Sync users periodically from Microsoft Entra ID (Azure AD) to ServiceDesk Plus Cloud. You can import users based on criteria and custom-map Azure fields with ServiceDesk Plus fields to suit your requirements.
ServiceDesk Plus Cloud just reads user information from Azure via API and does not modify data in Azure.
Role Required: SDAdmin
While mapping fields or configuring the criteria for user import, you can sync complete user information (besides basic details) from Microsoft Entra ID (Azure AD) to ServiceDesk Plus Cloud if any of the following integrations is enabled:
Microsoft Azure, enabled by Microsoft Azure global administrator.
Microsoft Entra ID (Azure AD) User Sync, enabled by a Microsoft Azure user after obtaining consent from Microsoft Azure global administrator to authorize ServiceDesk Plus in Microsoft Azure. In this case, the user does not require the global administrator privileges.
The document will help you understand the following topics:
The workflow and configurations described below are required only when the authorizing user is not a Global Administrator or Privileged Administrator. In all other cases, authorization proceeds without any additional configuration.

If this error occurs for non-admin users, follow the steps below to complete the Microsoft Entra ID (Azure AD) authorization workflow.
Step 1: Grant Admin Consent for ServiceDesk Plus (Cloud)
Sign in to the Microsoft Entra admin center as a Global Administrator.
Go to Enterprise applications.
From the left pane, under Manage, select All applications.
Search for the application by name, ServiceDesk Plus (Cloud), and select it.
.png?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9kemY4dnF2MjRlcWhnLmNsb3VkZnJvbnQubmV0L3VzZXJmaWxlcy84NjYvMjUxNC9ja2ZpbmRlci9pbWFnZXMvcXUvMjAyNS91bmtub3duKDI2KS5wbmciLCJDb25kaXRpb24iOnsiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjE3ODM0ODQzNjJ9fX1dfQ__&Signature=BqzepJNKMuzAVGinY~EiEHp6dLk-RPT7YFW1q1YNZvLvpzy8RxRpShphFGpGQfwntPPUh-srPNex8slWgLdTUSTEYATux~MkjO8dzD81lJ8QgRl57NHPErzGOTxHguEMJFvCU1XxWO7iY3OpKDs2U~gpkuzCINN8Yw5br1ClEqxkzg7t-VoYzd2LVMch0H-c1KU0YPQ4rfdAf~Y-cQw5YI4dbQ111i6SOeCeLSt2e6hzj3CPwxgXZKYcCaeg4LgtmjBngjXum7sJiWltaUno4RS3sEMAwADJIm9iMQtcL~ob7JgtPyU7WtUZEiX5MW4RpIStxWMA0E-iEvYFwfsQMA__&Key-Pair-Id=K2TK3EG287XSFC)
In the left pane, under Security, click Permissions.
.png?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9kemY4dnF2MjRlcWhnLmNsb3VkZnJvbnQubmV0L3VzZXJmaWxlcy84NjYvMjUxNC9ja2ZpbmRlci9pbWFnZXMvcXUvMjAyNS91bmtub3duKDI3KS5wbmciLCJDb25kaXRpb24iOnsiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjE3ODM0ODQzNjJ9fX1dfQ__&Signature=JbbbWLzWusEI6s7dTUvDK-BGCU82NI~PebsengnSXNpAEONNIvZSvHWTCrWdxPfZkHfDJgnKUH7t7S8le6RxII1GEIsU8zPYglyyclIkOS7jqbRKTDxCIk5LNny6g66cR4~0jGkvaiPC3l~9WpY78e0WaxuwKRf9vAPaTHI~MuCruU2TC5bwh2lWbfTMQ3yt0JasbFkiRlRWgaGF5rL8b8VUoBXbg8hGUkcZPeL0nYo1cZUZ9b8i9d9vnxhoJdJVg~3USxcEPRbcNgTsS-BvaO6udMdYwxsgiW0NPEP-Q9q1bnBjuBoqd6oGDVvJc8cUa6hUsGC~74ZJr1kMFAwK8Q__&Key-Pair-Id=K2TK3EG287XSFC)
