Additional configuration
Review the following section to learn the additional configuration options available for the Entra ID connectivity package.
Delta configuration
The Microsoft Graph API provides a way to efficiently track changes in data over time. Instead of retrieving the entire dataset repeatedly, deltas allow you to fetch only the changes that have occurred since your last synchronization. This reduces bandwidth usage and processing time, making it ideal for scenarios where real-time updates are required.
Omada doesn't utilize deltas by default due to the limitations in the Graph API. These limitations pertain to the lack of support for certain filtering and/or expand parameters.
To use the delta import in the Entra ID connectivity, perform the following steps to configure the queries and mappings:
- Go to Setup --> All Systems. Select the system based on Entra ID.
- Go to Queries and mappings. Select the object type and click Edit.
- In the General tab, in the Use delta section, select the Yes radio button.
- In the Delta URL field, enter
@odata.nextLink1. Click OK.
On-premises synced objects
Groups and group memberships originating from the on-premises Active Directory (AD) cannot be managed using Microsoft Entra ID. Neither the Microsoft Azure Portal nor the Microsoft Graph API supports this functionality. The Microsoft Entra ID connectivity package excludes these groups from imports by default, as they are already imported and managed by the AD system.
You can configure the system to import ALL groups regardless of whether they are synchronized or not. Perform the following steps if you choose to import all groups regardless of the synchronization status.
The onPremisesSyncEnabled attribute is not directly related to the creation or management of Microsoft Teams groups.
Queries and mappings with the on-premises synced objects
By default, all queries and mappings configurations are set to exclude synchronized groups. To include synchronized groups, remove the onPremisesSyncEnabled eq null and part from each URL.
| Object type | Old URL | New URL |
|---|---|---|
| Resource (security groups) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq false and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true&$select=id,displayName,description,mailNickname | groups?$filter=mailEnabled eq false and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true&$select=id,displayName,description,mailNickname,onPremisesSyncEnabled |
| Resource assignment (security groups assignments – members) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq false and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true | groups?$filter=mailEnabled eq false and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true |
| Resource assignment (security groups assignments – owners) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq false and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true | groups?$filter=mailEnabled eq false and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true |
| Resources owners (security groups) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq false and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true | groups?$filter=mailEnabled eq false and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true |
| Resources (distribution groups) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq false and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true&$select=id,displayName | groups?$filter=mailEnabled eq true and securityEnabled eq false and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true&$select=id,displayName,onPremisesSyncEnabled |
| Resource assignment (distribution group assignments – members) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq false and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true | groups?$filter=mailEnabled eq true and securityEnabled eq false and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true |
| Resource assignment (distribution group assignments – owners) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq false and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true | groups?$filter=mailEnabled eq true and securityEnabled eq false and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true |
| Resource owners (distribution groups) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq false and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true | groups?$filter=mailEnabled eq true and securityEnabled eq false and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true |
| Resource (mail-enabled security group) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true&$select=id,displayName,description,mailNickname | groups?$filter=mailEnabled eq true and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true&$select=id,displayName,description,mailNickname,onPremisesSyncEnabled |
| Resource assignment (mail-enabled security group assignments – members) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true | groups?$filter=mailEnabled eq true and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true |
| Resource assignment (mail-enabled security group assignments – owners) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true | groups?$filter=mailEnabled eq true and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true |
| Resource owner (mail-enabled security group) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true | groups?$filter=mailEnabled eq true and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true |
| Resource (Sharepoint sites) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and (groupTypes/any(s:s eq 'Unified')) and NOT(resourceProvisioningOptions/any(s:s eq 'Team'))&$count=true | groups?$filter=mailEnabled eq true and (groupTypes/any(s:s eq 'Unified')) and NOT(resourceProvisioningOptions/any(s:s eq 'Team'))&$count=true&$select=id,displayName,description,mailNickname,onPremisesSyncEnabled |
| Resource assignment (Sharepoint groups assignments – members) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and (groupTypes/any(s:s eq 'Unified')) and NOT(resourceProvisioningOptions/any(s:s eq 'Team'))&$count=true | groups?$filter=mailEnabled eq true and (groupTypes/any(s:s eq 'Unified')) and NOT(resourceProvisioningOptions/any(s:s eq 'Team'))&$count=true |
| Resource assignment (Sharepoint groups assignments – owners) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and (groupTypes/any(s:s eq 'Unified')) and NOT(resourceProvisioningOptions/any(s:s eq 'Team'))&$count=true | groups?$filter=mailEnabled eq true and (groupTypes/any(s:s eq 'Unified')) and NOT(resourceProvisioningOptions/any(s:s eq 'Team'))&$count=true |
| Resource owner (Sharepoint) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and (groupTypes/any(s:s eq 'Unified')) and NOT(resourceProvisioningOptions/any(s:s eq 'Team'))&$count=true | groups?$filter=mailEnabled eq true and (groupTypes/any(s:s eq 'Unified')) and NOT(resourceProvisioningOptions/any(s:s eq 'Team'))&$count=true |
Once you remove the onPremisesSyncEnabled attribute from the queries, add an extension attribute to the following resources. This extension attribute provides information for the skip provisioning field in the resource within Omada. If a resource is marked as true, tasks will not be triggered when a user is added to the groups configured to skip provisioning.
