User Provisioning and Client Rollout Tips: Can I sync all users at once?

Userlevel 3
Badge +13
  • Netskope Employee
  • 8 replies

 Context: What's the user provisioning?

  • User provisioning using IDP such as Azure AD or Okta using SCIM protocol or provisioning users directly from your on-prem Domain Controller using Netskope Adapter (aka AD Importer).
  • User provisioning is a one way push of users and groups to Netskope tenant.
  • IDP or your Domain Controller is always the source of truth for Netskope (except for the users manually added).
  • On Okta and Azure AD Netskope has a gallery app titled "Netskope User Authentication"
  • When users are manually added you can not add them to a group.


Can I sync all users at once?

The answer to the question in the subject is "yes" you can sync all users dynamically (or using dynamic groups) but here are some considerations:


  • Do you want to control Netskope Client rollout group by group or department by department?

If the answer is yes it may be a better idea to assign few groups at a time to the gallery or custom app on your IDP.  This will make your life with client rollout easier. Remember: As soon as client sees a valid user present in the tenant and matches it against who is logged into the system it will start steering the traffic. Rollout client pilot by pilot and then prod roll out department by department if it's easier.


  • Do you have any duplicates (for emails / usernames) or empty groups? (Netskope client cares about the User Principal Name AD attribute aka UPN to authenticate and authorize the user that is logged into a host).
  • Duplicate users or users with primary email address blank and in general such errors will cause the IDP to skip the users. Trying to resolve errors for your 100K user db may not be worth it. If you have all the critical groups synced you are done!
  • Imagine side effect of having pages and pages of groups to scroll through trying to identify the right group you are looking for to add to a policy.
  • Netskope console will display 100 groups per page. Imagine scrolling through 100's of pages and sipping through groups that are not needed.
  • More efficient policy creation


In summary having just the right groups in the tenant will be most effective w.r.t. following configuration elements: steering and exception definitions, client config definitions, SSL DND policies and Real Time / API protection policies.


Some other key pointers related to user provisioning.

  • Do you have nested groups? Nested groups are not supported by most IDP's. Don't use nested groups even if Netskope Adapter can support it. Nested groups will make troubleshooting and operations complex.
  • If the errors in provisioning are more than certain percentage your IDP may quarantine your SCIM app.
  • You can have one user in multiple groups but for the steering purpose you want to keep your pilots as distinct as possible. This will also avoid having a user multiple levels of access (e.g. web categories) when not needed.

0 replies

Be the first to reply!