Hello @mikek8877. Yes, you got it correct. Generally, in AEM, when a user sync happens and the user is part of a group, the group would be synced. You need to define the group member attribute. You can also put a debug-level logger on org.apache.jackrabbit.oak.security.authentication.ldap and check what ...