When connecting a directory (like Entra ID) to OneLogin, you might find that everyone from that directory is being pulled into the system. If you only want users from a specific domain (e.g., abc.com) to have access, the extra users from other domains can clutter your database and consume paid seat licenses.
The standard sync process for certain directory connectors is "non-granular." This means the system is designed to import the entire list of users at once rather than letting you hand-pick specific folders or groups during the initial setup.
Since you cannot stop the users from syncing initially, you must create a "Mapping" rule to manage them once they arrive.
Step 1: Identify a Unique Trait
Step 2: Create a Mapping Rule
Step 3: Set the Automated Action
Step 4: Reapply Mappings
To manage domain-specific access, administrators must identify a unique user attribute, create an automated mapping rule that uses it to identify unauthorized users and change their status to unlicensed or suspended, and then reapply the rule to the existing user list.
If custom user fields are available in your tenant, you can also use them as described below:
----------------------------------------------------------------------------------------------------
The Microsoft export from Entra ID is non-granular, meaning all users will be imported into your OneLogin account by default.
To manage this, you can create mapping rules based on Entra ID group names to disable or unlicense users you do not want. Here’s a rough outline using your OneLogin administration portal:
1. Create a Custom User Field:
• Create a custom user field to import Entra ID group data for a user. (https://onelogin.service-now.com/support?id=kb_article&sys_id=653d60e6973b2150c90c3b0e6253afd2)
2. Map the Custom Field:
• Map this field to the corresponding Entra ID field in your Entra ID Directory Connector. (https://onelogin.service-now.com/support?id=kb_article&sys_id=92ee20a3874e8a90f7b8a7dd3fbb3518)
3. Create a Mapping Rule:
• Create a mapping rule to exclude the users. Initially, you might want to test with an action like “place in role NOTWanted” before unlicensing them.
For detailed instructions on mapping rules, refer to this article (https://onelogin.service-now.com/support?id=kb_article&sys_id=1b1da0e6973b2150c90c3b0e6253afb9).
Set up your rule as follows:
• Condition: If EntraIDGroupsField is not <blank> (i.e., leave the text box empty so that this identifies any user who was imported from Entra ID).
• Condition (and): If EntraIDGroupsField does not contain <Your particular group>.
• Action: Set role to NOTWanted.
This way, all users are imported along with details of the Entra ID groups they belong to, and users who are not in your chosen Entra ID group are added to the NOTWanted role. If this setup seems suitable, you might then set the rule to remove their license.
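One way to preview the rule before switching its action to unlicensing, added here as an example and not OneLogin's own code: it replays the two conditions over constructed user records and lists who would land in NOTWanted. It assumes the group field holds names joined by ";" and that "does not contain" is a plain substring test; `OneLogin-Users` is a placeholder group name.

```python
# Dry run of the mapping rule above on constructed data (no OneLogin API calls).
# Assumptions: EntraIDGroupsField holds group names joined by ";", and the
# rule's "does not contain" condition is a plain substring test.

WANTED_GROUP = "OneLogin-Users"  # placeholder for <Your particular group>

# Constructed sample users, not real directory data.
USERS = [
    {"email": "alice@abc.com", "EntraIDGroupsField": "OneLogin-Users;Finance"},
    {"email": "bob@other.example", "EntraIDGroupsField": "Finance"},
    {"email": "carol@other.example", "EntraIDGroupsField": "OneLogin-Users-Archive"},
    {"email": "local.admin@abc.com", "EntraIDGroupsField": ""},  # not from Entra ID
]


def rule_matches(user, wanted=WANTED_GROUP):
    """Both rule conditions: field is not blank AND does not contain the group."""
    groups = user.get("EntraIDGroupsField") or ""
    return groups.strip() != "" and wanted not in groups


def is_exact_member(user, wanted=WANTED_GROUP):
    """Exact group-name comparison, used only to cross-check the substring test."""
    groups = user.get("EntraIDGroupsField") or ""
    return wanted in [g.strip() for g in groups.split(";")]


def dry_run(users, wanted=WANTED_GROUP):
    """Return (emails the rule sends to NOTWanted, emails kept only by a partial match)."""
    not_wanted, partial = [], []
    for u in users:
        imported = (u.get("EntraIDGroupsField") or "").strip() != ""
        if rule_matches(u, wanted):
            not_wanted.append(u["email"])
        elif imported and not is_exact_member(u, wanted):
            # Substring test passed, but the user is not in the exact group.
            partial.append(u["email"])
    return not_wanted, partial


if __name__ == "__main__":
    not_wanted, partial = dry_run(USERS)
    print("Would be placed in NOTWanted:", not_wanted)
    print("Kept only because of a partial group-name match:", partial)
```

Under the substring assumption, a user reported as a partial match would keep their license, so pick a group name that is not contained in another group's name.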