I have read through several past KB articles regarding configuring PRTG with Azure AD SSO, managing SSO user groups, and using notification templates to send notifications to SSO users. Some of these go back several years, so I'm not sure what the current status of development is related to what we are trying to do.
Our intention was to use Azure AD groups for two purposes:
1. To have one Azure AD group for PRTG Administrators and another Azure AD group for PRTG Read Only users.
2. To have around ten Azure AD groups identifying different sets of SSO users that need to be notified when specific alarm conditions occur so we can manage membership of these groups in Azure AD and reference these SSO groups in PRTG Notification Templates.
We have this currently set up in our PRTG instance, but we are running into issues. For example, some users are getting assigned to multiple SSO user groups, and others are not. Also, changing user membership in Azure AD for user groups doesn't get reflected in Azure AD for some time, presumably until the users with changed group membership log in to PRTG with SSO.
Based on reading through all the KB questions and answers around these topics, it seems this is not a design pattern supported by PRTG for the following reasons:
A. PRTG only "synchronizes" with Azure AD when an SSO user logs in, so things like changes to Azure AD group membership are not reflected by PRTG. For example, if a user is removed from an Azure AD group, they will still get PRTG notifications because PRTG still thinks they are a member of that SSO group (and like will continue until that user logs in to PRTG next.)
B. PRTG only supports SSO users belonging to a single Azure AD group identified in PRTG. If a user belongs to multiple Azure AD groups, they may only be assigned to one of them in PRTG, and will get PRTG permissions according to whichever group they get assigned to. If an SSO user in PRTG ends up in more than one SSO User Group in PRTG with different permissions, they may get permissions of one or the other group, not resolving permissions based on most or least restrictive security or anything like that.
So my two part question is...
Are the assumptions above from past KB questions and answers still accurate, or have these been resolved in recent versions of PRTG such that our original plan above can be implemented?
If the original plan above cannot be implemented, our fallback plan is to use two Azure AD groups, one for PRTG Admins and one for PRTG Read Only users, and to maintain the lists of SSO users that should be notified as individual users selected in PRTG Notification Templates. Is this the approach PRTG would recommend for managing who should be notified for different alert conditions in PRTG using Azure AD SSO users?