FAQs: Single sign-on: identity providers, SCIM, and troubleshooting

This article brings together common customer questions and practical answers based on typical Secureframe workflows, compliance situations and unique tech stacks.

It is meant as quick reference material for day-to-day use of the product.

Microsoft Entra / Azure AD

How should I switch from Entra ID to Rippling as my source of truth for personnel data?

  • If you're transitioning from Entra ID to Rippling for your HR integration with Secureframe, follow these recommended steps to ensure a smooth switch:

    Connect Rippling first: Rippling has higher precedence for all personnel attributes. When both integrations are connected, Secureframe will prioritize data from Rippling.

    Review personnel data: Once Rippling is connected, go to the Personnel Details page to verify that data is syncing correctly. You can also see the source of each attribute to help identify any gaps.

    Only remove Entra after confirming Rippling data is correct: Keeping Entra connected temporarily allows for comparison and validation. Once you're confident that Rippling is supplying complete and accurate data, you can safely uninstall the Entra ID integration.

    Tip: Users with matching names/emails in both systems should be automatically mapped over when Rippling is connected.

If I deactivate a service in Microsoft/Entra or mark it as "Ignored" in Secureframe, will it automatically update or disappear?

  • Deactivating a service in Microsoft Entra will be reflected in Secureframe within 24 hours (after the next sync runs), but the application will remain in your Detected Applications list; it won't automatically disappear. Similarly, if you mark a vendor as "Ignored" and then remove it from Entra, it will stay on your Ignored list in Secureframe. Detected Applications is essentially a historical log of the applications we've detected, giving you visibility into what has been connected. You can choose to add them to your vendor inventory or keep them ignored, but the list itself doesn't remove entries when connections are deactivated.

Does the Azure / Entra ID integration support SCIM provisioning?

  • Not at this time, but it is on our roadmap. If you'd like this capability, contact Support to be added to the existing feature request.

Does the Jamf Pro integration support Okta OIDC credentials?

  • No, the Jamf Pro integration does not support Okta OIDC credentials. The integration only accepts a Jamf native service account using a username, password, and domain. You'll need to create a dedicated service account directly in Jamf Pro and use those credentials to connect.

Is there an Okta FastPass option for login?

  • We do not currently support Okta FastPass.

    Okta FastPass is included with certain Okta packages, but it is not available in all plans by default.

What does the error “User is not assigned to the client application” mean when connecting Okta?

  • This error indicates an issue with the Okta configuration. Specifically, the user attempting to establish the connection is not assigned to the relevant Okta application. To resolve this, ensure the user is assigned to the application in Okta. You can follow the steps outlined in the Okta support article below and confirm step 4 of the connection form in the Secureframe portal is completed correctly:
    https://support.okta.com/help/s/article/How-To-Assign-An-User-To-An-Application?language=en_US

What does the new Okta integration update mean, and do I need to take any action?

  • Secureframe now supports real-time updates for Okta, which allows us to detect and reflect user changes more quickly in the platform.

    If you're setting up a new Okta connection, you’ll be prompted to enable this feature automatically.

    If you're using an existing Okta integration, no action is required to maintain your current sync. However, to take advantage of real-time updates, you’ll need to reconnect the integration and follow the updated steps to grant the required permissions:

    okta.eventHooks.manage

    okta.eventHooks.read

    You'll see a message in the platform guiding you through the process. Reconnecting will not disrupt your existing sync or data.
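    The two scopes above let the connecting application create and read event hooks through Okta's Event Hooks API; an event hook is Okta calling a receiving endpoint whenever a matching System Log event fires. The following is an added example of the receiving side of that exchange, not Secureframe's code: it handles Okta's one-time verification challenge, checks the Authorization header configured on the hook, and turns `user.lifecycle.*` events into personnel state changes. The shared secret, the sample delivery payload and the `handle_event_hook` / `extract_user_changes` names are assumptions made for the example.

```python
import hmac
import json
from typing import Any, Dict, List, Tuple

# Assumption: the secret you configure as the hook's Authorization header value.
# Constructed for this example; never hard-code a real secret.
SHARED_SECRET = "constructed-example-secret"

# Okta System Log lifecycle event types and the personnel state a sync would apply.
LIFECYCLE = {
    "user.lifecycle.create": "active",
    "user.lifecycle.activate": "active",
    "user.lifecycle.unsuspend": "active",
    "user.lifecycle.suspend": "suspended",
    "user.lifecycle.deactivate": "deactivated",
}


def extract_user_changes(payload: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Reduce an event hook delivery to (login, new state, timestamp) records."""
    changes = []
    for event in payload.get("data", {}).get("events", []):
        state = LIFECYCLE.get(event.get("eventType", ""))
        if state is None:
            continue  # e.g. user.session.start: not a lifecycle change, ignore
        for target in event.get("target", []):
            if target.get("type") == "User":
                changes.append({
                    "login": target.get("alternateId"),
                    "state": state,
                    "at": event.get("published"),
                })
    return changes


def handle_event_hook(method: str, headers: Dict[str, str], body: str) -> Tuple[int, Dict[str, Any]]:
    """Return (HTTP status, JSON response) for one request from Okta."""
    h = {k.lower(): v for k, v in headers.items()}

    # One-time verification: Okta sends a GET carrying X-Okta-Verification-Challenge
    # and expects the same value echoed back under "verification".
    if method == "GET":
        challenge = h.get("x-okta-verification-challenge")
        if not challenge:
            return 400, {"error": "missing verification challenge"}
        return 200, {"verification": challenge}

    if method != "POST":
        return 405, {"error": "method not allowed"}

    # Check the configured Authorization value before touching the body, so a
    # forged delivery cannot deactivate or reactivate anyone. Constant-time compare.
    if not hmac.compare_digest(h.get("authorization", ""), SHARED_SECRET):
        return 401, {"error": "bad authorization"}

    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return 400, {"error": "invalid json"}

    changes = extract_user_changes(payload)
    return 200, {"accepted": len(changes), "changes": changes}


# Constructed sample delivery: shape follows Okta's event hook payload, values are made up.
SAMPLE_DELIVERY = json.dumps({
    "eventType": "com.okta.event_hook",
    "data": {"events": [
        {"eventType": "user.lifecycle.deactivate",
         "published": "2024-01-02T03:04:05.000Z",
         "target": [{"type": "User", "alternateId": "jdoe@example.com"}]},
        {"eventType": "user.session.start",
         "published": "2024-01-02T03:04:06.000Z",
         "target": [{"type": "User", "alternateId": "asmith@example.com"}]},
    ]},
})

if __name__ == "__main__":
    print(handle_event_hook("GET", {"X-Okta-Verification-Challenge": "abc123"}, ""))
    print(handle_event_hook("POST", {"Authorization": SHARED_SECRET}, SAMPLE_DELIVERY))
```

    A receiver that skips the Authorization check would accept any POST that reaches it, so the secret on the hook is the only thing tying a delivery to your Okta org; treat it as a credential and rotate it if the receiving URL changes hands.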

Why does my Okta integration disconnect every few months and require reconnecting?

  • In some Okta configurations, refresh tokens automatically expire after a fixed period (commonly around 90 days), even if they are set as persistent. When this happens, Secureframe can no longer refresh the access token and the integration will disconnect, requiring you to reconnect Okta.

    This behavior is driven by Okta’s authorization server and token expiration policies and can occur across many third-party integrations — it is not specific to Secureframe.

    We regularly request and rotate refresh tokens while the integration is active, but in certain Okta setups the refresh token will still expire after its maximum lifetime.

    What you can do:

    Reconnect the Okta integration when prompted to restore syncing.

    Review your Okta authorization server and token lifetime settings to confirm refresh token behavior.

    If this occurs frequently, you may consider using Okta API token authentication instead. This avoids the refresh token expiration limit, but requires manual token creation and rotation. Note that an Okta API token is a long-lived credential: store it as you would a password, and be aware that a token that goes unused for 30 days expires as well.

    If you continue to experience repeated disconnects, please contact Support so we can review your Okta configuration and recommend the best option.

Will personnel imported from a new SCIM connection duplicate entries from an existing integration?

  • Secureframe will typically match new records to existing users based on first name, last name, and email, so duplicates shouldn’t occur. However, there can be cases where the system doesn’t recognize a match, and a manual merge may be needed to combine duplicate accounts.

What are the additional fees for enabling Single Sign-On (SSO) for a client account?

  • Single Sign-On (SSO) is included at no additional cost for customers on the Complete plan.

    If you're not on the [Complete plan](https://secureframe.com/pricing), please contact your Account Manager or email accountmanagement@secureframe.com for pricing details.

What happens to personnel profiles in Secureframe when an SSO integration is disconnected?

  • If an SSO integration is disconnected but remains added in Secureframe, the personnel profiles will stay in the platform. However, if the integration is archived, you’ll have the option to delete the personnel associated with that integration.

Users were able to log in with Google accounts but can no longer do so. What should I check first?

  • Check the integration filter settings for the Google Workspace connection. If a filter is configured that excludes users matching your own domain (e.g., NOT email:*domain*), those users are discarded during sync and won't be able to log in. Review the filter logic and correct it so that your domain is included rather than excluded. Once the filter is updated, the affected users will be pulled in on the next sync.
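    To make the failure mode concrete, here is an added example (not Secureframe's code, and not its actual filter engine) that evaluates a small filter of the shape shown above, `field:glob` with an optional leading `NOT`, against a constructed list of synced users. It reports which users from your domain a given filter would discard, so you can see why `NOT email:*example.com*` empties the sync for example.com while `email:*example.com*` keeps it. The filter grammar, the sample users and the function names are assumptions for the example.

```python
import fnmatch
from typing import Dict, List

# Constructed sample of users as they might arrive from the directory sync (not real data).
USERS: List[Dict[str, str]] = [
    {"email": "alice@example.com", "name": "Alice Example"},
    {"email": "bob@example.com", "name": "Bob Example"},
    {"email": "contractor@partner.net", "name": "Cara Partner"},
]


def matches(user: Dict[str, str], filter_expr: str) -> bool:
    """Evaluate one clause of the form 'field:glob' or 'NOT field:glob'.

    Assumption: this mirrors the shape of the filter quoted in the answer above;
    the product's real filter syntax may support more than this.
    """
    expr = filter_expr.strip()
    negate = False
    if expr.upper().startswith("NOT "):
        negate = True
        expr = expr[4:].strip()
    field, _, pattern = expr.partition(":")
    if not field or not pattern:
        raise ValueError(f"filter must be 'field:pattern', got {filter_expr!r}")
    value = str(user.get(field, ""))
    # Case-insensitive glob match: '*' matches any run of characters.
    hit = fnmatch.fnmatchcase(value.lower(), pattern.lower())
    return (not hit) if negate else hit


def apply_filter(users: List[Dict[str, str]], filter_expr: str) -> List[Dict[str, str]]:
    """Users that survive the sync filter."""
    return [u for u in users if matches(u, filter_expr)]


def discarded_from_domain(users: List[Dict[str, str]], filter_expr: str, domain: str) -> List[str]:
    """Emails from `domain` that the filter would drop; non-empty means those people cannot log in."""
    kept = {u["email"] for u in apply_filter(users, filter_expr)}
    suffix = "@" + domain.lower()
    return [u["email"] for u in users
            if u["email"].lower().endswith(suffix) and u["email"] not in kept]


if __name__ == "__main__":
    bad = "NOT email:*example.com*"   # excludes the customer's own domain
    good = "email:*example.com*"      # includes it
    print("dropped by bad filter:", discarded_from_domain(USERS, bad, "example.com"))
    print("dropped by good filter:", discarded_from_domain(USERS, good, "example.com"))
```

    Running the check before saving a filter change turns "users suddenly can't log in" into a visible list of who would be excluded.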

Is there an option to restrict user sign-in methods to only Google OAuth instead of using a password?

  • Alternate sign-in methods for Secureframe can be managed in the Company Settings > Single Sign-On tab. To enable these methods, your domain must first be claimed. If your domain is not yet claimed, please contact Support to initiate the process.
