Update -- 

I discovered a method to get a user in the tenant using lookup by email, without having to loop through all the users.  I don’t know why I didn’t see this before, but there is a Filter in the “Get Users In Tenant” action.

This has helped reduce the number of steps in my workflow and it allows my workflow to complete without failure.

What might help next is to allow me to check if a user is a member in the Nintex group, without having to loop through all the users in the group.  I am working on that now.  Any suggestions?

Update -- 

I now have a new method for getting the users, except I don’t have to call the Nintex NAC Xtension / API. This optimizes even more.  My workflow went from double-digit runtime (minutes) to single digit runtime.  I’ll post updated screenshots below.

Here’s a new summary of the steps.

Action 1 - Get all the members of the AD group.

Action 2 - Get all the Nintex Groups in the tenant (because I don’t yet know a method to get a Nintex Group by name without looping through all the groups).

Action 3 - Loop through each Nintex Group.

Action 4 - If one Nintex Group name matches the group name we want, then run this next step:

Action 5 - Loop through each member of the AD group.

Action 6 - (Re)set a Flag to False, for use later.

Action 7 - Get Users in Tenant (Filter by Email) - we only want 1, but it returns as a collection object.

Action 8 - Loop for each Nintex user in that collection object.

Action 9 - Set a Flag to Yes, for use later.

Action 10 - Set a Flag to Yes that we found a user, so that we can exit the loop above when done processing this user.

Action 11 - Loop for each Nintex user in the Nintex group.

Action 12 - Run if true, if the Id of this member of the Nintex group matches the Id of the user found that we are looping through in the AD group (from Action 5), AND isMember is Yes.

Action 13 - Run if true, if isOwner is NOT Yes OR isOwner has no value.

Action 14 - Set the Flag so we can exit the loop later.

Action 15 - Run if true, if we did not find that the user was a member of the Nintex group, run the next step.

Action 16 - Add user into Nintex group.

Action 17 & beyond, if we did not find a user all all, run steps to create the user (Get First Name & Last Name from AD), then add user into Nintex group.

Plus, Loop through the Nintex group to find users who should not be in the group (they are no longer in the AD group), then remove from Nintex group.

Compile a text string of all the changes for each scenario and output it so that it can be displayed in an email (a separate "dispatcher" workflow does this).

What would be great, though, is when it gives me the Nintex Group object, if I could store it as text an run it through the Query JSON action.

Currently, it won’t allow me to do it. Here’s what I mean:

This workflow runs action Get Groups in Tenant and starts a loop for each.

Before the loop, I can display the text of the whole Groups object.  It displays as JSON, except with some of the quotes escaped by the \ character.  So “ would appear as \” and if I wanted to do something with it in Query JSON, I would have to get rid of those quotes first.

i"{\"users\":"{\"isMember\":true,\"id\":\"auth0 …

But after the loop,

if I try to display the individual Group object, it will not let me.  I can only display the elements (but I can display the Users object, the collection within a collection!).

If I could have it display that individual Group object, and have it nicely formatted for JSON (none of those escaped quotes), then I can easily use a JSONPath expression to extract the data I want, without having to loop through the Users collection separately.

I will be adding an idea to Nintex Ideas for this.

When loop through Get Nintex Groups, allow Insert of whole Group object