1 month, 3 months or 6 months.
Which AAD Groups to sync. You must share your AAD Group IDs with Professional Services so these can be configured for you. Groups keep the same name in HighQ as in your AAD settings.
The type of Role users have (internal/basic) for each of your AAD synced groups. Roles can also be set by your HighQ System Admin or System User Admin in the HighQ User Management section.
As of May 2025, the “basic” role has been introduced to AAD synced users. This enhancement enables users to configure new groups with the 'Basic' role, providing the ability not only to change roles but also to create and set up new groups with this role.
This can be achieved at the AAD configuration level, and once the group is created, users can switch the roles from the system admin level, provided the synchronization is completed.
Certain configuration options are only available to Professional Services, in future releases additional options will be available in HighQ System Admin.
User Management and sync
System Admins and System User Admins can access AAD-synced users in
System Admin
>
Group Admin
>
Sync with Azure AD
:
The
Azure AD user groups selected for sync
window provides the following options:
Click
Force sync now
to run an ad-hoc sync if you do not want to wait until the next automated sync (which runs every 24 hours at midnight). The system displays a notification while the sync runs. A Sync Report is generated for every sync; forced syncs are listed in ‘Sync Reports’ with the report type ‘Manual’.
Select
Sync reports
to open the report page. Each time the sync service is run, forced or automatic, a report is produced. Each report lists which groups and users were synced. Also, any errors are detailed. Click
Download
to save the report as an Excel file.
User synchronization
The user sync runs automatically every 24 hours, set to run at midnight in your time zone. Each sync produces a report, where you can review the outcome of the sync.
Only users and groups synced with AAD are always classed as internal to the HighQ instance, rather than external.
AAD Group:
a group that lives on and is managed by your Azure AD account.
AAD user:
a user that lives on and is managed by your Azure AD account.
HighQ Synced Group:
a group created on your HighQ instance as the result of a sync, based on the AAD Groups set up to sync.
HighQ Synced User:
a user created on your HighQ instance as the result of a sync, based on the AAD Groups set up to sync.
System Group (HighQ):
Only HighQ synced Groups and Users are updated during a sync, reflecting the latest set-up in HighQ and the respective AAD Groups and AAD users.
Fields that are updated for
HighQ synced Groups
:
Group Name
: updated to mirror the AAD Group Name.
HighQ Role:
this value can be
internal
or
basic
. The role mirrors the set-up for that AAD Group sync on HighQ.
Fields that are updated for
HighQ synced Users
:
First name:
supports up to 512 chars. Mirrors AAD User.First_Name.
Last name:
supports up to 512 chars. Mirrors AAD User.Last_Name.
Business Phone:
supports up to 512 chars. Mirrors AAD User.Business_Phone.
Email address:
mirrors AAD User.Email.
Job Title:
supports up to 512 chars. Mirrors AAD User.Job_Title.
MemberOf:
mirrors the AAD User.MemberOf groups for only those AAD Groups that have been selected in HighQ to sync with.
Status:
mirrors whether the user has been deactivated/removed from the AAD set-up.
Basic
users have limited permissions and cannot perform administrative tasks such as creating sites or having system admin rights. However, internal users can perform these tasks.
The role of a sync user can be changed using the specific user sync interface designed for that purpose. Clients are not permitted to change the role from the general interface, such as the Collaborate UI; they must use the dedicated sync feature interface to make such changes.
Please ensure that if you are updating roles via
API
, your API version must be v20 or higher to support the 'basic' user role functionality.
You may encounter unintended outcomes if user roles are changed (either via the Collaborate UI or API). The user making the change is responsible for the impact of any changes. If further assistance is required, please contact HighQ support.
Also, make sure that the basic user is enabled at the admin level. This setting can be found under configuration and set “
Enable basic user
” to True (the default value is set as false).
How do my AAD updates translate in HighQ after the sync service run?
Depending on the entity, field and type of update within your AAD, HighQ will interpret and update the HighQ instance Synced Groups and Users.
AAD Group was removed:
if an AAD Group is removed, then on the next sync run, each HighQ Synced Group is converted to a System Group and members of that group (if they are
only
members of that group) are switched to inactive in HighQ. These users are also unlinked from the System group.
