# Directory Sync

**Directory Sync** is the process of synchronizing external directory data from your identity provider into the Enterprise Console. This document discusses how directory sync works in Pomerium and its use cases.

**Directory Sync** is a Pomerium Enterprise feature. [Contact us](https://www.pomerium.com/enterprise-sales/) to upgrade today.

**Directory Sync** integrations in the Enterprise Console are only available for certain identity providers. See [**IdP Options**](#idp-options) below for more information.

## Directory sync in the Enterprise Console

To start a directory sync in the Enterprise Console:

1. Go to the **Identity Providers** tab
2. Select your **Identity Provider**
3. Next to **IDP Options**, fill out the required fields (see [**IdP Options**](#idp-options) below for more information)
4. In the [**Polling Min Delay**](https://www.pomerium.com/docs/reference/identity-provider-settings.md#identity-provider-polling-minmax-delay) and [**Polling Max Delay**](https://www.pomerium.com/docs/reference/identity-provider-settings.md#identity-provider-polling-minmax-delay) fields, keep the default durations
5. Select **SAVE SETTINGS**

Once you save your settings, it may take a while for the sync to complete. Go to [**Monitor directory sync**](#monitor-directory-sync) for more information.

### Monitor directory sync

The Enterprise Console polls the identity provider data source based on the durations defined in the **Polling Min Delay** and **Polling Max Delay** fields.

See [**Identity Provider Min/Max Delay**](https://www.pomerium.com/docs/reference/identity-provider-settings.md#identity-provider-polling-minmax-delay) for more information on how to monitor directory sync.

### IdP Options

The requirements and instructions for directory sync vary depending on the identity provider. You can view the **IDP Options** for an identity provider in the Enterprise Console, or refer to the relevant identity provider guide for vendor-specific steps:

- [Auth0](https://www.pomerium.com/docs/integrations/user-identity/auth0.md)
- [Blob](https://www.pomerium.com/docs/integrations/user-identity/blob.md)
- [Cognito](https://www.pomerium.com/docs/integrations/user-identity/cognito.md)
- [Microsoft Entra ID (Azure AD)](https://www.pomerium.com/docs/integrations/user-identity/azure.md)
- [GitHub](https://www.pomerium.com/docs/integrations/user-identity/github.md)
- [GitLab](https://www.pomerium.com/docs/integrations/user-identity/gitlab.md)
- [Google](https://www.pomerium.com/docs/integrations/user-identity/google.md)
- [Okta](https://www.pomerium.com/docs/integrations/user-identity/okta.md)
- [OneLogin](https://www.pomerium.com/docs/integrations/user-identity/one-login.md)
- [Ping](https://www.pomerium.com/docs/integrations/user-identity/ping.md)

## How to use directory sync

### Directory data as policy criteria

After a successful sync, directory data sourced from your identity provider will be available in the Enterprise Console. You can use this data as context in your authorization policies to control which users and groups can access upstream applications and services.
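A policy of the kind described above, written in Pomerium Policy Language (PPL) as an added example that is not part of the original page. The domain and both group names are constructed placeholders, and matching a group by its name is an assumption; use the group identifiers the console shows after your sync.

```yaml
# Added example, not from the original page.
# "example.com", "platform-admins" and "offboarding" are constructed
# placeholders for values from your own synced directory.
allow:
  and:
    # The user must belong to the organization's domain ...
    - domain:
        is: example.com
    # ... and be a member of this synced directory group.
    - groups:
        has: "platform-admins"
deny:
  or:
    # Deny rules take precedence over allow rules, so a user who is in
    # both groups is refused.
    - groups:
        has: "offboarding"
```

Group membership in a policy like this is only as current as the last poll of the identity provider, so a removal made in the IdP takes effect after the next sync.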

### Device enrollment

Administrators can generate custom device registration links for users within their directory.

See [**Device Identity**](https://www.pomerium.com/docs/integrations/device-context/device-identity.md) for more information on how to enroll and manage devices in the Enterprise Console.
