Quick Answer
Microsoft Entra ID sync failures occur when a configuration, credential, or group issue prevents a sync from running. The process stops and notifies the administrator rather than continuing with incomplete or misleading results.
Overview
Microsoft Entra ID sync failures occur when the platform detects issues that prevent a reliable sync from completing. Instead of proceeding with partial or incorrect results, the system stops processing and alerts the administrator.
These failures are typically related to configuration setup, expired credentials, or group configuration issues. Administrators encounter these during Sync Overview or Sync Now workflows in the Admin Portal.
Key Concepts
Sync Failure
A sync failure occurs when the platform detects a blocking issue during a sync process. When this happens, the sync does not proceed, and the administrator is notified so the issue can be resolved before retrying.
Configuration/Settings Issue
A configuration issue refers to a problem with how Microsoft Entra ID has been set up in the platform. This can include missing settings, incorrect values, or expired credentials that prevent the integration from functioning.
Group Configuration
Group configuration defines which Entra ID groups are used for synchronization. If groups are missing, invalid, or misconfigured, the platform cannot determine which users should be included in the sync.
Client Secret
The client secret is a credential used to authenticate the integration with Microsoft Entra ID. If the client secret expires or is invalid, the platform cannot access directory data.
Failure Notification
A failure notification is an alert shown in-platform (and optionally via email) when a sync cannot proceed. It provides visibility into the issue so the administrator can take corrective action.
How it Works
During setup, an administrator grants Microsoft Graph permissions to Pinnacle Series using admin consent. This allows the platform to read user and group data from Microsoft Entra ID.
Once granted, the integration can:
- Retrieve users from the directory
- Retrieve group membership information
- Support Sync Overview and Sync Now workflows
The integration reads this data to determine which users and groups are available for synchronization. It does not create, modify, or delete users in Microsoft Entra ID.
Because the permissions apply at the tenant level, the integration has visibility across the directory, even if only specific groups are selected for sync within the platform.
Limits and Constraints
- The integration requires Microsoft Graph application permissions. Required permissions include:
  - User.Read.All
  - GroupMember.Read.All
Permissions are granted at the tenant level and cannot be scoped to a single group. Admin consent is required before the integration can be used. The integration provides read-only access to directory data. Some enterprise security teams may reject tenant-wide permissions based on internal IAM or least-privilege policies.
Common Questions
Why does the integration require Microsoft Graph permissions?
The integration needs to read user and group data from Microsoft Entra ID so administrators can configure and run synchronization processes.
Can these permissions be limited to a specific group?
No. The required Microsoft Graph permissions are granted at the tenant level and cannot be scoped to a single group.
Does this integration modify data in Microsoft Entra ID?
No. The integration uses read-only access to retrieve user and group information and does not create, update, or delete directory objects.
Why might a security team reject these permissions?
Some organizations require tightly scoped access based on least-privilege principles. Tenant-wide permissions may be flagged during security reviews, even when access is read-only.
What happens if the client secret expires?
If the client secret expires, the platform can no longer authenticate with Microsoft Entra ID. As a result, sync processes will fail and will not proceed until a new client secret is configured.
How do I know if my client secret has expired?
If the client secret is expired or invalid, the sync process will fail and trigger a notification. This is typically accompanied by an error indicating that authentication with Microsoft Entra ID could not be completed.
Where do I update the client secret?
The client secret must be updated in the Microsoft Entra ID integration settings within the Admin Portal. You will need to generate a new client secret in Microsoft Entra ID and replace the existing value.
Do I need to reconfigure the entire integration if the client secret expires?
No. You only need to generate a new client secret in Microsoft Entra ID and update it in the platform. Once updated, sync processes can resume normally.
How often does the client secret expire?
Client secret expiry is controlled by Microsoft Entra ID and depends on the duration selected when the secret is created. Administrators should monitor expiry dates and renew the secret before it expires to avoid disruption.
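As an added example (not Pinnacle Series code), the following Python pre-flight check models the stop-and-notify behaviour described under How it Works and in the client-secret questions above: it refuses to sync when the client secret has expired, a required Graph permission lacks admin consent, or a configured group no longer exists, and it warns when the secret is about to expire. The function names, the 30-day warning window and the sample inputs are assumptions; the passwordCredentials/endDateTime shape follows the Microsoft Graph application object.

```python
# Added example, not Pinnacle Series code: a pre-flight check that mirrors the
# stop-and-notify behaviour the page describes for expired client secrets, missing
# Graph permissions and invalid group configuration. Inputs are constructed samples.
from datetime import datetime, timezone

REQUIRED_GRAPH_PERMISSIONS = {"User.Read.All", "GroupMember.Read.All"}  # listed on the page

def check_client_secrets(password_credentials, now, warn_days=30):
    """Block if no secret is valid at `now`; warn when the newest one expires soon."""
    ends = [datetime.fromisoformat(c["endDateTime"].replace("Z", "+00:00"))
            for c in password_credentials]
    valid = [e for e in ends if e > now]
    if not valid:
        return "block", "client secret expired or missing: Entra ID authentication will fail"
    days_left = (max(valid) - now).days
    if days_left < warn_days:
        return "warn", f"client secret expires in {days_left} days; renew it before then"
    return "ok", "client secret valid"

def check_permissions(granted_app_permissions):
    """Block if a required Graph application permission lacks admin consent."""
    missing = REQUIRED_GRAPH_PERMISSIONS - set(granted_app_permissions)
    if missing:
        return "block", "admin consent missing for: " + ", ".join(sorted(missing))
    return "ok", "required Graph permissions granted"

def check_groups(configured_group_ids, directory_group_ids):
    """Block if no sync group is configured or a configured group is not in the directory."""
    if not configured_group_ids:
        return "block", "no sync groups configured"
    unknown = sorted(set(configured_group_ids) - set(directory_group_ids))
    if unknown:
        return "block", "configured groups not found in directory: " + ", ".join(unknown)
    return "ok", "sync groups resolved"

def preflight(app, granted, configured_groups, directory_groups, now):
    """Run every check; the sync may proceed only when nothing is blocking."""
    results = [check_client_secrets(app["passwordCredentials"], now),
               check_permissions(granted),
               check_groups(configured_groups, directory_groups)]
    return {"can_sync": all(status != "block" for status, _ in results), "results": results}

# Constructed sample: one expired secret, one expiring in 9 days, one missing permission, one stale group.
SAMPLE_APP = {"passwordCredentials": [{"endDateTime": "2024-01-01T00:00:00Z"},
                                      {"endDateTime": "2024-06-10T00:00:00Z"}]}
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_GRANTED = ["User.Read.All"]
SAMPLE_GROUPS, SAMPLE_DIRECTORY = ["grp-sales", "grp-deleted"], ["grp-sales", "grp-eng"]
SAMPLE_RESULT = preflight(SAMPLE_APP, SAMPLE_GRANTED, SAMPLE_GROUPS, SAMPLE_DIRECTORY, SAMPLE_NOW)
```

In a real deployment the inputs would come from Microsoft Graph (the application's passwordCredentials and the service principal's consented app roles), and the warn status is what lets an administrator renew the secret before a scheduled sync fails.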