Under the Permissions section, select Grant admin consent for ServiceDesk Plus. This will redirect you to the Microsoft authorization page, where you must complete the authorization process.
.png?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9kemY4dnF2MjRlcWhnLmNsb3VkZnJvbnQubmV0L3VzZXJmaWxlcy84NjYvMjUxNC9ja2ZpbmRlci9pbWFnZXMvcXUvMjAyNS91bmtub3duKDI4KS5wbmciLCJDb25kaXRpb24iOnsiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjE3ODM0ODQzNjJ9fX1dfQ__&Signature=PQWiVmqlA~XUZ0mlWNhCEwSTRjucupTMjOyc8zKjajqgp0vBjOZV74iWZqKEuC66xBCpkBrEleW9QgKhs3haT39EwCh6ovHXcQYPZw1UDQ2utoaBmD56cdkG9h9PBp-EEgsV7cB9zlihlN78QyfUepg0Ubgre2L0C9240~YrxaXETP~Cw8mVEmF5vYdXeey2BEFzak5tzvSA4S3G5OMQ~N8tVgxUGxM7Fq8sgC1XgOjsrLrEZnVJ8g5tRoUpOMvdVjlPEVXGq81tAle8xD4r5mIoBcLsY01D2V2L1MLXlK-Xpy2i8Ei5sTWziuK~EnRWMe3TexSn6t4LgBMzmsHI4Q__&Key-Pair-Id=K2TK3EG287XSFC)
Step 2: Enable the Admin Consent Workflow
Sign in to the Microsoft Entra admin center as a Global Administrator.
Go to Enterprise applications > Consent and permissions > Admin consent settings.
Under Admin consent requests, select Yes for Users can request admin consent to apps they are unable to consent to.
.png?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9kemY4dnF2MjRlcWhnLmNsb3VkZnJvbnQubmV0L3VzZXJmaWxlcy84NjYvMjUxNC9ja2ZpbmRlci9pbWFnZXMvcXUvMjAyNS91bmtub3duKDI5KS5wbmciLCJDb25kaXRpb24iOnsiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjE3ODM0ODQzNjJ9fX1dfQ__&Signature=qK6dVN2zppu0jLjTFqCK6qj5IC3UAwe70ymTL8ipBHxeyOwXAdCzd1kz~P-mkssH7u~ICXe0adZzD05~IFGKYl2wPh5ChRx~rDKex87MHYbx2FRke6dRpuMx9ekRVidlpn~AdOVq6xXQZD82K6S-4KBzvdCBgBzJaKDcTG1-gysWO9cf5X4i3xJUixvNSfZec5mbAW3zi8eTehJGy0qNsb2srDGVH-x9v-DRGbOK3RVGBYpIWkbFnJen4D6RH-BezHpxxVOam9bIt-N~733a3FUh9I8tDban2SoRZXO5xdXJDfVPf597v08fmNpBoRaPKNo5enW~8GNGy7d9~mYvSA__&Key-Pair-Id=K2TK3EG287XSFC)
Configure the following settings:
Who can review admin consent requests - Select users, groups, or roles who can review admin consent requests.
Note:
Global Administrators or Privileged Administrators can approve requests for apps needing application permissions.
Reviewers can view, block, or deny requests and see incoming requests on the My Pending tab.
New reviewers cannot act on existing or expired requests.
Selected users will receive email notifications for requests - Enable or disable email notifications to reviewers when a request is made.
Selected users will receive request expiration reminders - Enable or disable reminder emails to reviewers before a request expires.
Consent request expires after (days) - Specify how many days a consent request stays valid.
Click Save.