If an AAD Group is removed, any members that belong to another HighQ Synced Group remain active. Additionally, there is no change to other (non-synced) groups where a user was manually added in HighQ.
AAD User was removed:
if an AAD User is removed, then on the next sync, the HighQ Synced User is deactivated and unlinked from the HighQ Synced Group. The user will not be able to access the HighQ instance.
The user is removed from all HighQ Groups with synced AAD, However, there is no change in other (non-synced) groups where the user was manually added in HighQ.
AAD Group changes:
Changes to AAD Groups selected to sync with HighQ is reflected in HighQ as follows:
AAD Group Name changed
: this updates the linked HighQ Synced Group name on the next sync run.
AAD Users added to the AAD Group
: HighQ Sync service validates if the users added to the synced AAD group already exist in HighQ – based on the email address in the HighQ instance Users base. If the user is not found in HighQ, then a new user is created and added as a member of the HighQ Sync group. If the user already existed in HighQ, then the user is added as a member of the HighQ Synced Group.
AAD nested Groups change
: nested AAD Groups synchronised with HighQ. This means that if an AAD Group selected for sync with HighQ has
nested AAD sub-groups, these are ignored; users in the nested subgroup are also ignored
. For example, the Sync service syncs AAD_Group_1 and all directly linked members, but ignores any AAD sub-groups (and users in the sub-groups).
First name / Last Name / Business Phone / JobTitle
: any changes made to AAD on these fields are reflected on the HighQ Synced User on the next sync.
Email
: changes on the email prefix (everything before the @), are updated for the HighQ Synced user on the next sync. Changes to the email suffix (everything after the @), are not supported via the AAD sync service. Contact Support for alternatives.
Status
: if an AAD user is disabled in AAD, the related HighQ Synced user is deactivated in HighQ. If an AAD user is activated in AAD (and is in a HighQ Synced Group), the related HighQ Synced user will be activated in HighQ.
MemberOf
: Depending on the group the user was added to in AAD, this is reflected in the HighQ synced groups.
Picture
: changes on the AAD User picture are ignored. Picture sync is not currently supported.
At HighQ level
: When an AAD group is synced and its role is changed, for example, from 'basic' to 'internal' or vice versa, the group is first renamed to include a timestamp and converted to a 'system group.' This assumes the role initially created has been removed from the microservice UI. Subsequently, a new group with the updated role is created at the system admin level.
For example, let's say we have a group named 'abtest3,' which was initially synced as 'internal.' If it is later changed to 'basic,' the system first renames the group by appending a timestamp to differentiate it from its previous state, following the naming convention ‘abtest3_1745313810193 [System group]’. Then, the group is updated to the 'basic' role, following a naming convention like 'abtest3 [Synced basic user group]’.
When a group's role is changed from 'basic' to 'internal,' the naming convention will simply be 'Group name [Synced Group].'
At Site level
: When an AAD synced group's role is changed at the system admin level, such as switching from one role type to another. During this conversion, all users linked to the initial group are unlinked, which means users lose their permissions associated with that group. As a result, these users will no longer have access to the
Site
or
Features
they were previously able to use.
Which updates on my HighQ instance might be overridden after the sync service run?
If you make certain changes within your HighQ Synced Groups and Users, these might be overridden by the AAD sync.
HighQ Sync Group was removed:
if an AAD Sync Group is deselected from the HighQ Sync Configuration, then on the next sync run the HighQ synced group converts to a system group and all members of that group are rendered inactive. However, any users that belong to
other
active HighQ Synced Groups remain active.
HighQ Sync User removed:
This action is restricted.
HighQ synced Group changes:
Change name: not allowed via HighQ.
Change status: not allowed via HighQ.
Add/remove members: not allowed via HighQ.
HighQ synced User changes:
Change status. Although System Admin or System User Admins can only archive HighQ Synced Users; this will be overridden in the next sync if an update for that user in HighQ is triggered by any changes for that user within AAD.
Anonymize HighQ Synced Users is not allowed.
