Troubleshooting Entra ID Issues

If you encounter issues with SSO login with Entra ID, review the following steps for a resolution. You can also check the History Logs and SCIM Logs for details related to authentication and provisioning activity. If LDAP provisioning is configured, provisioning activity is available in External Logs.

Username Changed in Entra ID

When a username changes in Entra ID, Files.com does not update the associated account automatically. A Site Administrator can update the account in Files.com manually. Alternatively, use Entra ID's on-demand provisioning to re-provision the user with the updated username.

When updating a username, also update the email address to match to prevent duplicate user accounts from being created.

Duplicate User Accounts

Duplicate accounts appear when user.mail in Entra ID does not match the user's Files.com username. By default, SCIM sets the Files.com username to the User Principal Name. When user.mail holds a different value, Entra ID includes it in the login response and Files.com looks for an account whose username matches that email address.

When no account matches, Files.com provisions a new account and the original SCIM-provisioned account becomes unreachable through SSO. When user.mail is blank, Entra ID does not send an email address and Files.com falls back to the User Principal Name, so login works correctly.

To avoid this, either leave user.mail blank or ensure its value matches the User Principal Name for every user in Entra ID.

To fix this when duplicate accounts already exist, update user.mail in Entra ID to match the User Principal Name for the affected users, confirm they can sign in to their correct account, then delete the duplicate accounts in Files.com. Update user.mail before deleting duplicates. If you delete a duplicate first, the next login creates a new one.

When SCIM deprovisions a user, it only deactivates the account it originally created. The duplicate account remains active and must be deleted manually in Files.com.
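The mismatch described in this section can be audited before users hit it. The following is an added example, not Files.com or Microsoft code: it applies the lookup rule above to a constructed export of Entra ID users and a constructed list of Files.com usernames. It assumes the default SCIM mapping (username = User Principal Name) and case-insensitive username comparison.

```python
# Constructed sample shaped like a Microsoft Graph /users response
# ($select=userPrincipalName,mail). Not real directory data.
GRAPH_USERS = [
    {"userPrincipalName": "alice@example.com", "mail": "alice@example.com"},
    {"userPrincipalName": "bob@example.com", "mail": None},
    {"userPrincipalName": "carol@example.com", "mail": "carol.jones@example.com"},
    {"userPrincipalName": "Dave@example.com", "mail": "dave@example.com"},
    {"userPrincipalName": "frank@example.com", "mail": "f.smith@example.com"},
]

# Constructed list of usernames exported from the Files.com site.
FILES_USERNAMES = [
    "alice@example.com", "bob@example.com", "carol@example.com",
    "carol.jones@example.com", "dave@example.com", "frank@example.com",
]


def sso_lookup_name(user):
    """Name searched for at SSO login: user.mail if set, else the UPN."""
    return user.get("mail") or user["userPrincipalName"]


def audit_duplicate_risk(users, files_usernames):
    """Return (upn, mail, status) for each user whose user.mail differs from the UPN.

    Assumption: usernames are compared case-insensitively.
    """
    existing = {name.casefold() for name in files_usernames}
    findings = []
    for user in users:
        upn = user["userPrincipalName"]
        lookup = sso_lookup_name(user)
        if lookup.casefold() == upn.casefold():
            continue  # blank or matching user.mail: login reaches the SCIM account
        # A Files.com account already named after user.mail is the duplicate.
        status = "duplicate_exists" if lookup.casefold() in existing else "at_risk"
        findings.append((upn, lookup, status))
    return findings


if __name__ == "__main__":
    for upn, mail, status in audit_duplicate_risk(GRAPH_USERS, FILES_USERNAMES):
        print(f"{status:17} UPN={upn} user.mail={mail}")
```

Users reported as at_risk have not signed in through SSO yet; correcting user.mail for them prevents the duplicate from ever being created.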

Users and Groups Assignment in Entra ID

If users encounter authentication errors such as "The signed in user is not assigned to a role for this application" or "The application is not assigned to this user" during SSO login to Files.com, go to the enterprise application you created in Entra ID and check the Assignment required? setting under Properties. By default, this is set to Yes, meaning only assigned users or groups can access the Files.com application.

In this case, authentication may succeed but authorization fails when the user is not assigned to the application. To resolve the issue, go to the Users and Groups section of the enterprise application and assign the required users or groups. Microsoft Entra ID does not support nested groups for this assignment. Users must be part of direct groups or added individually. When Assignment required? is set to No, all users in your directory can attempt login, which may allow broader access than intended.

Missing Groups or Group Memberships with SCIM Provisioning

Entra ID SCIM provisioning runs as two separate operations, the User sync and the Group sync. After the initial provisioning cycle where both run in full, Entra switches to a delta-based sync where only recently modified users or groups are included in future syncs. This is what causes missing groups and memberships.

Missing Group Memberships

A newly provisioned user may not be added to all of their assigned groups if those groups have not been modified recently. Entra skips unchanged objects after the initial sync, so user-to-group relationships can be missed.

Missing Groups

A group may not appear in Files.com and may also be absent from Entra provisioning logs, meaning Entra never attempted to send it. This happens when the group type is unsupported, such as Microsoft 365 groups or mail-enabled distribution lists, when the group falls outside the provisioning scope, or when it contains invalid metadata.

Resolving Missing Data

Files.com creates or updates any valid group and membership data it receives. When data is missing, Entra did not send it. If a group was previously deleted from Files.com and Entra sends it again in a future sync, Files.com recreates it. To trigger reprocessing, modify the group or user in Entra, use the Provision on demand feature, or apply changes through the Microsoft Graph API. Entra has no built-in way to force a full re-evaluation of all users and groups without restarting the provisioning job or manually modifying objects. For known limitations related to SCIM provisioning behavior, see the Microsoft Entra documentation.

These issues are specific to SCIM provisioning. If consistent group membership sync is critical for your environment, use LDAP provisioning instead. LDAP provisioning reads group membership directly from your LDAP directory on a scheduled basis, independent of Entra's delta-sync behavior.
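To find what the delta sync left out, compare both sides directly. The following is an added example, not Files.com or Microsoft code: it reconciles a constructed export of Entra groups (using the Microsoft Graph group properties groupTypes, mailEnabled and securityEnabled) against a constructed map of Files.com groups, and labels groups whose type matches the unsupported kinds named above. It assumes Files.com group names equal the Entra displayName and usernames equal the User Principal Name.

```python
# Constructed sample shaped like Microsoft Graph group objects, with members
# flattened to userPrincipalName values. Not real directory data.
ENTRA_GROUPS = [
    {"displayName": "Finance", "groupTypes": [], "mailEnabled": False,
     "securityEnabled": True, "members": ["alice@example.com", "bob@example.com"]},
    {"displayName": "Project X", "groupTypes": ["Unified"], "mailEnabled": True,
     "securityEnabled": False, "members": ["alice@example.com"]},
    {"displayName": "All Staff DL", "groupTypes": [], "mailEnabled": True,
     "securityEnabled": False, "members": ["bob@example.com"]},
    {"displayName": "Auditors", "groupTypes": [], "mailEnabled": False,
     "securityEnabled": True, "members": ["carol@example.com"]},
]

# Constructed Files.com side: group name -> set of member usernames.
FILES_GROUPS = {"Finance": {"alice@example.com"}}


def unsupported_reason(group):
    """Name the unsupported group type, or return None for a supported type."""
    if "Unified" in group.get("groupTypes", []):
        return "Microsoft 365 group"
    if group.get("mailEnabled") and not group.get("securityEnabled"):
        return "mail-enabled distribution list"
    return None


def reconcile(entra_groups, files_groups):
    """Return (missing_groups, missing_memberships) relative to Entra."""
    missing_groups, missing_memberships = [], []
    for group in entra_groups:
        name = group["displayName"]
        if name not in files_groups:
            reason = unsupported_reason(group) or "supported type: check scope or metadata"
            missing_groups.append((name, reason))
            continue
        # Group exists in Files.com: list members Entra never sent.
        for upn in sorted(set(group["members"]) - files_groups[name]):
            missing_memberships.append((name, upn))
    return missing_groups, missing_memberships


if __name__ == "__main__":
    groups, memberships = reconcile(ENTRA_GROUPS, FILES_GROUPS)
    for name, reason in groups:
        print(f"missing group: {name} ({reason})")
    for name, upn in memberships:
        print(f"missing membership: {upn} in {name}")
```

Each missing membership is a candidate for Provision on demand; groups flagged with an unsupported type will not arrive however often the sync runs.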