Hello @Julie Peck ,

Yep, the standard approach in OutSystems is to create or sync users upon login. This could even save you on the users count in terms of the license since the users gets created only when they access the application. If user's name or any other claim is changed in Azure AD, this will get synced automatically when the user logs in to OutSystems app the next time.  Regarding Roles, It can be managed via User Groups. Based on User groups assigned on AD, you can automatically assign OutSystems groups which can have one or more OutSystems role assigned. This will automatically assign/remove roles upon login.

However If you want to pre-load users, we have used Microsoft Graph API to get users from Azure AD. You can create a timer that takes care of the synchronization of users at given interval based on your business need.  

Reference:

https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/api/users-operations#GetUsers

Thanks Babu - that all makes sense and I'll have a look at using the Graph API as you suggest.

@Babu Basha - sorry, another question now that I've spent a bit more time on your answer.  When you say "Based on User groups assigned on AD, you can automatically assign OutSystems groups which can have one or more OutSystems role assigned", do you mean by using the Active Directory Group Mapping - Overview | OutSystems Forge component?

Does that Forge component work with AAD as well as AD?  The reason I'm asking is that I'm using OutSystems Cloud but our AD is on-prem and so OutSystems wouldn't be able to connect to it.

If that Forge component doesn't work with AAD, is there any other way of achieving the same result.  Mapping AAD groups to OutSystems roles sounds like a really good solution for my scenario.  Thanks