We have some core trainings that we require employees to do before they get access to certain systems at our company. If the Active Directory Sync was 2-way, such that we knowbe4 would push group membership of certain groups back to Active Directory, we could automatically grant access in these systems once someone completes their training.
Mandatory training campaign is rolled out for group "mandatory-training" and once users complete they are added to "mandatory-complete" group. "mandatory-training" group is sync'ed AD -> knowbe4. "mandatory-complete" group is sync'ed knowbe4 -> AD.
Once a user completes the training the are added automatically to mandatory-complete which is then sync'ed to AD and access to various systems is granted.