Understand Full and Incremental Sync

You can synchronize users and groups from selected organizational units (OUs) in Microsoft Active Directory (AD) into Oracle Identity Cloud Service. You can perform either an incremental sync or a full sync. Learn about syncing new OUs and read some example use cases.

Syncing New Organizational Units

Before 20.1.3, OU sync was triggered by the Bridge every minute, so newly added OUs in Active Directory were automatically available in Oracle Identity Cloud Service. Starting with the 20.1.3 release, when you add a new organizational unit (OU) in Active Directory, you must perform an incremental or full sync to see the newly created OU in Oracle Identity Cloud Service. Oracle recommends that you run an incremental sync when adding new OUs.

Use Case: Unlink Users from Microsoft Active Directory (AD)

When you perform a full sync on users from organizational units (OUs), all users in the selected OUs are synchronized in Oracle Identity Cloud Service. The next time you apply a filter to synchronize a specific OU, you perform an incremental sync and the users in that OU are resynchronized in Oracle Identity Cloud Service.

The synchronized users who were not part of the filter will be unlinked from Microsoft Active Directory (AD). The unlinked users can no longer authenticate using delegated authentication because their link to AD is removed and their authentication falls back to Oracle Identity Cloud Service. Any new updates to these users won't be synced to Oracle Identity Cloud Service. You can use Oracle Identity Cloud Service to reset the passwords for these users. When you request a password change for the users, Oracle Identity Cloud Service sends a Password Reset notification to them so that they can provide their new passwords. See Reset Passwords for User Accounts.

If you remove the filter and synchronize these users again using full sync, then all of the users who were unlinked earlier will now be linked, and their authentication will fall back to AD.

Consider Human Resource and Marketing OUs with five users each. You are using full sync to sync them from AD to Oracle Identity Cloud Service. All of the users are synced in Oracle Identity Cloud Service.

If you want the Marketing users alone in Oracle Identity Cloud Service, then you can perform an incremental sync along with a filter to resync the Marketing users into Oracle Identity Cloud Service. All of the users who are part of the Human Resource OU are unlinked because they're not part of the filter that's used to resync users. The number of unlinked users appears in the UI.

(Illustration: use-case_sync-users-oracle-identity-cloud-service-using-demand-full-sync.png)

Use Case: Delete Users and Groups from Microsoft Active Directory (AD)

Microsoft Active Directory (AD) is an authoritative source. Users that are deleted from AD are unlinked and deactivated in Oracle Identity Cloud Service. You can then remove these users from Oracle Identity Cloud Service.

When groups are deleted from AD, upon a full or incremental sync, these groups are also removed from Oracle Identity Cloud Service.

Use Case: Reattach an Unlinked User in Oracle Identity Cloud Service

Suppose you create users in Microsoft Active Directory (AD) with the same usernames as users that were previously unlinked. When you next perform a full or an incremental sync, these users in AD are reattached to the associated users in Oracle Identity Cloud Service.

The reattached user’s authentication will be delegated to AD if delegated authentication is activated in Oracle Identity Cloud Service. For example, a user is synced from multiple AD domains into Oracle Identity Cloud Service. All of these domains are authoritative because AD is an authoritative source. If you delete a user from one of the domains, then the user is unlinked in Oracle Identity Cloud Service. If you resync the user to a different AD domain, then this domain now becomes authoritative for the user.
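The unlink, delete, and reattach behaviour described in the three use cases above, as an added model that is not Oracle's code: `run_sync` is a hypothetical function that replays one sync run over a constructed AD snapshot (OU name to usernames), with `ou_filter=None` standing for a full sync and a set of OU names standing for an incremental sync with a filter.

```python
from dataclasses import dataclass


@dataclass
class IdcsUser:
    """Minimal view of a synced user in Oracle Identity Cloud Service (model only)."""
    username: str
    ou: str                     # OU the user was last synced from
    linked_to_ad: bool = True   # while linked, authentication is delegated to AD
    active: bool = True


def run_sync(idcs_users, ad_ous, ou_filter=None):
    """Model of one sync run. ad_ous maps OU name -> set of usernames in AD.
    ou_filter=None models a full sync over all selected OUs; a set of OU names
    models an incremental sync restricted by a filter. Mutates idcs_users
    (username -> IdcsUser) and returns the usernames unlinked by this run."""
    scope = set(ad_ous) if ou_filter is None else set(ou_filter)
    present = {name: ou for ou in scope for name in ad_ous.get(ou, ())}
    # Users found in the in-scope OUs are created, or reattached if they
    # already exist with the same username, and linked to AD.
    for name, ou in present.items():
        user = idcs_users.setdefault(name, IdcsUser(name, ou))
        user.ou, user.linked_to_ad, user.active = ou, True, True
    unlinked = []
    for name, user in idcs_users.items():
        if not user.linked_to_ad or name in present:
            continue
        user.linked_to_ad = False        # authentication falls back to IDCS
        if user.ou in scope:             # in scope but gone from AD: deleted in AD
            user.active = False
        unlinked.append(name)            # this count is what the UI reports
    return sorted(unlinked)


def auth_target(user):
    """Where the user's credentials are checked after the last sync."""
    return "AD" if user.linked_to_ad else "IDCS"


if __name__ == "__main__":
    # Constructed sample: Human Resource and Marketing OUs with five users each.
    ad = {"Human Resource": {f"hr{i}" for i in range(5)},
          "Marketing": {f"mkt{i}" for i in range(5)}}
    tenant = {}
    print(run_sync(tenant, ad))                          # full sync: nothing unlinked
    print(run_sync(tenant, ad, ou_filter={"Marketing"}))  # filtered: five HR users unlinked
    print(auth_target(tenant["hr0"]), auth_target(tenant["mkt0"]))
```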