| Object type | New extension attribute | Expression |
|---|---|---|
| Resource (distribution group) | Skip? | onPremisesSyncEnabled == null string.IsNullOrEmpty(onPremisesSyncEnabled.ToString()) !bool.Parse(onPremisesSyncEnabled.ToString()) ? "false" : "true" |
| Resource (security group) | Skip? | onPremisesSyncEnabled == null string.IsNullOrEmpty(onPremisesSyncEnabled.ToString()) !bool.Parse(onPremisesSyncEnabled.ToString()) ? "false" : "true" |
| Resource (mail-enabled security group) | Skip? | onPremisesSyncEnabled == null string.IsNullOrEmpty(onPremisesSyncEnabled.ToString()) !bool.Parse(onPremisesSyncEnabled.ToString()) ? "false" : "true" |
| Resource (Sharepoint sites) | Skip? | PARENT_onPremisesSyncEnabled == null string.IsNullOrEmpty(PARENT_onPremisesSyncEnabled.ToString()) !bool.Parse(PARENT_onPremisesSyncEnabled.ToString()) ? "false" : "true" |
After creating the new extension attribute for each resource, configure Omada to use this newly created extension attribute to populate the "skip provisioning" field. This setup ensures that Omada correctly identifies and handles the provisioning behavior (based on the specified attribute when users are added to groups that are configured to skip provisioning):
- Go to Setup --> Master data --> All systems.
- Locate the Omada Identity system. Click Edit.
- Click the Warehouse to portal mapping option.
- Search for Resources:
- Select the resource with the
Update or createoperation assigned. Click Edit. - Click the Mappings tab. Locate the Skip provisioning field.
- Add the following property:
Skip?WOH. Click OK.
Dynamic groups
Dynamic groups are a type of group membership that automatically includes or excludes users based on specific attributes or rules defined by administrators. Unlike traditional groups where members are manually added or removed, dynamic groups use dynamic membership rules to determine membership. By default, Omada is configured to read dynamic groups. You can add filter parameters to queries and mappings to exclude these groups from being read by modifying each URL.
Microsoft Teams does not support the creation of dynamic teams directly within the Teams interface or through Microsoft Graph API.
