Bentley now supports syncing groups in Active Directory with IMS groups. Eventually this will enable ProjectWise permissions to be determined by group membership in your IdP - but that is still in development.
Nonetheless, I suggest you look into federation with Bentley IMS. The best way to get full control over your IMS security (specifically password policy and MFA) is via federation with Bentley IMS. Users are auto-provisioned via JIT provisioning, and automatically lose access once you disable or remove them from your IdP, so federation increases security while reducing your maintenance overhead time. And for the end user, it's one less password to remember (...or you to reset.)
There is more information on our federation landing page, and a very small service request form there to start the engagement.