Workspace Group Reconciliation
Overview
Workspace Group Reconciliation keeps selected Workspace Items aligned with the membership of their source directory group. It is intended for environments where Workspace Items are backed by either Active Directory or Microsoft Entra ID groups and where ongoing synchronization is required after the initial provisioning process.
This feature is controlled through the Atria.WorkSpace.GroupReconciliation feature flag and is designed for phased rollout. The reconciliation jobs are disabled by default until the feature is enabled for an environment.
What It Does
When Workspace Group Reconciliation is enabled for a supported Workspace Item, Atria compares the item membership in Atria with the membership of the corresponding group in the source directory.
The reconciliation process can then:
- Add missing assignments into Atria when users are members of the source directory group.
- Remove assignments from Atria when users are no longer members of the source directory group.
- Log an error if the source directory group can no longer be found.
This allows Workspace Items to remain in sync with the authoritative directory source instead of relying only on manual updates inside Atria.
Supported Directory Sources
Workspace Group Reconciliation supports:
- Active Directory
- Microsoft Entra ID
The feature was introduced to support both Active Directory and Entra ID backed Workspace Items under the same Workspace service model.
How It Is Enabled
Workspace Group Reconciliation is not enabled for all environments by default.
Rollout requires:
- The
Atria.WorkSpace.GroupReconciliationfeature flag to be enabled. - The reconciliation jobs to be enabled as part of the rollout.
Once enabled, supported Workspace Items expose a Keep in Sync with Active Directory or Keep in Sync with Entra ID option, depending on the identity provider configured for the item.
Item-Level Behavior
Reconciliation is configured at the Workspace Item level.
When the feature is enabled:
- A toggle is available on supported Customer Workspace Items.
- The toggle label changes based on the identity provider for the item.
- Private Workspace Items are supported.
The toggle is not intended for all Workspace Item types. It should not be used for items that do not reconcile against a directory-backed group.
Limitations and Rules
The following rules apply to the current implementation:
- Groupless items are not valid reconciliation targets.
- Customer Only items are not valid reconciliation targets.
- If Create Group Item is disabled, the reconciliation toggle should not be used.
- For Entra ID reconciliation, only users that already exist in Atria with the Microsoft Online service can be synchronized. Users that do not exist in Atria are skipped.
These restrictions prevent reconciliation from being applied to item types that do not have a usable group relationship behind the scenes.
Active Directory Notes
For Active Directory environments, reconciliation relies on directory change tracking to detect membership updates efficiently.
As part of the rollout, upgraded environments may require the Directory Web Service account to have the following permission applied at the domain root:
Replicating Directory Changes
This is used to improve the reliability of incremental synchronization for Active Directory-backed reconciliation.
Entra ID Notes
For Microsoft Entra ID environments, the reconciliation process compares Entra ID group membership with Atria membership for supported Workspace Items.
If a user is a member of the Entra ID group but does not exist in Atria with the Microsoft Online service, that user is skipped during reconciliation.
Logging and Error Handling
Workspace Group Reconciliation includes improved logging so that add and remove actions are easier to interpret during job runs.
Examples of expected outcomes include:
- A user being added to a Workspace Item because they are now a member of the source directory group.
- A user being removed from a Workspace Item because they are no longer a member of the source directory group.
- An error being logged when the source group cannot be found.
Summary
Workspace Group Reconciliation provides a controlled way to keep Workspace Item membership synchronized with Active Directory or Microsoft Entra ID. It is intended for group-backed Workspace Items, is enabled through a feature flag and rollout process, and includes specific rules for unsupported item types and Entra ID user eligibility.