To request consent in Microsoft Entra ID (User AD)
Start enabling the integration in your application or service.
If you lack permission, Microsoft Entra ID (Azure AD) will prompt you with a message requesting admin approval.
Click Request approval in the prompt.
Sign in to the Azure Portal.
Go to Microsoft Entra ID (Azure AD).
Under Manage, click Enterprise applications.
In the left pane, under Activity, select Admin consent requests.
My Pending tab: You will see pending consent requests that users have raised.
Click on the request you want to review.

Click Review permissions and consent.
To view the application details, select the App details tab.
To see who is requesting access and why, select the Requested by tab.
.png?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9kemY4dnF2MjRlcWhnLmNsb3VkZnJvbnQubmV0L3VzZXJmaWxlcy84NjYvMjUxNC9ja2ZpbmRlci9pbWFnZXMvcXUvMjAyNi9pbWFnZSgyNCkucG5nIiwiQ29uZGl0aW9uIjp7IkRhdGVMZXNzVGhhbiI6eyJBV1M6RXBvY2hUaW1lIjoxNzgzNDg0MzYyfX19XX0_&Signature=lb-xJDWfn7mmIQ-E6q-pXqQlKQOz1-Jpdu6WgZwebFU5y43lCm16DxX99pbR7w2nX1OYqY9wZvRLtnADlTyjQSXcrHqhMfxmic~YYhVjWTmmKLKlevz4rx~nw~~deSoOGsk8feZHBna2qTkuBOu0doSFBcXjW-43MfjHT89GMazg0UMTv61ZMx8voMK8gbMbRvnH4qw3RILWiXbVdR6Z3AIvxJ3sI9TrfPBc0ACWXUN7AS9cT~PxYGf46c6VJBGNz5f1viqUvYoGj1o7wNqfsmDzmUvArNUktGriI6~Qf4hZ4oQxBbumbnhczwdssA9y-8EY-fkXpCn8wJYxr7IZKw__&Key-Pair-Id=K2TK3EG287XSFC)
Evaluate the request and choose Approve or Deny or Block. Learn more.
Go to Setup > Apps & Add-ons > Integrations > Third Party Integrations.
On the Microsoft Entra ID (Azure AD) User Sync card, toggle the integration ON.
Click Agree.
.png?Policy=eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9kemY4dnF2MjRlcWhnLmNsb3VkZnJvbnQubmV0L3VzZXJmaWxlcy84NjYvMjUxNC9ja2ZpbmRlci9pbWFnZXMvcXUvMjAyNi91bmtub3duKDEwKS5wbmciLCJDb25kaXRpb24iOnsiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjE3ODM0ODQzNjJ9fX1dfQ__&Signature=rbgDBtE3U-7ZfAvAiefESAARw-~5-eKmMXMGM6ma~3ac6nlEZ6EO96AiXM0zjVjHeSm4ARUphoUZwYEAXVXhTLLUJ2pTN26sL4SqzQoUah1UR7f1thJYX5XIfnwN5yfbhOLZVfqDdvpENd~y~KmEFljPfRNfPIHAMM0ccycrVM8e62km8JrPIIIsU0exP9QKMtAg1ZZMv8QMNBYzFRCBcNF~ABAjND0C4nEHdN8DzTvwFBcgBSeFotOCi-thWymRiZ5o9R6fE0lvAQaKpPveQZpIJNr0uqYFVvqednnYCgs-SolyVYIeh1SsbNUKkRdVrCgH8ID9LAy6vCLwZNzgFw__&Key-Pair-Id=K2TK3EG287XSFC)
You will be directed to the Microsoft authorization page to verify user identity if Microsoft Single Sign on is not configured.

Sign in to your Microsoft account and complete the authorization process. This is a one-time process.
After the integration is enabled, details of a minimum of 200 users will be updated to ServiceDesk Plus every 2 minutes.
Click Configure on the Microsoft Entra ID (Azure AD) User Sync card to schedule the sync or to choose how the user information must reflect in ServiceDesk Plus when deleted in Microsoft Entra ID (Azure AD). You can import users based on criteria from Microsoft Entra ID (Azure AD). You can also custom map Microsoft Entra ID (Azure AD) fields with ServiceDesk Plus fields as per requirement.
Set a sync frequency. You can set it between 1 to 7 days.
When users are deleted in Microsoft Entra ID (Azure AD), you can modify user profiles in ServiceDesk Plus Cloud as follows: Revoke login, Remove user, and Do nothing.
When users are moved to trash in Microsoft Entra ID (Azure AD), you can modify the user in ServiceDesk Plus as follows: Revoke login, Remove user, and Do nothing.
Select what happens to the manually deleted users during the next sync cycle. You can either ignore the deleted users or re-sync them using appropriate options.
Choose whether to sync the user profile picture from Microsoft Entra ID (Azure AD) to ServiceDesk Plus.
Set the login status for users added via Microsoft Entra ID (Azure AD): Follow login status from Azure, Enable Login, or Disable Login.
Set the login status for users updated via Microsoft Entra ID (Azure AD): Follow login status from Azure or Do nothing.
Choose which fields from Microsoft Entra ID (Azure AD) should be mapped to the respective ServiceDesk Plus fields.
By default, i.e, without enabling Microsoft Entra ID (Azure AD) integration, Name, Email, First name, Last name, User Principal name fields can be mapped. After enabling the integration, the following fields will be available for mapping.
By default the following fields will be available for mapping:
|
Microsoft Entra ID (Azure AD) Fields |
ServiceDesk Plus Cloud Fields |
|
|
If Microsoft Entra ID (Azure) integration is enabled, you can map the following details from Microsoft Entra ID (Azure AD) to ServiceDesk Plus:
|
Microsoft Entra ID (Azure AD) Fields |
ServiceDesk Plus Cloud Fields |
|
|
Additionally, AD Login Name field is available which is populated using On-premises SAM Account Name, On-premises Domain Name and On-premises User Principal Name field details.
Select and map the respective fields as shown below. An Azure field can be mapped with only one ServiceDesk Plus field.

