Azure (EntraID) Delta Aggregation - Sync Issues

IdentityIQ (IIQ) IIQ Discussion and Questions
, ,
1

We’ve been working with SailPoint IdentityIQ for the last couple of weeks trying to stabilize Azure AD delta aggregation for a tenant with 400K+ targeted user accounts, and I wanted to validate our approach with the broader community.

What we’ve tried so far:

  • Schema reduction (removing non‑essential attributes)

  • Removing PIM / privileged role aggregation - Though it was important for identity governance - To isolate the issue with PIM this was removed

  • Running delta on a single task server

  • Running delta on multiple task servers with user partitioning

  • Tuning thread counts and connector parameters in application XML

  • Validating that partitioning is successfully created and ROProcessors are running

Despite all of the above, delta aggregation does not consistently converge and remains in “DeltaSync in progress” state for extended periods, while full aggregation reliably completes within ~24 hours.

Based on this behavior, the recommendation we’ve received is to:

  • Create multiple logical Azure AD applications

  • Split the user population (e.g., core users vs privileged users, or segmented filters)

  • Use full aggregation for large populations and delta aggregation only for smaller, bounded scopes

My questions to the community:

  1. For large Azure AD tenants (300K–500K+ users), is this a known and accepted architecture?

  2. Have others found Azure AD delta aggregation to be unreliable at scale, even with partitioning?

  3. Is relying on full aggregation (or a split full+delta model) considered best practice in these scenarios?

2

Hi @RajeshPalani, two suggestions to make:

  • Make sure “Manage Exchange Online” is disabled.
  • After removing attributes from the schema, the delta token may still be referencing them. Deleting the delta token from the application may help.
1 Like
3

We also have similar issue as delta aggregation remains unreliable or takes quite long to complete. Please let me know if you happen to find a solution. Thank you!

4

For comparison, we have 68,000 Azure AD accounts.
A full aggregation, without partitioning and no changed accounts, takes just over an hour.
A delta aggregation when there are no changed accounts takes a few seconds.

What attributes do you have in the schema?

5

Yes. Our Lab tenants has close 10% of production and the delta works well as the non-production environment changes are very minimal or sometime null. Cannot compare this with real production data changes. I donot see “Manage Exchange Online” schema anywhere in application configuration for EntraID. Do you have any specific way to find this ?

6

The “Manage Exchange Online” is on the Settings tab, under Additional Configuration. What version of IIQ are you one?

What attributes do you have in your schema?

7

@RajeshPalani Additionally:

  • Please also check if you have any date related attribute like lastSignInDateTime which gets changed frequently
  • if you don’t need user risk module, you can remove risk schema attributes as well.
  • Do you have any customization rule in place? what it does?