This depends on the version you are using. We added support for this use case with LTS version 7.0.12 and LE version 7.4.
You can change the default behavior by specifying the following properties:
**LTS version 7.0.12 and later:**
Add the additional system property `-Dch.ivyteam.ivy.security.internal.jndi.import.ondemand=true` to `ivy.vm.additional.options` in your Engine .ilc file. This property defines the default behavior of the engine.
If you want to override the default behavior for a specific application, you need to add an additional system property `-Dch.ivyteam.ivy.security.internal.jndi.import.ondemand.[app_name]=[true | false]` in your .ilc file.
**LE version 7.4 and later:**
Add the following properties to the configuration of your security system (see [engineDir]/configuration/defaults/[ivy.securitysystem.yaml][1]):

```yaml
Import:
  # Should users be imported on demand or by the synchronizing job.
  # If OnDemand is set to:
  #   true: then users are not imported by the synchronization job.
  #         Instead, a user is imported the first time she logs in.
  #   false: then users are imported by the user synchronizing job.
  #          If a user was not yet imported by the user synchronization job she is also
  #          imported the first time she logs in.
  OnDemand: true
```

**Note:** While in 7.0.12+ the system property `ch.ivyteam.ivy.security.internal.jndi.import.ondemand` is valid system wide and defines the default behavior for all security systems on an engine, in 7.4+ the `Import.OnDemand` property needs to be set for each security system. The default behavior cannot be changed and is always `false`.
[1]: https://developer.axonivy.com/doc/dev/engine-guide/configuration/files/ivy-securitysystem-yaml.html