Directory sync

ENTERPRISE

Firezone supports automatic directory sync from Google Workspace, Microsoft Entra ID, and Okta. This feature is automatically enabled when you create one of the Google Workspace, Microsoft Entra, or Okta connectors. No further configuration is necessary. Once the connector is activated, users, groups, and organizational units will be synced from your identity provider every few minutes.

How Firezone treats deleted entities

Firezone never deletes entities synced from your identity provider. This helps to preserve audit trails and other logged activity within Firezone.

Deleting or suspending a user

When a user is deleted or suspended in your identity provider, Firezone will disable the user and clear all active Client and admin portal web sessions for that user upon the next sync. The user will be signed out of all Clients and forced to reauthenticate.

This ensures terminated employees will have all Firezone access revoked within a few minutes of deleting or suspending them in your identity provider.

Deleting a group or organizational unit

When a group or organizational unit is deleted in your identity provider, Firezone will hide the group and delete any associated Policies.

Nested groups and organizational units

Firezone syncs transitive memberships from your identity provider. This means user membership for a particular group is determined not only by its immediate members, but any child groups as well. This allows you to create nested group structures in your identity provider and have their memberships automatically reflected in Firezone.

For example, if you had the following group structure in your identity provider:

Everyone:
  - steve@company.com
  Support:
    - patrick@company.com
  Engineering:
    - bob@company.com
    - alice@company.com
    Devops:
      - john@company.com

You would see the following group memberships in Firezone after sync:

Group:Everyone:
  - steve@company.com
  - patrick@company.com
  - bob@company.com
  - alice@company.com
  - john@company.com
Group:Engineering:
  - bob@company.com
  - alice@company.com
  - john@company.com
Group:Support:
  - patrick@company.com
Group:DevOps:
  - john@company.com