Field Mapping supports both user and technician additional fields (character-based).
You can import users based on criteria or you can import all users without any criteria.
If you want to import users based on criteria, select Based on Criteria and add conditions. For example, you can set a criterion to import users only from a particular Site by choosing the Site column, setting the operator value as is and by entering the Site name.
If you want to import users without any criteria, select Without Criteria. This option will import all users from Microsoft Entra ID (Azure AD).

Microsoft Entra ID (Azure AD) Fields available for configuring criteria:
Domain
First Name
Last Name
Name
Usage Location
User Principle Name
Users with Azure Login
If Microsoft Entra ID (Azure) integration is enabled, the following fields will be available for configuring criteria:
User Type
Department
Office
Job title
Employee ID
Mobile Phone
Business Phone
Reporting To
City
Company Name
Street Address
State or Province
ZIP or Postal Code
Country or Region
Alternate Email
Groups
Cost Center
Division
Fax Number
On-premises Sync Enabled
On-premises Distinguished Name
On-premises Domain Name
On-premises Immutable Id
On-premises Last Sync Date Time
On-premises SAM Account Name
On-premises Security Identifier
Once you have configured everything, click Save to save the configurations or Save and Sync to initiate sync.

You can also start the sync using the Start Sync button on the Microsoft Entra ID (Azure AD) User Sync integration card.

After the initial sync, administrators can initiate a complete resync of all data from Microsoft Entra ID (Azure AD) to ServiceDesk Plus Cloud. This option can be used especially when the integration configurations were modified after users were imported to ServiceDesk Plus Cloud.
On the Microsoft Entra ID (Azure AD) User Sync card, click Configure.
Select Resync to apply changes to the old data option.
Click Save.
|
Users in Microsoft Entra ID (Azure AD) |
Number of Resync Allowed |
|
Less than 10,000 users |
2 resync every 24 hours (the time will be tracked for each resync individually) |
|
More than 10,000 users |
1 resync every 24 hours |

The option to resync data is available only for Enterprise edition of ServiceDesk Plus Cloud.
Under Setup > Apps & Add-ons > Third Party Integrations, disable Microsoft Entra ID (Azure AD) User Sync by switching the toggle button.
Click Disable on the confirmation pop-up.
All users imported into ServiceDesk Plus from Microsoft Entra ID (Azure AD) will be retained even after the scheduler is disabled.
Get a report on all actions taken on each user synced from Active Directory (AD), including additions, updates, deletions, and any modifications to user data with Microsoft Entra ID (Azure AD) User Sync Reports. To get the report, select the Enable Microsoft Entra ID (Azure AD) User Sync Reports checkbox under Integrations > Microsoft Entra ID (Azure AD) User Sync > Configure > Sync Reports.

Once enabled, the reports will be available to download on the Microsoft Entra ID (Azure AD) User Sync card under Integrations.

A maximum of 10 reports, each up to 10 MB in size, will be stored. Once this limit is reached, the oldest report will be automatically deleted to accommodate storage for new reports.
If the administrator who configured Microsoft Entra ID (Azure AD) User Sync integration leaves the organization, the user who revokes the administrator/global admin privileges for the former user will added as the integration owner. The new integration owner's token will be used to validate the integration.
Users in unverified domains will be added as non-login users in ServiceDesk Plus Cloud.
Login users will be added only if the Account Enabled field is selected in Microsoft Entra ID (Azure AD).
If the Account Enabled field is enabled after adding users to ServiceDesk Plus Cloud, login permissions will be provided to users following the next scan.
If the Account Enabled field is disabled after adding users to ServiceDesk Plus Cloud, login permissions provided previously will not be removed for users. However, users added subsequently will not have login permissions.
