Existing users domains not matching when added #2275

Open
5 tasks done
helendduncan opened this issue Nov 1, 2024 · 2 comments
Labels
bug Problem when deploying a Data Safe Haven. needs decision Requires dev team to come to an agreement on how to proceed

Comments

@helendduncan

✅ Checklist

  • I have searched open and closed issues for duplicates.
  • This is a problem observed when managing a Data Safe Haven.
  • I can reproduce this with the latest version.
  • I have read through the documentation.
  • This isn't an open-ended question (open a discussion if it is).

💻 System information

  • Operating System: macOS
  • Data Safe Haven version: 5.0.1

🚫 Describe the problem

A test SRE was successfully deployed and two users were added to it via the CLI.
One user (Bob Smith) had a bob.smith@prod4... Entra user which was updated. The second user (James Allen) did not, and their Entra user was created.

Both Bob and James were added to the test SRE users group - however Bob, with the prod4 account, couldn't see any connections in the Guacamole interface.

This is because the domain doesn't match the expected domain.

🚂 Workarounds or solutions

Manually editing Bob's User principal name Domain via Entra allowed access, but would need to be manually edited for all users who had accounts from previous iterations of DSH.

@helendduncan helendduncan added the bug Problem when deploying a Data Safe Haven. label Nov 1, 2024
@JimMadge JimMadge changed the title Existing users domains not matching when added to a prod5 SRE Existing users domains not matching when added Nov 4, 2024
@JimMadge
Member

JimMadge commented Nov 4, 2024

I think this is working as intended. I don't think we would want the add command to modify existing users' primary domain, at least not without a guard.

What behaviour would you want?

Perhaps the CLI should close with an error if a user already exists, or already exists and isn't an "SRE user".

@JimMadge
Member

JimMadge commented Nov 5, 2024

Also worth clarifying,

  • We imagine one SHM per Entra (although not strictly required)
  • Users belong to a SHM domain
  • SREs belong to one and only one SHM
  • Users can be registered to multiple SREs in the SHM they exist in
  • Users cannot be registered to an SRE in a different SHM

@JimMadge JimMadge added the needs decision Requires dev team to come to an agreement on how to proceed label Nov 11, 2024
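
The guard discussed in this thread, sketched as an added example (not code from the Data Safe Haven project or from either participant): before adding users to an SRE, classify each requested username as create, update, or reject depending on whether an existing account sits in the SHM domain. The function names, the `Decision` type and the `example.org` domains are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

SHM_DOMAIN = "shm.example.org"  # constructed placeholder for the SHM's domain


@dataclass(frozen=True)
class Decision:
    username: str
    action: str  # "create", "update" or "reject"
    reason: str


def split_upn(upn: str) -> tuple[str, str]:
    """Split a user principal name into (local part, domain), lower-cased."""
    local, sep, domain = upn.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"malformed UPN: {upn!r}")
    return local.lower(), domain.lower()


def plan_user_add(requested: list[str], existing_upns: list[str],
                  shm_domain: str = SHM_DOMAIN) -> list[Decision]:
    """Decide, per requested username, what an add command should do.

    A username that exists only under another domain is rejected rather
    than silently updated and added to the SRE users group.
    """
    by_local: dict[str, set[str]] = {}
    for upn in existing_upns:
        local, domain = split_upn(upn)
        by_local.setdefault(local, set()).add(domain)

    decisions = []
    for username in requested:
        domains = by_local.get(username.lower(), set())
        if not domains:
            decisions.append(Decision(username, "create", "no existing account"))
        elif shm_domain.lower() in domains:
            decisions.append(Decision(username, "update", "account is in the SHM domain"))
        else:
            found = ", ".join(sorted(domains))
            decisions.append(Decision(username, "reject",
                                      f"exists under {found}, not {shm_domain}"))
    return decisions


# Constructed directory contents mirroring the report: one pre-existing account
# from another domain, one user with no account yet.
EXISTING = ["bob.smith@old.example.org"]
PLAN = plan_user_add(["bob.smith", "james.allen"], EXISTING)
```
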