This tool synchronises Orchestrator users with Windows or Azure Active Directory, based on AD group membership mapped to Orchestrator Roles.
New users in AD are added to Orchestrator and existing users are moved to the correct Role.
Azure AD users are matched by comparing the Azure AD user principal name with the user Email in Orchestrator.
The script also handles removing Orchestrator users from roles when they were removed from the corresponding AD group.
AD users that were removed from all relevant AD groups (e.g. an employee that changed role) or were removed from AD (e.g. a former employee that left the company) become 'orphaned users'. They are still defined in Orchestrator but do not have any Role. The script supports the OrphanedUsersAction parameter, which optionally Lists or Removes these users.
The script is idempotent: repeated invocations should not modify the Orchestrator users unless something changed in AD.
You should first import the UiPath.PowerShell module and authenticate yourself with your Orchestrator using Get-UiPathAuthToken before running this script.
The script does not modify the Admin user's role membership, even if its Email matches the Azure AD domains. This is a common scenario and could otherwise result in accidentally locking the Admin user out of the Administrators group.
The script adds new Orchestrator users using the Azure AD DisplayName as Name and leaves Surname empty. It does not try to split the DisplayName and figure out the Surname.
Easily sync AD users to Orchestrator by using this script.
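The following is an added example, not the script's own code: it walks through the reconciliation described above (UPN-to-Email matching, role add/remove, the Admin exemption, orphaned-user handling) against constructed AD and Orchestrator data and prints the changes a sync would make, without calling any Orchestrator cmdlets. The group-to-Role mapping, the users and the 'admin' user name are assumptions.

```powershell
# Added example: plans the role changes the sync would make on constructed data.
param([ValidateSet('None','List','Remove')][string]$OrphanedUsersAction = 'List')

# Assumed AD group -> Orchestrator Role mapping
$GroupRoleMap = @{ 'RPA-Developers' = 'Developer'; 'RPA-Operators' = 'Robot Operator' }

# Constructed AD group membership (user principal name + display name)
$AdGroupMembers = @{
    'RPA-Developers' = @(@{ Upn = 'alice@contoso.example'; DisplayName = 'Alice Adams' })
    'RPA-Operators'  = @(@{ Upn = 'bob@contoso.example';   DisplayName = 'Bob Brown' })
}

# Constructed Orchestrator users; Email is what gets matched against the Azure AD UPN
$OrchUsers = @(
    @{ UserName = 'admin'; Email = 'admin@contoso.example'; Roles = @('Administrator') },
    @{ UserName = 'alice'; Email = 'alice@contoso.example'; Roles = @('Robot Operator') },
    @{ UserName = 'carol'; Email = 'carol@contoso.example'; Roles = @('Developer') }
)

# Desired managed roles per UPN, derived from AD membership (compared case-insensitively)
$Desired = @{}
foreach ($group in $GroupRoleMap.Keys) {
    foreach ($m in $AdGroupMembers[$group]) {
        $key = $m.Upn.ToLowerInvariant()
        if (-not $Desired.ContainsKey($key)) { $Desired[$key] = @{ Name = $m.DisplayName; Roles = @() } }
        $Desired[$key].Roles += $GroupRoleMap[$group]
    }
}

$managedRoles = @($GroupRoleMap.Values)
foreach ($u in $OrchUsers) {
    if ($u.UserName -eq 'admin') { continue }      # assumed Admin user name; never touched
    $key = $u.Email.ToLowerInvariant()
    $want = if ($Desired.ContainsKey($key)) { @($Desired[$key].Roles) } else { @() }
    $have = @($u.Roles | Where-Object { $managedRoles -contains $_ })
    $unmanaged = @($u.Roles | Where-Object { $managedRoles -notcontains $_ })
    foreach ($r in @($want | Where-Object { $have -notcontains $_ })) { "ADD    $($u.UserName) -> $r" }
    foreach ($r in @($have | Where-Object { $want -notcontains $_ })) { "REMOVE $($u.UserName) <- $r" }
    # Orphaned: no managed role from AD and no other role left after removals
    if ($want.Count -eq 0 -and $unmanaged.Count -eq 0 -and $OrphanedUsersAction -ne 'None') {
        "$($OrphanedUsersAction.ToUpper()) orphaned user $($u.UserName)"
    }
    $Desired.Remove($key)
}
# Whoever is left in $Desired has no Orchestrator user yet: created with DisplayName as Name, Surname empty
foreach ($key in $Desired.Keys) { "CREATE $key ($($Desired[$key].Name)) roles: $($Desired[$key].Roles -join ', ')" }
```

Running it twice on data where the first run's changes have been applied prints nothing the second time, which is the idempotence property the script relies on.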