- What happens if I turn off automatic provisioning using the toggle?
Switching the toggle to ‘Managed in Poppulo’ re-enables the ability to edit and add users directly in Poppulo. However, Entra will continue attempting to provision users on its schedule (typically every 40 minutes) unless your IT administrator also disables SCIM provisioning in Entra. While Entra provisioning remains enabled, any manual changes you make in Poppulo may be overwritten.
For this reason, we recommend making updates in your identity provider first to avoid changes being reversed.
- What happens to my existing manually created users if I start provisioning via SCIM?
When SCIM provisioning is enabled, your identity provider (Entra) is treated as the source of truth. Any users that were manually created in Poppulo must also exist in your identity provider with matching identifiers (such as email or Employee ID).
If a manual user also exists in your identity provider, SCIM will link to that record and begin managing it automatically.
If a manual user does not exist in your identity provider, SCIM may deactivate or overwrite that user depending on your provisioning settings.
To avoid unexpected changes, make sure all required users exist and are correctly configured in your identity provider before turning on SCIM provisioning.
- If a user was previously a manual user and then becomes a provisioned user, do I need to re-activate them?
No. The Platform uses your unique identifier to check whether the user is already active. If they are, their status remains active after being overwritten as a provisioned user—no reactivation is required.
- What happens if a user is assigned different roles through multiple groups for the same sub-account?
If a user receives conflicting roles from different groups within the same sub-account, Poppulo will automatically apply the highest-permission role based on our predefined role-priority matrix. This ensures the user always retains the most elevated access level assigned to them.
If you want to avoid this behaviour, please review and adjust your group configurations to ensure users are only assigned the intended role for that sub-account.
- What happens if I hit my license limit?
When your organisation reaches its license limit, our API will return an error to your IT Administrator indicating that no additional users can be provisioned. Your Enterprise Administrator will also see this status in the platform. At this point, you’ll have the option to purchase additional licenses to continue adding new users.
- What happens if my organisation is using custom roles?
If your organisation is using custom roles, these roles will still be available for you to select for your users.
- What happens if a user’s email or Employee ID changes in my identity provider?
If a user’s key identifier (email/Employee ID) changes in Entra:
  - SCIM will send an update request to Poppulo
  - The existing user will be updated rather than duplicated
  - Their permissions and group assignments will remain intact
- What actions can and cannot be synced through SCIM?
SCIM syncs the following:
  - User creation
  - User attribute updates
  - User deactivation
  - Group membership updates (depending on your configured mappings)
SCIM does not sync:
  - Passwords
  - Authentication settings
  - Role-specific permissions
  - Account access
  - Custom attributes not mapped in Entra
- Can I manually edit a SCIM-managed user?
By design, SCIM-managed users are locked for manual editing in Poppulo. You cannot manually update attributes such as name, email, or group membership. Any changes made manually could be overwritten during the next SCIM cycle. All updates should be made directly in Entra, which acts as the system of record.
- How do I safely migrate from manual users to SCIM provisioning?
Before enabling SCIM:
  - Ensure all existing users exist in Entra
  - Confirm identifiers (email/Employee ID) match exactly
  - Configure and test your group mappings
  - Purchase additional licenses if needed
  - Enable SCIM provisioning once the identity provider is fully aligned
This avoids duplicates or users being unintentionally deactivated.
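The first, second and fourth checks above can be run offline against two exports before SCIM is switched on. The script below is an added example, not Poppulo or Microsoft tooling; the identifier lists are constructed sample data, and it assumes each user in the identity provider consumes one license.

```python
from dataclasses import dataclass, field


@dataclass
class PrecheckReport:
    missing_in_idp: list = field(default_factory=list)   # may be deactivated or overwritten
    inexact_matches: list = field(default_factory=list)  # differ only by case or whitespace
    duplicate_ids: list = field(default_factory=list)    # IdP ids that collide once normalised
    licenses_short_by: int = 0


def normalise(identifier: str) -> str:
    return identifier.strip().casefold()


def precheck(manual_ids, idp_ids, license_limit):
    """Compare manually created users with the identity provider export."""
    report = PrecheckReport()
    exact = set(idp_ids)
    by_norm = {}
    for ident in idp_ids:
        by_norm.setdefault(normalise(ident), []).append(ident)
    report.duplicate_ids = sorted(k for k, v in by_norm.items() if len(v) > 1)
    for ident in manual_ids:
        if ident in exact:
            continue  # exact match: SCIM can link to this record
        near = by_norm.get(normalise(ident))
        if near:
            report.inexact_matches.append((ident, near[0]))
        else:
            report.missing_in_idp.append(ident)
    # Assumption: one license per identity provider user in scope.
    report.licenses_short_by = max(0, len(exact) - license_limit)
    return report


# Constructed sample exports (not real accounts).
MANUAL = ["ana@example.com", "Ben@Example.com", "carl@example.com ", "dee@example.com"]
IDP = ["ana@example.com", "ben@example.com", "carl@example.com",
       "eve@example.com", "fay@example.com"]

if __name__ == "__main__":
    r = precheck(MANUAL, IDP, license_limit=4)
    print("missing in identity provider:", r.missing_in_idp)
    print("inexact matches to correct:", r.inexact_matches)
    print("licenses short by:", r.licenses_short_by)
```

Anything listed under inexact matches should be corrected on one side so the identifiers match exactly, and anything missing should be created in the identity provider or accepted as a user that will no longer be managed.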
- Are SCIM updates captured within our application?
Yes, SCIM updates are captured for auditing purposes. User updates will be captured in the logs just as they are today with manual user updates. However, please note that source IP address and active user information will not be available for these logs, as calls made through the Platform API do not provide the data required to populate those fields.
- How does the Platform decide which role to assign when a user has multiple roles?
When a user belongs to multiple User Groups that grant different roles for the same account, the Platform must determine which role applies.
In general, the Platform assigns the most permissive role. For example, if a user is a member of User Group A with a Reports Only role and User Group B with an Account Administrator role, the user will be granted the Account Administrator role when they log in.
At the enterprise level, users provisioned as Enterprise Admins have full permissions by default.
However, at the sub-account level, if a user is explicitly assigned to a User Group with a lower role, that role takes precedence and overrides the inherited Enterprise Admin permissions for that specific sub-account.
Special Case: Group Manager Roles
Enterprise Roles configured as “Group Manager” have a score penalty of -10 applied.
This means that if two Enterprise Roles are otherwise identical, but one is a Group Manager and the other grants full access to all Sub-Accounts, the full access role will be chosen.
- What Happens if 2 Roles Have the Same Power Score?
If two roles end up with the same score, the Platform will assign the role alphabetically by name.
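The resolution rules above can be modelled to audit group mappings for users who end up with a higher role than one of their groups intends. This is an added example, not the Platform's code: the scores, group names, sub-account names and enterprise role names are hypothetical (the real role-priority matrix is not published here), and "alphabetically" is read as "first name in alphabetical order".

```python
# Hypothetical scores; only the role names and the -10 penalty come from the page.
ROLE_SCORES = {"Account Administrator": 90, "Reports Only": 10}
GROUP_MANAGER_PENALTY = -10


def pick(candidates):
    """candidates: (role_name, score) pairs. Highest score wins; a tie goes to
    the alphabetically first name (assumed reading of the tie-break rule)."""
    return min(candidates, key=lambda c: (-c[1], c[0]))[0]


def effective_role(explicit_roles, inherited_enterprise_role=None):
    """Role for one user in one sub-account. Roles granted explicitly by User
    Groups for the sub-account take precedence over an inherited enterprise role."""
    if explicit_roles:
        return pick([(r, ROLE_SCORES[r]) for r in set(explicit_roles)])
    return inherited_enterprise_role


def enterprise_role(candidates):
    """candidates: (name, base_score, is_group_manager) for Enterprise Roles."""
    return pick([(name, score + (GROUP_MANAGER_PENALTY if gm else 0))
                 for name, score, gm in candidates])


def audit(memberships, group_roles):
    """Return {(user, sub_account): winning_role} wherever a user's groups
    grant different roles for the same sub-account."""
    findings = {}
    for user, groups in memberships.items():
        per_account = {}
        for group in groups:
            account, role = group_roles[group]
            per_account.setdefault(account, []).append(role)
        for account, roles in per_account.items():
            if len(set(roles)) > 1:
                findings[(user, account)] = effective_role(roles)
    return findings


# Constructed sample mapping: group -> (sub-account, role).
GROUP_ROLES = {"grp-a": ("EMEA", "Reports Only"),
               "grp-b": ("EMEA", "Account Administrator"),
               "grp-c": ("APAC", "Reports Only")}
MEMBERSHIPS = {"ana": ["grp-a", "grp-b", "grp-c"], "ben": ["grp-a", "grp-c"]}

if __name__ == "__main__":
    for (user, account), role in audit(MEMBERSHIPS, GROUP_ROLES).items():
        print(f"{user} has conflicting roles in {account}; effective role: {role}")
```

Each finding is a user whose effective access is set by the most permissive of their groups, which is the case to review when a group mapping was meant to grant only a lower role.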