User and Group Sync in Cloud DLP

Cloud DLP maintains an up-to-date user and group catalog to support accurate policy enforcement and reporting. This is achieved through a combination of periodic full synchronization and event-driven incremental updates.

Full synchronization establishes a consistent baseline, while event-driven synchronization minimizes delays in reflecting group membership changes. Together, these mechanisms provide accurate and near real-time visibility for policy enforcement.

Sync Mechanisms

Periodic Full Sync

With the Periodic Full Sync mechanism, the system performs scheduled full synchronizations of users, groups, and memberships to re-establish a consistent baseline. The intervals below are also the worst-case delay for any change that is not covered by event-driven sync.

  • Standard tenants (Cloud DLP with integrations):

    • Users & Groups: every 12 hours

    • Group Memberships: every 24 hours

  • TSD-only tenants (no integrations):

    • Full sync (users, groups, memberships): every 7 days


Event-Driven Incremental Sync

The Event-Driven Incremental Sync mechanism provides near real-time updates between full syncs: Cloud DLP consumes identity-provider events for group membership changes and applies them as they arrive.

When supported audit/event logs are enabled (e.g., Entra ID Audit Logs), membership updates are reflected within minutes. If the logs are not enabled, membership changes are picked up only by the next scheduled full sync.

Supported triggers include:

  • User added to a group

  • User removed from a group

  • Changes in role/group membership

For these events, the system dynamically updates the affected user's group memberships, so policies that rely on group context stay accurate without waiting for the next full sync.


Important Notes

  • User lifecycle changes (create, update, delete) are handled via periodic full sync only (not event-driven). In practice this means a user deleted in the identity provider remains in the catalog, with their last-known group context, until the next full sync (up to 12 hours for standard tenants, up to 7 days for TSD-only tenants).

  • Event-driven updates apply to group membership only, not to full user or group objects (for example, a renamed group or a newly created user is not reflected until the next full sync).

  • When an event-driven update is received, the system refreshes the user's full group membership context, not just the single group named in the event.

  • Event-driven sync is supported for:

    • Microsoft Entra ID (via Audit Logs)

    • Okta

    • Google Workspace


Related Topic:

Users Catalog