[Bug]: Enabling (EntraID) directory synchronization empties all Defguard groups

[jensver]

Summary

After enabling (EntraID) directory synchronization all Defguard groups, including the admin group, is emptied.
Don't know if that how it should work, but it was unexpected.

Steps to reproduce

Enable (EntraID) directory synchronization with these parameters:

Expected behavior

Keep users in existing groups.

Actual behavior

Removes all users from all groups.
Even the users that are not in the 'Sync only matching groups' EntraID group.

Defguard version

2.0.0-beta1

Environment details

Debian + Docker

Deployment / install method

Docker / Docker Compose

Relevant logs / output

Relevant configuration (redacted)

[t-aleksander]

Hello,
The integration will remove all groups from Defguard users if those groups are not assigned in Entra. In other words: Entra becomes the source of truth after enabling the synchronization. So if you didn't have those groups assigned in Entra this is expected.

The "sync only matching groups" only limits the group memberships that are seen by the integration, it doesn't limit which users are being synchronized (https://docs.defguard.net/features/external-openid-providers/microsoft#synchronizing-only-selected-memberships). This will be phrased differently in the upcoming release to reduce this ambiguity.

[kchudy]

Closing this issue as resolved.

If anything comes up again, feel free to reopen.