- Organization admin
- Organization owner
Zoho Directory Identity Connect is an on-premises agent that connects your organization’s Active Directory to Zoho One. It enables automated synchronization of users, groups, and directory attributes from your on-premises directory to Zoho One, reducing the need for manual user management.
The Identity Connect Agent runs within your
network and communicates securely with Zoho One to keep directory data
up to date based on the sync rules you define, such as organizational
units, attributes, and filters.
The Identity Connect Agent runs continuously on your Windows machine to
maintain synchronization as long as network connectivity is available. A
configuration interface (tray app) is also installed for admins to
manage configurations.
Identity Connect also supports an optional Password Sync Agent, which can be installed on selected Domain Controllers to capture password changes in Active Directory and sync them to Zoho One in near real time. This allows users to continue signing in to Zoho services using their Active Directory credentials.
When Identity Connect is enabled, Active Directory remains the primary
source of truth for user discovery and lifecycle, and Zoho Directory
reflects changes based on directory state and sync rules.
If you plan to enable password sync, review the Password Sync Agent prerequisites later in this guide.
This guide walks you through installing Identity Connect, configuring directory sync, and optionally setting up the Password Sync Agent.
The steps to set up this integration vary for the two User Interface versions supported in Zoho One. Select the UI version you use from the tabs below and proceed with the steps thereunder.
Spaces UI
Download and install the Identity Connect Agent on a machine that meets the following requirements
- Supported platforms: 64-bit Windows Server 2008 or later / Windows 10 or later
- LDAP user credentials with read access to your directory
- The agent must be installed on a machine within the same network as your LDAP server (preferably a Domain Controller if you also plan to install the Password Sync Agent)
Download the Agent
- Sign in to Zoho One. Click
in the top-right corner.
- Go to the Directory Stores tab. Click Add Directory.
- Find Active Directory and click Add.
- On the Download Agent screen:
- Review the prerequisites.
- Copy the Installation Key displayed there.
- Click Download Agent and wait for the download to complete.
Install the Agent
- Execute the downloaded file ZohoDirectory_IdentityConnect.msi to start installation.
- Paste the Installation Key. Upon successful validation, you'll be taken automatically to the setup wizard where you can complete the rest of the installation steps.
- On the Welcome screen, choose your language.
- Read the software license agreement carefully, then accept the terms. Click Continue. On some legacy systems, clicking the URL will not open the page automatically; in that case, click 🔗 to copy the URL, then paste it into your browser to read it.

- Open the provided Login URL from a browser.

- Sign in to your Zoho One admin account if you haven't already.
- Enter the Verification Code shown in the installer.
- Upon successfully signing in, a confirmation screen with your Zoho account email and display name appears. Click Continue.

Once the agent is installed, complete the sync setup in Zoho One.
Possible error cases that appear at this step:
Error | Fix |
The verification code is time-bound and will become invalid after the expiration time (5 minutes). | Click Retry to generate a new code, which you can use to sign in and proceed to configuring your LDAP settings. |
Sometimes, the agent may not be able to contact the Zoho server due to a network issue. | Click Retry. If the error persists, contact support. |
- This is a crucial step where the agent is allowed to connect with Active Directory to fetch data of users and groups for sync.
- Enter your directory info: Domain Name, Domain Controllers, User's Distinguished Name (DN), Password. Make sure they're all valid.

- Enable SSL for a secure connection:
- SSL is recommended, as it safeguards sensitive directory data during transmission.
- To use SSL:
- Your Domain Controller must have a valid SSL certificate issued to its domain.
- You must use the fully qualified domain name (FQDN) in the field dedicated for entering Domain Controller names (e.g., ldap-server-1.zylker.com). Using only the hostname will cause SSL failure.
- Click Next to review the LDAP configurations. If you face the error 'LDAP server goes unreachable,' click Retry to attempt the connection again. Make sure that there's no connectivity issue between the agent machine and LDAP server.
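The two SSL prerequisites above can be checked before you type a Domain Controller name into the installer. The PowerShell below is an added example, not part of Zoho's documentation or tooling: it opens a TLS session to the Domain Controller and reports whether the certificate chains to a trusted root and matches the name you entered. The function name Test-LdapsCertificate is hypothetical, and port 636 (standard LDAPS) is an assumption about the port the agent uses; ldap-server-1.zylker.com is the page's own sample name.

```powershell
# Added example (not Zoho code): inspect the certificate a Domain Controller
# presents on its LDAPS port. Test-LdapsCertificate is a hypothetical helper
# name; port 636 is assumed to be the port the agent connects to.
function Test-LdapsCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [int]$Port = 636
    )

    # Shared state so the validation callback can hand its result back.
    $state = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }

    # Record the validation outcome but let the handshake finish, so the
    # certificate can be inspected. No directory data is sent on this session.
    $inspect = {
        param($source, $certificate, $chain, $sslPolicyErrors)
        $state.Errors = $sslPolicyErrors
        $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$inspect

    $ssl = $null
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($DomainController, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)

        # The name passed here is the name the certificate is matched against,
        # which is why a bare hostname fails when the certificate holds the FQDN.
        $ssl.AuthenticateAsClient($DomainController)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san = $cert.Extensions |
            Where-Object { $_.Oid.Value -eq '2.5.29.17' } |   # Subject Alternative Name
            ForEach-Object { $_.Format($false) }

        $nameMismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
        $chainErrors  = [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors

        [pscustomobject]@{
            NameEntered     = $DomainController
            LooksLikeFqdn   = $DomainController.Contains('.')
            Subject         = $cert.Subject
            SubjectAltNames = $san
            NotAfter        = $cert.NotAfter
            Expired         = $cert.NotAfter -lt (Get-Date)
            NameMatches     = -not $state.Errors.HasFlag($nameMismatch)
            ChainTrusted    = -not $state.Errors.HasFlag($chainErrors)
            PolicyErrors    = $state.Errors
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Usage, run from the machine that will host the agent:
#   Test-LdapsCertificate -DomainController 'ldap-server-1.zylker.com'
```

A result with NameMatches set to False for the short hostname and True for the FQDN is the SSL failure the step above describes.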
Complete Installation
- Click Install to finish setting up the agent. Upon successful installation, the agent will be running.
Note: Ensure the agent machine maintains continuous network connectivity according to your organization's power-saving or login-based policies.
- Click
to perform the following actions:
- Change ownership - Switch the Zoho One admin account linked to the agent in case the original admin leaves your organization or loses LDAP access.

- Change LDAP settings - Modify your LDAP server details here. After making changes, click Update to save them.
- Go back to the Zoho One Admin Panel to complete the remaining setup.
Select Organizational Units (OUs)
- From Zoho One's Directory Stores, navigate to Active Directory.
- Choose which OUs you want to sync to Zoho One.
- Select object types to include:
- Users
- Groups
- Security Groups
- Custom LDAP Query - Enter a valid LDAP query and click Save to sync based on specific LDAP attributes.
- Review the chosen OUs:
- Edit or remove any of those existing OU preferences.
- To add more OUs, click Add OUs.
- When you're done, click Add and Continue.
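Before saving an OU selection or a Custom LDAP Query, it helps to see which accounts it would actually match. The PowerShell below is an added example, not part of Zoho's documentation: it runs the same scope against Active Directory and marks accounts you may not intend to sync. It assumes the RSAT ActiveDirectory module is installed and that the Custom LDAP Query field takes a standard LDAP search filter; the function name, the OU path and the filter are constructed sample values.

```powershell
# Added example (not Zoho code): preview the accounts an OU plus LDAP filter
# would match. Get-SyncScopePreview is a hypothetical helper name.
# Assumes the RSAT ActiveDirectory module and a standard LDAP search filter.
function Get-SyncScopePreview {
    [CmdletBinding()]
    param(
        # Distinguished name of the OU you plan to select (constructed sample below).
        [Parameter(Mandatory)][string]$SearchBase,

        # Default filter: user objects that are not disabled. The OID is the
        # bitwise-AND matching rule; bit 2 of userAccountControl means "disabled".
        [string]$LdapFilter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -LDAPFilter $LdapFilter `
               -Properties adminCount, servicePrincipalName, mail |
        Select-Object SamAccountName, Enabled, mail,
            # adminCount = 1 marks accounts that are (or were) in protected admin groups.
            @{ Name = 'Privileged';     Expression = { $_.adminCount -eq 1 } },
            # Accounts carrying an SPN are usually service accounts, not people.
            @{ Name = 'ServiceAccount'; Expression = { [bool]$_.servicePrincipalName } },
            # No mail attribute: check your field mapping before syncing these.
            @{ Name = 'MissingMail';    Expression = { -not $_.mail } }
}

# Usage with a constructed OU path:
#   $preview = Get-SyncScopePreview -SearchBase 'OU=Staff,DC=zylker,DC=com'
#   $preview | Group-Object Privileged, ServiceAccount | Select-Object Count, Name
#   $preview | Where-Object { $_.Privileged -or $_.ServiceAccount -or $_.MissingMail }
```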
Map Zoho One fields with your LDAP fields
- This is important for making sure user data is correctly transferred.
- Toggle between User Mapping and Group Mapping.
- Fields will be auto-suggested, but you can map them manually.
- Use the tabs to filter by All Fields, Mapped, or Unmapped fields. For example, you can map the Zoho One "Last name" field to your LDAP "Surname" attribute.
- For custom attributes:
- Click Edit next to one of the default attributes displayed.
- Select Custom AD attribute.
- Enter a name for the attribute and save it.
Define Sync Criteria
- On the SET SYNC CRITERIA screen, specify which users or groups should be included in the sync. Switch to the Groups tab if needed.
- Select import type: Based on criteria / All users
- If using criteria: Define Field, Relationship, and Value. Click Save and Next.
Password Sync Agent (Separate installation)
- The main Identity Connect Agent, when coupled with your Active Directory details, allows you to deploy multiple Password Sync Agents (one per Domain Controller) to instantly capture any password change made on these Domain Controllers and securely sync those changes to Zoho One.
- Prerequisites to use the Password Sync Agent:
- Use an LDAP account with Domain Admin-level privileges. The same account credentials provided during the Identity Connect setup will be used for this installation.
- Ensure PowerShell remoting (WinRM) is enabled on every Domain Controller where you plan to install the Password Sync Agent. You need not enable WinRM on Domain Controllers where the agent will not be installed. Learn how to enable WinRM
- Ensure SMB (Server Message Block) is enabled on both the machine initiating the installation and the target Domain Controller and is also allowed through the firewall (SMB typically uses port 445). Learn how to detect and enable SMB
- The machine with the Identity Connect Agent must be bound to the Active Directory domain.
- To enable:
- Enable the toggle to sync the user passwords securely from Active Directory to Zoho One. (Domain Name is auto-filled based on the info you entered for the Identity Connect Agent installation.)
- Select the Domain Controllers where password sync is needed and make sure all of them meet the exclusive requirements to house this agent.
The Zoho Directory Identity Connect agent transfers the Password Sync Agent installer file to the selected Domain Controller over SMB. If SMB is disabled or blocked, the file transfer will fail and the installation cannot proceed.
The file being transferred is the Password Sync Agent installer MSI file (ZohoDirectory_PasswordSynchronizer.msi), which must be successfully copied from the machine where the Zoho Directory Identity Connect Agent is installed to the selected Domain Controller.
SMB is only required during this file transfer stage. Once the installation is complete, SMB is no longer required.
- Select whether you want to auto-restart the Domain Controllers after installation. Regardless of what you choose, the Password Sync Agent takes effect only after a Domain Controller restart.
- If installation fails, the installer will only display Installation failed. The most common causes are that one or more of the prerequisites are not met:
- The provided account doesn't have Domain Admin rights.
If installation fails due to insufficient privileges:
The Password Sync Agent installation requires elevated permissions to perform remote operations such as file transfer and command execution on Domain Controllers. If the account configured in the Identity Connect Agent does not have sufficient privileges, the installation may fail.
To resolve this:
- Open the Identity Connect Agent on the machine where it is installed.
- Update the directory credentials to an account with Domain Admin privileges.
- Save the changes and retry installing the Password Sync Agent from the Admin Panel.
Updating the credentials does not require reinstalling the Identity Connect Agent. If installation continues to fail after verifying permissions, WinRM, and SMB availability, contact Zoho One Support for further assistance.
- WinRM is not enabled on the Domain Controller.
- The agent file could not be transferred to the Domain Controller because the SMB service is either disabled on one of the machines or blocked by the firewall (port 445).
Note: If a directory-synced user is deleted from Zoho One,
password changes for that user in Active Directory will not sync unless
the user is re-provisioned in Zoho One.
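Because the installer reports only Installation failed, it is worth testing each prerequisite yourself before starting. The PowerShell below is an added example, not part of Zoho's documentation or tooling: run on the machine that hosts the Identity Connect Agent, it checks domain binding, the account's Domain Admins membership, WinRM and SMB (port 445) for each target Domain Controller. The function and parameter names are hypothetical; it assumes the RSAT ActiveDirectory module for the group lookup, treats membership of the Domain Admins group as the test for "Domain Admin-level privileges", and needs Windows 8.1 / Server 2012 R2 or later for Test-NetConnection.

```powershell
# Added example (not Zoho code): pre-flight checks for the Password Sync Agent
# prerequisites. Test-PasswordSyncPrerequisites and its parameters are
# hypothetical names. Run on the machine hosting the Identity Connect Agent.
function Test-PasswordSyncPrerequisites {
    [CmdletBinding()]
    param(
        # FQDNs of the Domain Controllers that will receive the agent.
        [Parameter(Mandatory)][string[]]$DomainController,

        # sAMAccountName of the account configured in the Identity Connect Agent.
        [Parameter(Mandatory)][string]$SyncAccount
    )

    # Prerequisite: the agent machine must be bound to the AD domain.
    $computer = Get-CimInstance -ClassName Win32_ComputerSystem

    # Prerequisite: SMB on the initiating machine (Workstation service = SMB client).
    $smbClient = (Get-Service -Name LanmanWorkstation).Status -eq 'Running'

    # Prerequisite: Domain Admin-level account. Assumption: checked here as
    # (nested) membership of the 'Domain Admins' group via the RSAT AD module.
    $isDomainAdmin = $null
    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        $members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive -ErrorAction Stop
        $isDomainAdmin = $members.SamAccountName -contains $SyncAccount
    }
    catch {
        Write-Warning "Domain Admins membership not checked: $($_.Exception.Message)"
    }

    foreach ($dc in $DomainController) {
        # Prerequisite: WinRM must answer on the target Domain Controller.
        $winrm = $false
        try {
            Test-WSMan -ComputerName $dc -ErrorAction Stop | Out-Null
            $winrm = $true
        }
        catch { }

        # Prerequisite: SMB reachable through the firewall (TCP 445), used to
        # copy ZohoDirectory_PasswordSynchronizer.msi to the Domain Controller.
        $smb = Test-NetConnection -ComputerName $dc -Port 445 `
                   -InformationLevel Quiet -WarningAction SilentlyContinue

        [pscustomobject]@{
            DomainController = $dc
            AgentDomainBound = $computer.PartOfDomain
            AgentDomain      = $computer.Domain
            AccountIsDomAdm  = $isDomainAdmin      # $null means "could not check"
            LocalSmbClient   = $smbClient
            WinRmReachable   = $winrm
            Smb445Reachable  = $smb
            Ready            = $computer.PartOfDomain -and $smbClient -and
                               $winrm -and $smb -and ($isDomainAdmin -eq $true)
        }
    }
}

# Usage with constructed sample values:
#   Test-PasswordSyncPrerequisites -DomainController 'ldap-server-1.zylker.com' -SyncAccount 'svc-zohosync' |
#       Format-Table -AutoSize
```

Since SMB is needed only for the file transfer, the Smb445Reachable column is also a way to confirm that any temporary firewall rule has been closed again after installation.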
Configure automated rules for user account handling based on changes in Active Directory.
Setting | What it is for | Options |
Password Notifications | Decide how new users get their initial passwords. | Send email OTP to user - The new user will receive an email directly to their registered email address containing an OTP.
Send email OTP to admin - Admin will receive the OTP or setup info, which they should then forward to the user manually.
Don't notify - No automatic notifications are sent. An admin should manually notify the user and provide them with their login credentials through some other medium. |
Status Sync | Choose how to reflect a user's AD account status changes in Zoho One. | Reflect - If disabled in AD, Zoho One account also gets disabled (and re-enabled if restored).
Do nothing - Ignore AD status changes.
If Do nothing is selected, the system will no longer manage user status. The When User Leaves Selected OU setting will be disabled and unavailable, as it requires Status Sync to be enabled. This interaction is illustrated after the table. |
Mail Notifications | Choose whether you want to send notifications to synced users. | Send - Sends emails to newly synced users and resends invite links to pending users.
Don't send - No email notifications are sent to users. |
When User Leaves Selected OU | Define what should happen in Zoho One when a user is moved out of a selected/synced AD OU. | Disable - The user's Zoho account is auto-disabled.
Do nothing - The user's Zoho account remains active, but will no longer be included in future sync operations. |
Important note: There's a crucial interaction between Setting 2 (Status Sync) and Setting 4 (When User Leaves Selected OU). The When User Leaves Selected OU setting depends on Status Sync. The former is only available if the latter is set to Reflect in Zoho One. If you choose to Do nothing with status changes, the system cannot manage user status based on OU membership. Therefore, Setting 4 will be disabled altogether.
For example, let's assume there's a user named Dexter in AD and see how he's affected during sync with these two settings:
Status Sync | When User Move Out of Selected OU | Action performed on Dexter (in AD) | Result (in Zoho) |
Reflect in Zoho One | Disable in Zoho One | Dexter is removed from OU but still active in AD | Dexter's Zoho account is disabled (OU rule applies) |
Do nothing | (field gets disabled with Do nothing selected) | Dexter is removed from OU | Dexter's Zoho account remains active but is no longer synced (because the Status Sync setting is ignoring status changes, and OU-based handling is off) |
Reflecting hard deletion of users from Active Directory to Zoho One:
When Zoho Directory Identity Connect is enabled, Active Directory acts as the source for user discovery. If a user is deleted or disabled in Active Directory, the corresponding action in Zoho One depends on the configured Status Sync setting.
When Status Sync is set to Reflect, users disabled or removed in Active Directory are disabled in Zoho One. If your organization requires users to be completely deleted from Zoho One instead of just disabled, contact Zoho One Support to enable this configuration for your account. Enabling deletion propagation will permanently remove users in Zoho One when they're disabled/deleted in Active Directory.
For step-by-step instructions on deleting users and handling ownership transfers, see How to Delete a User.
Note on admin deletion: Each Identity Connect configuration is associated with a Zoho One admin. To ensure uninterrupted sync, the system will not allow the deletion or disablement of an owner-admin. You must first use the Change Ownership option in the tray app to transfer dependencies to another admin; only then can the original account be removed. If you attempt deletion directly, the system will block the action and place the account in a "delete-pending" state until all dependencies are cleared.
Deleting a directory-synced user from Zoho One: Deleting a user in Zoho One does not remove the user from Active Directory.
Warning on data loss: If "Delete in Zoho One" is enabled, removing a user from Active Directory will permanently erase their Zoho mail, files, and service data. This data cannot be recovered even if the user is re-synced later from Active Directory.
COMMON SYNC SCENARIOS AFTER USER DELETION: The following scenarios illustrate common outcomes based on typical configurations.
Actual results depend on sync criteria and status settings.
Scenario | Action in ZD | Action in AD | Manual Sync Result | Scheduled Sync Result |
Manual re-creation | User deleted | User exists & meets criteria | User appears in "Users to Create" | User is automatically re-created |
Complete removal | User deleted | User deleted | No action | No re-provisioning (user remains deleted) |
Mixed Zoho & AD actions (or) Conflicting actions | User deleted | User deleted User disabled/moved out of synced OU | Depends on Status Sync setting | Depends on Status Sync setting |
Set frequency (Daily/Weekly/Monthly) and time of sync. Click Save and Next.
Changes in Active Directory or Zoho One are reflected based on the configured sync schedule and may not appear immediately.
Review and Finalize Sync
Review and select users from the imported list to add to Zoho One. This screen helps you with filters:
New Users - Users found in your directory but not yet in Zoho One.
Users to Update - Existing Zoho One users whose info will be updated from your directory in the next sync.
Marked for Activation/Disable - Users who will be activated or disabled based on their status in your directory. Pay attention to this category of users before syncing in order to avoid unintended modifications to their access levels.
Ignored - Users who do not meet the defined sync criteria.
Click Add and Continue.
Review the summary and click Finish to complete the setup. Once installed on multiple Domain Controllers, the Password Sync Agents work together under the same Identity Connect configuration, keeping all password updates in sync without extra manual steps.
At this point, you're done with the Identity Connect setup. The system will now automatically sync your AD users and groups to Zoho One based on the rules you have defined.
Additionally, you will be able to view the detailed status of both the Identity Connect Agent and the Password Sync Agent in the following formats:
Identity Connect Agent
Domain controller(s): The Domain Controllers the agent is configured to sync with.
Agent version: The current version of the agent.
Device name: The name of the machine where the agent is installed.
Status: Connected / Disconnected.
Last sync: The timestamp of the last successful sync.
Password Sync Agent
This section lists each Domain Controller and its password sync status. All agents listed here belong to the same Identity Connect set-up, making it easier to monitor multiple Domain Controllers from one place.
Status: Connected / Disconnected.
Installation status: Installation initiated / Installation complete / Installation failed
Troubleshooting the "Disconnected" Status
If the agent status shows Disconnected:
- Verify that the machine has active internet connectivity.
- Ensure the system date and time on the machine are correct.
UUI
Download and install the Identity Connect Agent on a machine that meets the following requirements
- Supported platforms: 64-bit Windows Server 2008 or later / Windows 10 or later
- LDAP user credentials with read access to your directory
- The agent must be installed on a machine within the same network as your LDAP server (preferably a Domain Controller if you also plan to install the Password Sync Agent)
Download the Agent
- Sign in to Zoho One. Click Directory from the left menu.
- Go to the Directory Stores tab. Click Add Directory.
- Find Active Directory and click Add.
- On the Download Agent screen:
- Review the prerequisites.
- Copy the Installation Key displayed there.
- Click Download Agent and wait for the download to complete.
Install the Agent
- Execute the downloaded file ZohoDirectory_IdentityConnect.msi to start installation.
- Paste the Installation Key. Upon successful validation, you'll be taken automatically to the setup wizard where you can complete the rest of the installation steps.
- On the Welcome screen, choose your language.
- Read the software license agreement carefully, then accept the terms. Click Continue. On some legacy systems, clicking the URL will not open the page automatically; in that case, click 🔗 to copy the URL, then paste it into your browser to read it.

- Open the provided Login URL from a browser.

- Sign in to your Zoho One admin account if you haven't already.
- Enter the Verification Code shown in the installer.
- Upon successfully signing in, a confirmation screen with your Zoho account email and display name appears. Click Continue.

Once the agent is installed, complete the sync setup in Zoho One.
Possible error cases that appear at this step:
Error | Fix |
The verification code is time-bound and will become invalid after the expiration time (5 minutes). | Click Retry to generate a new code, which you can use to sign in and proceed to configuring your LDAP settings. |
Sometimes, the agent may not be able to contact the Zoho server due to a network issue. | Click Retry. If the error persists, contact support. |
- This is a crucial step where the agent is allowed to connect with Active Directory to fetch data of users and groups for sync.
- Enter your directory info: Domain Name, Domain Controllers, User's Distinguished Name (DN), Password. Make sure they're all valid.

- Enable SSL for a secure connection:
- SSL is recommended, as it safeguards sensitive directory data during transmission.
- To use SSL:
- Your Domain Controller must have a valid SSL certificate issued to its domain.
- You must use the fully qualified domain name (FQDN) in the field dedicated for entering Domain Controller names (e.g., ldap-server-1.zylker.com). Using only the hostname will cause SSL failure.
- Click Next to review the LDAP configurations. If you face the error 'LDAP server goes unreachable,' click Retry to attempt the connection again. Make sure that there's no connectivity issue between the agent machine and LDAP server.
Complete Installation
- Click Install to finish setting up the agent. Upon successful installation, the agent will be running.
Note: Ensure the agent machine maintains continuous network connectivity according to your organization's power-saving or login-based policies.
- Click
to perform the following actions:
- Change ownership - Switch the Zoho One admin account linked to the agent in case the original admin leaves your organization or loses LDAP access.

- Change LDAP settings - Modify your LDAP server details here. After making changes, click Update to save them.
- Go back to the Zoho One Admin Panel to complete the remaining setup.
Select Organizational Units (OUs)
- From Zoho One's Directory Stores, navigate to Active Directory.
- Choose which OUs you want to sync to Zoho One.
- Select object types to include:
- Users
- Groups
- Security Groups
- Custom LDAP Query - Enter a valid LDAP query and click Save to sync based on specific LDAP attributes.
- Review the chosen OUs:
- Edit or remove any of those existing OU preferences.
- To add more OUs, click Add OUs.
- When you're done, click Add and Continue.
Map Zoho One fields with your LDAP fields
- This is important for making sure user data is correctly transferred.
- Toggle between User Mapping and Group Mapping.
- Fields will be auto-suggested, but you can map them manually.
- Use the tabs to filter by All Fields, Mapped, or Unmapped fields. For example, you can map the Zoho One "Last name" field to your LDAP "Surname" attribute.
- For custom attributes:
- Click Edit next to one of the default attributes displayed.
- Select Custom AD attribute.
- Enter a name for the attribute and save it.
Define Sync Criteria
- On the SET SYNC CRITERIA screen, specify which users or groups should be included in the sync. Switch to the Groups tab if needed.
- Select import type: Based on criteria / All users
- If using criteria: Define Field, Relationship, and Value. Click Save and Next.
Password Sync Agent (Separate installation)
- The main Identity Connect Agent, when coupled with your Active Directory details, allows you to deploy multiple Password Sync Agents (one per Domain Controller) to instantly capture any password change made on these Domain Controllers and securely sync those changes to Zoho One.
- Prerequisites to use the Password Sync Agent:
- Use an LDAP account with Domain Admin-level privileges. The same account credentials provided during the Identity Connect setup will be used for this installation.
- Ensure PowerShell remoting (WinRM) is enabled on every Domain Controller where you plan to install the Password Sync Agent. You need not enable WinRM on Domain Controllers where the agent will not be installed. Learn how to enable WinRM
- Ensure SMB (Server Message Block) is enabled on both the machine initiating the installation and the target Domain Controller and is also allowed through the firewall (SMB typically uses port 445). Learn how to detect and enable SMB
- The machine with the Identity Connect Agent must be bound to the Active Directory domain.
- To enable:
- Enable the toggle to sync the user passwords securely from Active Directory to Zoho One. (Domain Name is auto-filled based on the info you entered for the Identity Connect Agent installation.)
- Select the Domain Controllers where password sync is needed and make sure all of them meet the exclusive requirements to house this agent.
The Zoho Directory Identity Connect agent transfers the Password Sync Agent installer file to the selected Domain Controller over SMB. If SMB is disabled or blocked, the file transfer will fail and the installation cannot proceed.
The file being transferred is the Password Sync Agent installer MSI file (ZohoDirectory_PasswordSynchronizer.msi), which must be successfully copied from the machine where the Zoho Directory Identity Connect Agent is installed to the selected Domain Controller.
SMB is only required during this file transfer stage. Once the installation is complete, SMB is no longer required.
- Select whether you want to auto-restart the Domain Controllers after installation. Regardless of what you choose, the Password Sync Agent takes effect only after a Domain Controller restart.
- If installation fails, the installer will only display Installation failed. The most common causes are that one or more of the prerequisites are not met:
- The provided account doesn't have Domain Admin rights.
If installation fails due to insufficient privileges:
The Password Sync Agent installation requires elevated permissions to perform remote operations such as file transfer and command execution on Domain Controllers. If the account configured in the Identity Connect Agent does not have sufficient privileges, the installation may fail.
To resolve this:
- Open the Identity Connect Agent on the machine where it is installed.
- Update the directory credentials to an account with Domain Admin privileges.
- Save the changes and retry installing the Password Sync Agent from the Admin Panel.
Updating the credentials does not require reinstalling the Identity Connect Agent. If installation continues to fail after verifying permissions, WinRM, and SMB availability, contact Zoho One Support for further assistance.
- WinRM is not enabled on the Domain Controller.
- The agent file could not be transferred to the Domain Controller because the SMB service is either disabled on one of the machines or blocked by the firewall (port 445).
Note: If a directory-synced user is deleted from Zoho One,
password changes for that user in Active Directory will not sync unless
the user is re-provisioned in Zoho One.
Configure automated rules for user account handling based on changes in Active Directory.
Setting | What it is for | Options |
Password Notifications | Decide how new users get their initial passwords. | Send email OTP to user - The new user will receive an email directly to their registered email address containing an OTP.
Send email OTP to admin - Admin will receive the OTP or setup info, which they should then forward to the user manually.
Don't notify - No automatic notifications are sent. An admin should manually notify the user and provide them with their login credentials through some other medium. |
Status Sync | Choose how to reflect a user's AD account status changes in Zoho One. | Reflect - If disabled in AD, Zoho One account also gets disabled (and re-enabled if restored).
Do nothing - Ignore AD status changes.
If Do nothing is selected, the system will no longer manage user status. The When User Leaves Selected OU setting will be disabled and unavailable, as it requires Status Sync to be enabled. This interaction is illustrated after the table. |
Mail Notifications | Choose whether you want to send notifications to synced users. | Send - Sends emails to newly synced users and resends invite links to pending users.
Don't send - No email notifications are sent to users. |
When User Leaves Selected OU | Define what should happen in Zoho One when a user is moved out of a selected/synced AD OU. | Disable - The user's Zoho account is auto-disabled.
Do nothing - The user's Zoho account remains active, but will no longer be included in future sync operations. |
Important note: There's a crucial interaction between Setting 2 (Status Sync) and Setting 4 (When User Leaves Selected OU). The When User Leaves Selected OU setting depends on Status Sync. The former is only available if the latter is set to Reflect in Zoho One. If you choose to Do nothing with status changes, the system cannot manage user status based on OU membership. Therefore, Setting 4 will be disabled altogether.
For example, let's assume there's a user named Dexter in AD and see how he's affected during sync with these two settings:
Status Sync | When User Move Out of Selected OU | Action performed on Dexter (in AD) | Result (in Zoho) |
Reflect in Zoho One | Disable in Zoho One | Dexter is removed from OU but still active in AD | Dexter's Zoho account is disabled (OU rule applies) |
Do nothing | (field gets disabled with Do nothing selected) | Dexter is removed from OU | Dexter's Zoho account remains active but is no longer synced (because the Status Sync setting is ignoring status changes, and OU-based handling is off) |
Reflecting hard deletion of users from Active Directory to Zoho One:
When Zoho Directory Identity Connect is enabled, Active Directory acts as the source for user discovery. If a user is deleted or disabled in Active Directory, the corresponding action in Zoho One depends on the configured Status Sync setting.
When Status Sync is set to Reflect, users disabled or removed in Active Directory are disabled in Zoho One. If your organization requires users to be completely deleted from Zoho One instead of just disabled, contact Zoho One Support to enable this configuration for your account. Enabling deletion propagation will permanently remove users in Zoho One when they're disabled/deleted in Active Directory.
For step-by-step instructions on deleting users and handling ownership transfers, see How to Delete a User.
Note on admin deletion: Each Identity Connect configuration is associated with a Zoho One admin. To ensure uninterrupted sync, the system will not allow the deletion or disablement of an owner-admin. You must first use the Change Ownership option in the tray app to transfer dependencies to another admin; only then can the original account be removed. If you attempt deletion directly, the system will block the action and place the account in a "delete-pending" state until all dependencies are cleared.
Deleting a directory-synced user from Zoho One: Deleting a user in Zoho One does not remove the user from Active Directory.
Warning on data loss: If "Delete in Zoho One" is enabled, removing a user from Active Directory will permanently erase their Zoho mail, files, and service data. This data cannot be recovered even if the user is re-synced later from Active Directory.
COMMON SYNC SCENARIOS AFTER USER DELETION: The following scenarios illustrate common outcomes based on typical configurations.
Actual results depend on sync criteria and status settings.
Scenario | Action in ZD | Action in AD | Manual Sync Result | Scheduled Sync Result |
Manual re-creation | User deleted | User exists & meets criteria | User appears in "Users to Create" | User is automatically re-created |
Complete removal | User deleted | User deleted | No action | No re-provisioning (user remains deleted) |
Mixed Zoho & AD actions (or) Conflicting actions | User deleted | User deleted User disabled/moved out of synced OU | Depends on Status Sync setting | Depends on Status Sync setting |
Set frequency (Daily/Weekly/Monthly) and time of sync. Click Save and Next.
Changes in Active Directory or Zoho One are reflected based on the configured sync schedule and may not appear immediately.
Review and Finalize Sync
Review and select users from the imported list to add to Zoho One. This screen helps you with filters:
New Users - Users found in your directory but not yet in Zoho One.
Users to Update - Existing Zoho One users whose info will be updated from your directory in the next sync.
Marked for Activation/Disable - Users who will be activated or disabled based on their status in your directory. Pay attention to this category of users before syncing in order to avoid unintended modifications to their access levels.
Ignored - Users who do not meet the defined sync criteria.
Click Add and Continue.
Review the summary and click Finish to complete the setup. Once installed on multiple Domain Controllers, the Password Sync Agents work together under the same Identity Connect configuration, keeping all password updates in sync without extra manual steps.
At this point, you're done with the Identity Connect setup. The system will now automatically sync your AD users and groups to Zoho One based on the rules you have defined.
Additionally, you will be able to view the detailed status of both the Identity Connect Agent and the Password Sync Agent in the following formats:
Identity Connect Agent
Domain controller(s): The Domain Controllers the agent is configured to sync with.
Agent version: The current version of the agent.
Device name: The name of the machine where the agent is installed.
Status: Connected / Disconnected.
Last sync: The timestamp of the last successful sync.
Password Sync Agent
This section lists each Domain Controller and its password sync status. All agents listed here belong to the same Identity Connect set-up, making it easier to monitor multiple Domain Controllers from one place.
Status: Connected / Disconnected.
Installation status: Installation initiated / Installation complete / Installation failed
Troubleshooting the "Disconnected" Status
If the agent status shows Disconnected:
- Verify that the machine has active internet connectivity.
- Ensure the system date and time on the machine are correct.