| Object type | Old URL | New URL |
|---|---|---|
| Resource (security groups) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq false and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true&$select=id,displayName,description,mailNickname | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq false and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified')) and NOT(groupTypes/any(s:s eq 'DynamicMembership'))&$count=true&$select=id,displayName,description,mailNickname |
| Resource assignment (security groups assignments – members) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq false and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq false and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified')) and NOT(groupTypes/any(s:s eq 'DynamicMembership'))&$count=true |
| Resource assignment (security groups assignments – owners) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq false and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq false and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified')) and NOT(groupTypes/any(s:s eq 'DynamicMembership'))&$count=true |
| Resources owners | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq false and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq false and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified')) and NOT(groupTypes/any(s:s eq 'DynamicMembership'))&$count=true |
| Resources (distribution groups) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq false and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true&$select=id,displayName | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq false and NOT(groupTypes/any(s:s eq 'Unified')) and NOT(groupTypes/any(s:s eq 'DynamicMembership'))&$count=true&$select=id,displayName,description,mailNickname |
| Resource assignment (distribution group assignments – members) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq false and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq false and NOT(groupTypes/any(s:s eq 'Unified')) and NOT(groupTypes/any(s:s eq 'DynamicMembership'))&$count=true |
| Resource assignment (distribution group assignments – owners) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq false and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq false and NOT(groupTypes/any(s:s eq 'Unified')) and NOT(groupTypes/any(s:s eq 'DynamicMembership'))&$count=true |
| Resource owners (distribution groups) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq false and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq false and NOT(groupTypes/any(s:s eq 'Unified')) and NOT(groupTypes/any(s:s eq 'DynamicMembership'))&$count=true |
| Resource (mail-enabled security group) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true&$select=id,displayName,description,mailNickname | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified')) and NOT(groupTypes/any(s:s eq 'DynamicMembership'))&$count=true&$select=id,displayName,description,mailNickname |
| Resource assignment (mail-enabled security group assignments – members) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true | groups?$filter= onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified')) and NOT(groupTypes/any(s:s eq 'DynamicMembership'))&$count=true |
| Resource assignment (mail-enabled security group assignments – owners) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true | groups?$filter= onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified')) and NOT(groupTypes/any(s:s eq 'DynamicMembership'))&$count=true |
| Resource owner (mail-enabled security group) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true | groups?$filter= onPremisesSyncEnabled eq null and mailEnabled eq true and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified')) and NOT(groupTypes/any(s:s eq 'DynamicMembership'))&$count=true |
| Resource (Sharepoint sites) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and (groupTypes/any(s:s eq 'Unified')) and NOT(resourceProvisioningOptions/any(s:s eq 'Team'))&$count=true | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and (groupTypes/any(s:s eq 'Unified')) and NOT(resourceProvisioningOptions/any(s:s eq 'Team')) and (not groupTypes/any(s:s eq 'DynamicMembership'))&$count=true&$select=id,displayName,description,mailNickname |
| Resource assignment (Sharepoint groups assignments – members) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and (groupTypes/any(s:s eq 'Unified')) and NOT(resourceProvisioningOptions/any(s:s eq 'Team'))&$count=true | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and (groupTypes/any(s:s eq 'Unified')) and NOT(resourceProvisioningOptions/any(s:s eq 'Team')) and (not groupTypes/any(s:s eq 'DynamicMembership'))&$count=true |
| Resource assignment (Sharepoint groups assignments – owners) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and (groupTypes/any(s:s eq 'Unified')) and NOT(resourceProvisioningOptions/any(s:s eq 'Team'))&$count=true | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and (groupTypes/any(s:s eq 'Unified')) and NOT(resourceProvisioningOptions/any(s:s eq 'Team')) and (not groupTypes/any(s:s eq 'DynamicMembership'))&$count=true |
| Resource owner (Sharepoint) | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and (groupTypes/any(s:s eq 'Unified')) and NOT(resourceProvisioningOptions/any(s:s eq 'Team'))&$count=true | groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq true and (groupTypes/any(s:s eq 'Unified')) and NOT(resourceProvisioningOptions/any(s:s eq 'Team')) and (not groupTypes/any(s:s eq 'DynamicMembership'))&$count=true |
Excluding dynamic groups from provisioning using the Skip Provisioning field
-
In the queries and mappings of your security group, update the query URL to include the groupTypes field:
groups?$filter=onPremisesSyncEnabled eq null and mailEnabled eq false and securityEnabled eq true and NOT(groupTypes/any(s:s eq 'Unified'))&$count=true&$select=id,displayName,description,mailNickname,groupTypes
-
In the Mappings tab, create a new extension attribute named Skip?. Select Expression as the operator and use the following expression:
groupTypes == "DynamicMembership" ? "true" : "false". Click OK. -
Go to Setup > All Systems > Omada Identity.
-
Navigate to Data Synchronization > Export queries and mappings. Locate the Resources section and click Edit.
-
Go to the Mappings tab. Map the Skip provisioning destination to the Skip?WOH attribute created in the previous steps.
-
Run the data import. This will flag the Skip Provisioning field on the resource, preventing it from being provisioned.