Abstract
This document discloses, in enabling detail, a computer-implemented method and system for reconciling an external identity-directory group (for example an Entra/Azure AD or LDAP security group) into a local authorization store while remaining fail-closed under partial data. The central mechanism derives a single boolean completeness verdict from the paging protocol itself — the act of following continuation tokens to exhaustion — rather than from the magnitude of the change the reconcile would produce. Any page fault, timeout, malformed page, or continuation overrun poisons the verdict to incomplete. The reconciler then degrades asymmetrically: additive membership grants are always applied, but every revocation is suspended for the duration of an incomplete read. A second, independent percentage rail refuses any revoke batch that would remove more than a bounded fraction of the group's current members in a single tick, even when the read was complete. Membership is keyed by a resolved local principal identifier, and mirror rows that merely round-trip a user-principal-name are rejected so a raw UPN is never written into the authorization set. Disabled accounts drop on the next sync; the hot authorization path reads a freshness-bounded mirror that fails closed when stale. The disclosure establishes dated public prior art over this integrity-derived asymmetric-degradation mechanism.
Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 License.
Recommended Citation
Assuncao, gustavo matthew, "Completeness-Flagged Directory Reconciliation with Adds-Only Degradation and Dual Revoke Rails", Technical Disclosure Commons, (July 13, 2026)
https://www.tdcommons.org/dpubs_series/10883