Deep Dive - How does Connect to AD work?

Connect to AD synchronizes employee data between the source (UKG Pro, Ready, or Onboarding) and the target (Active Directory or Entra ID) through a scheduled synchronization process.

This article explains exactly how that sync works, step by step.

Step 1 — The Sync Starts

Syncs run automatically at scheduled intervals through a task on your application server where Connect to AD is installed. They can also be started manually when needed.

Step 2 — Reading the UKG API

The sync first reads data from the UKG API to check for any changes in user records.

Step 3 — User Matching

After collecting data, Connect to AD searches for matching users in the target system (AD or Entra ID) using a linking attribute that identifies the same user on both sides.

  • If a matching user exists, their data is reviewed and updated if needed.
  • If no match is found:
    • If automatic provisioning is off, the user is ignored.
    • If provisioning is on, Connect to AD checks whether the user meets the provisioning conditions.
    • If the conditions are met, a new user is created.
    • If not, the user is skipped.

Step 4 — Processing Data

Matched or new users are handled using mapping rules that specify how UKG data corresponds to the target system. There are two primary types of mappings:

  • Field mappings, which update user attributes (or properties).
  • Group mappings, which control AD group memberships.

Step 5 — Field Mappings

The system compares mapped fields between UKG and the target directory using expressions.

  • If nothing has changed, it moves on.
  • If a difference is found, the target field is updated according to the mapping rule.

Example:
If an employee’s department changes in UKG, that update will be reflected in AD after the next synchronization.

Step 6 — Group Mappings

Group memberships are reviewed and updated:

  • If a user meets the condition to be in a group and they are not in it, they are added. If they are already in the group, no action is taken.
  • If a user does not meet the condition to be in a group and they are in it, they are removed.

Example:
When an employee transfers from Sales to Operations, Connect to AD automatically updates their group membership.

Step 7 — Notifications

When the sync finishes, Connect to AD checks if notifications are set up. If a notification’s send condition is met, it’s sent automatically.

Step 8 — Completion

After all mappings and updates are complete, the sync concludes. A log is generated summarizing what was updated, created, or skipped during the process.
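
The decisions in Steps 3 to 6 can be modeled as a dry run that lists every planned create, attribute change, and group add or removal before anything is written, which is useful for reviewing the access changes a mapping rule would cause. This is an added example, not Connect to AD's own code; the linking attribute, field names, group names, and conditions are hypothetical, and the sample records are constructed.

```python
# Added illustration: dry-run model of the decisions in Steps 3-6.
# Every name here (attributes, groups, rules) is hypothetical, not product config.
LINK = "employeeID"  # assumed linking attribute

def plan_sync(source, target, field_map, group_rules, provisioning_on, provision_if):
    """Return planned (action, user, detail) tuples; nothing is written anywhere."""
    by_link = {t[LINK]: t for t in target}
    plan = []
    for src in source:
        uid = src[LINK]
        tgt = by_link.get(uid)
        if tgt is None:  # Step 3: no matching user in the target
            if not provisioning_on:
                plan.append(("ignore", uid, None))
                continue
            if not provision_if(src):
                plan.append(("skip", uid, None))
                continue
            plan.append(("create", uid, None))
            tgt = {LINK: uid, "groups": set()}
        for attr, expr in field_map.items():  # Step 5: field mappings
            want = expr(src)
            if tgt.get(attr) != want:
                plan.append(("set", uid, (attr, want)))
        for group, cond in group_rules.items():  # Step 6: group mappings
            member, wanted = group in tgt["groups"], cond(src)
            if wanted and not member:
                plan.append(("add_group", uid, group))
            elif member and not wanted:
                plan.append(("remove_group", uid, group))
    return plan

# Constructed sample data (not real records).
SOURCE = [
    {LINK: "1001", "dept": "Operations", "status": "Active"},
    {LINK: "1002", "dept": "Sales", "status": "Active"},
    {LINK: "1003", "dept": "Sales", "status": "Terminated"},
]
TARGET = [{LINK: "1001", "department": "Sales", "groups": {"Sales-Team"}}]
FIELD_MAP = {"department": lambda s: s["dept"]}
GROUP_RULES = {
    "Sales-Team": lambda s: s["dept"] == "Sales",
    "Ops-Team": lambda s: s["dept"] == "Operations",
}

def is_active(s):
    return s["status"] == "Active"

if __name__ == "__main__":
    for step in plan_sync(SOURCE, TARGET, FIELD_MAP, GROUP_RULES, True, is_active):
        print(step)
```
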