Role (internal/basic): Any changes to the user role (internal or basic), will be overridden by the sync AAD group setup.
Memberships to System Groups: HighQ synced groups do not allow manually adding users within them. The users in HighQ synced groups are added/removed only via the sync service to reflect your AAD changes.
Picture: Sync service will not override the picture manually uploaded for the user within your HighQ.
Questions and answers
Q:
Is any paperwork required to use the new HighQ Azure AD User auto-provisioning?
A:
Yes. This is a brand-new offering, with a separate Sales Policy, and is invoiced separately from the AD Connector / Appliance.
Q:
Can I run both the HighQ AD Connector (Appliance)
and
the new HighQ Azure AD User auto-provisioning service on my HighQ instance?
A:
No, you cannot run the services simultaneously.
Q:
Can I migrate my Appliance/AD Connector configuration to Azure AD User auto-provisioning?
A:
Currently, this is not supported. We are working to include this feature and target release early 2025.
Q:
Can the sync run at a custom frequency on Azure AD user auto-provisioning? (for example, every 2 hours)
A:
Not in phase 1. If there is enough interest, we can add this to a future release. As an alternative to the current 24-hour sync, we offer an ad-hoc manual sync that can be run as needed by the System Admin or the System User Admin via the User Management section.
Q:
Can a sync switch a user to Archived or Inactive, as with the existing AD connector?
A:
Not in phase 1. Currently, if an AAD User is removed, then on the next sync, the HighQ Synced User will be deactivated and unlinked from the HighQ Synced Group. Note: the user will be revoked from all HighQ Synced Groups with AAD, but there will be no change in any other (non-synced) group where the user was manually added within HighQ. If there is enough interest, we can add it in a later phase.
Q:
Can I archive or anonymize a synced user?
Q:
Will the early 2025 release include Basic User syncing?
A:
Yes. With the May 2025 release, you can configure an AAD group so that the corresponding HighQ Synced Group can either be basic or internal. Users in that group will be assigned to the selected status.
Q:
Can I set the HighQ Synced Group role to ‘basic’ in System Admin > Group Management > Sync with Azure AD?
A:
Yes, with the implementation of the 'basic' role in May 2025.
Q:
Is there an upper or lower limit to the number of users I can sync to my HighQ instance with Azure AD user auto-provisioning?
A:
No, there are no overall limits. However, there is a maximum of 50,000 users per group.
Q:
Is it possible to add a user to multiple groups?
A:
Yes, you can add the same users to multiple groups. there are no limitations.
Q:
Can I have the same user in two groups (basic &internal)?
A:
Yes, but of the same type. For instance, if a user is added to two different types of groups, one configured with the "basic" role and the other with the "internal" role, the user will receive the "internal" role and will be part of only that group. This means that the user will not be associated with the "basic" group, ensuring that they receive the permissions and access associated with the higher priority "internal" role.
Q:
What if I mistakenly remove a user from a group?
A:
You can add the user to the same group and sync the user again.
Q:
Can I remove a user from one group and add them to another?
A:
Yes, you can remove a user from one group and add that user to another group.
Q:
Is it possible to update user details after syncing?
A:
Yes, you can update user details. Note: for Phase 1 we can only update the following details: Firstname, Lastname, Jobtitle, eMail (
i.e. only the prefix before the @
), Business number, Account enable/disable.
Q:
Can I disable users in Azure AD?
A:
Yes, you can disable a user in Azure and, the user will be Archived in HighQ.
Q:
What if I change the group name in AAD after the initial sync?
A:
Yes, you can change the name in AAD after sync.
Q:
Why is my mobile number not displayed in the correct format?
A:
Currently, the business phone number is consumed as-is in the request body of the HighQ API. For example, if the business phone number is 1555123456, the HighQ API works fine. However, if the number is formatted like 1-555-123456 (country code - area code - number), the HighQ API does not accept it. In such cases, the service converts the number to a format supported by the HighQ API, i.e. 1$555$123456.
Without converting, the format would be 1555123456:
By converting the number to the format allowed by the HighQ API, it becomes 1$555$123456 (future phase):