SSO & User Sync – What applies when sync is active?
When Single Sign-On (SSO) and user sync against your directory (AD/Azure AD) are enabled, the way users are managed in the Murphy platform changes.
The most important principle is:
✅ Users are always administered in your AD - not in Murphy
Murphy cannot create, modify, or move users in your directory environment.
How does a user get access to Murphy?
Access is granted via your security groups in AD.
Step 1: Add the user to the correct security group
Example:
Murphy-Users
Step 2: The sync will automatically retrieve the user
When the user is in the group:
- the user is created or activated in Murphy
- the user receives the correct modules/licenses as determined in advance
What does Murphy need from you?
For the sync to be correct, we need to know:
1. Which modules should users get by default?
Examples of modules:
- Communication and summons
- Crisis and incident management
- Trainings
- The Crisis Framework
- Events
📌 Nothing is pre-selected from the start - you just need to say which modules should be included as standard based on your agreement.
2. How is a security group linked to the correct license?
A common question is:
How does the security group know which license it should be linked to?
The answer is:
➡️ A group is not linked to a license automatically. The link only exists once you have defined it together with Murphy.
For us to configure the sync correctly, you need to tell us:
- Which security group should be associated with which license?
📌 We recommend that you name the groups according to a clear format, e.g.:
murphy-licensename
This makes it easier to administer in the long term.
Admin permissions – do we need many groups?
No.
To avoid having too many security groups, we recommend:
- All users are synced as regular users
- Admin permissions are managed inside Murphy
Recommended working method
- A first batch of admins is set up at go-live
- After that, admins can make other users admins in Murphy themselves.
This is usually easier than creating separate AD groups per license and role.
What happens if a user already exists in Murphy?
If the user is already in the platform and is added to the sync:
✅ Permissions are not changed automatically
The sync then only connects the account to SSO login.
Example:
- An existing admin remains admin
- An existing user keeps their modules
Murphy does not “downgrade” users.
Are email and phone numbers updated via sync?
The sync checks whether certain attributes have changed.
📌 Email is the key in the system and must match.
- Email is not normally changed via sync
- Email must be correct for existing accounts to be linked to SSO
Phone number and other fields
- The phone number can be updated if it changes in AD
- The sync checks if attributes are updated.
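An added example, not Murphy's own code: a pre-sync check over constructed exports that flags security groups with no agreed license mapping and existing Murphy accounts whose email would not match the one in AD. The data shapes, the function name and the case/whitespace comparison used to spot near-misses are assumptions.

```python
# Added illustration, not Murphy code. All data below is constructed.
# Assumed inputs: an AD group membership export, the group-to-license mapping
# agreed with Murphy, and the emails of accounts that already exist in Murphy.

def audit_before_sync(group_members, license_map, murphy_emails):
    """Classify what the sync would meet, so mismatches are fixed in AD first."""
    findings = {"unmapped_groups": [], "missing_email": [], "will_link": [],
                "near_miss": [], "new_user": []}
    exact = set(murphy_emails)
    # Assumption: a case/whitespace-only difference deserves a manual check;
    # how Murphy itself compares emails is not stated on the page.
    folded = {e.strip().lower(): e for e in murphy_emails}
    for group, members in group_members.items():
        if group not in license_map:
            # No license is assigned until the mapping is defined with Murphy.
            findings["unmapped_groups"].append(group)
            continue
        for member in members:
            email = member.get("email") or ""
            key = email.strip().lower()
            if not key:
                findings["missing_email"].append(member["name"])
            elif email in exact:
                findings["will_link"].append(email)   # existing account gets SSO link
            elif key in folded:
                findings["near_miss"].append((email, folded[key]))
            else:
                findings["new_user"].append(email)    # created with the mapped license
    return findings

GROUP_MEMBERS = {  # constructed sample export
    "murphy-crisis": [{"name": "A. Berg", "email": "a.berg@example.com"},
                      {"name": "C. Dahl", "email": "C.Dahl@example.com"},
                      {"name": "E. Falk", "email": ""}],
    "murphy-events": [{"name": "G. Holm", "email": "g.holm@example.com"}],
    "Crisis-Team": [{"name": "I. Juhl", "email": "i.juhl@example.com"}],
}
LICENSE_MAP = {"murphy-crisis": "Crisis and incident management",
               "murphy-events": "Events"}
MURPHY_EMAILS = ["a.berg@example.com", "c.dahl@example.com"]

if __name__ == "__main__":
    report = audit_before_sync(GROUP_MEMBERS, LICENSE_MAP, MURPHY_EMAILS)
    for kind, items in report.items():
        print(f"{kind}: {items}")
```

Entries under near_miss and missing_email are the ones to correct in AD before the user is added to a synced group.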
Important: Do not add users manually via the admin function in Murphy
When sync is active, you should not use Murphy functions such as:
- Group licenses
- manual user assignment
Why?
- Murphy can't change anything in your AD
- All access should be controlled via security groups
User management should always be done via AD groups.
Individual user permissions can then be adjusted within Murphy as needed.