One of the noteworthy features of Project Online is the Active Directory Synchronisation capability.
Instead of adding individual users to your Project Online instance, administrators can save time by synchronising the Enterprise Resource Pool, as well as the user Security Groups, with groups in Active Directory. This is particularly beneficial for larger Project Online user communities – providing an efficient and reliable way to add resources and users to the instance, reducing an administrative burden.
Whilst there are some efficiencies to be gained, there are also some significant ‘Gotchas’ to be aware of, which will now be explored.
The most important thing to be aware of when considering whether to configure Active Directory Synchronisation for your Project Online instance is that the AD sync is only one-way, which Microsoft advise is by design.
Changes made to a user account or resource profile in Project Online will not be reflected in Active Directory. For example, if a user is marked as ‘Inactive’ in Project Online, this will not affect the user/resource in Active Directory where they will remain an active member of the related AD group. When the sync runs, the user/resource profile will be reactivated in Project Online.
Another common Gotcha is the assumption that after removing users from an Active Directory group used to synchronize user accounts, they will show as ‘Inactive’ in Project Online. However, this is not the case. When a user is deactivated in Active Directory, the following will occur:
- The user will no longer be able to log in to Project Online
- Their user account will still be marked as ‘Active’ in the Project Online Resource Center
- Administrators will no longer be able to make any changes to the user/resource profile in Project Online, i.e. because the user can no longer be linked to an AD account (See screenshot below). Administrators will therefore not be able to update their account status to ‘Inactive’ or amend any other resource metadata.
The way to navigate this mystification is as follows:
- Begin by making ALL necessary updates to the user/resource profile in Project Online, i.e. update the account status to ‘Inactive’ as well as any other amendments required
- Then remove/deactivate the resource/user in the related AD group BEFORE the synchronisation occurs
If resources/users have already been removed/deactivated in Active Directory before they could be updated in Project Online, you could always ask a tenant admin to temporarily reactivate them in Active Directory, make the necessary changes to the user/resource in Project Online, and then deactivate them in Active Directory again.
The alternative option is to use the ‘Deactivate User’ feature from the PWA Settings > Manage Users toolbar.
Whilst this will enable an Administrator to mark a user/resource as ‘Inactive’, the user/resource profile will still be locked for editing.
If your organisation would like help with Microsoft Project Online, please get in touch to speak to a member of our team about training, consultancy or support.