Rollout Groups
Rollout Groups let you migrate users from one Entra group to another in controlled phases, rather than moving everyone at once. This is useful when rolling out new access policies, migrating between security groups, or gradually transitioning users to a new configuration.
When to Use Rollout Groups
- Migrating users from a legacy security group to a new one without disrupting access all at once
- Gradually rolling out a new policy or application license to batches of users
- Testing changes with a small group before extending to the entire organization
- Any scenario where a staged, controlled approach to group membership changes is preferred
Setting Up a Rollout
Name and Description
Give your rollout group a clear name so it's easy to identify in the list. The description field is optional but useful for explaining the purpose of the migration.
Source and Target Groups
Start by selecting the source group (where users currently are) and the target group (where they should end up). You can also create a new Entra Security Group directly from this form if you need a new target. Adcyma will move users from source to target across the stages you define.
Configuring Stages
Set the number of stages for the rollout. Adcyma divides the users evenly across all stages automatically. For example, with 100 users and 4 stages, each stage will move approximately 25 users.
Set the total rollout duration and choose a unit (hours or days). This is the full time span of the migration. The waiting period between stages is calculated automatically based on the total duration and number of stages.
These natural checkpoints give you time to verify everything is working before the next batch of users is moved.
Triggering the Rollout
You can start a rollout in two ways:
Manual Start each stage by hand when you're ready. This gives you full control and is ideal for high-stakes migrations.
Scheduled Set a start date and time and let stages execute automatically based on the configured durations. Use this for lower-risk migrations where you're confident in the configuration.
Pause is only available in scheduled mode. Manual rollouts don't support pausing between stages.
Monitoring Progress
Once a rollout is in progress, you can track it from the sidebar. Each saved rollout shows its current progress. Click into it to see:
- Which stage is currently active
- How many users have been moved so far
- How many users remain
- The scheduled time for the next stage (if using scheduled mode)
If something goes wrong, you can pause the rollout before the next stage executes.
Best Practices
- Start with a small number of stages to validate that the migration works as expected before going broad.
- Allow enough time between stages to gather feedback from users and verify that access is working correctly.
- Use manual triggering for the first rollout of a new type, then switch to scheduled mode once you're confident in the process.
- Communicate the rollout schedule to affected users so they know when to expect changes.
- Keep the source group intact until the rollout is fully complete and verified. This makes it easier to roll back if needed.
Troubleshooting
If users aren't moving between stages:
- Verify the rollout hasn't been paused
- Check that the source group still contains the expected members
- Confirm the target group exists and Adcyma has permissions to modify its membership
If a stage completes with fewer users than expected:
- Some users may have already been removed from the source group
- Check for membership changes that occurred outside of Adcyma
If you need to stop a rollout:
- Pause the rollout from the monitoring view
- Users already moved to the target group will stay there. You'll need to move them back manually if needed.