In my current position I manage a vRealize Automation environment which is also connected to a vRealize Orchestrator server.
The vRO server is using vRA as the Identity Provider.
For some reason new accounts were not able to log in to the vRO client.
So the first thing we checked was the synchronization with Active Directory in the vRA. Everything looked fine (green checkmark).
But the problem was not in the synchronization in the tenant I was working in. It was in the default tenant.
This synchronization was running every week but stopped working. The reason had to do with the Safeguards.
Sync Safeguards limits the number of changes that can be made to the User and Groups when the directory syncs.
Synchronization fails if the changes are more than the percentage that is set.
After manually starting the sync and overwriting the safeguard the new users were added and were able to log in.