Azure AD SCIM not sending Delete Requests

Rahul 236 Reputation points
2020-01-21T19:35:30.017+00:00

Hi,

As per Microsoft Documentation, SCIM should send Delete requests on user deletion.

Reference: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/use-scim-to-provision-users-and-groups#delete-user

Tried soft-deleting a user; still no Delete requests from SCIM.
Tried a permanent delete for a user; still no Delete request received from SCIM.

The issue is that if the user is in a disabled state, he is getting deleted from the application. It should trigger a Delete Request only in the case of a soft delete or hard delete.

Any suggestions here? How do I receive or trigger Delete Requests via SCIM?

A similar query was asked on the forum, but there is no verified answer: (https://social.msdn.microsoft.com/Forums/azure/en-US/170a0b6b-c728-4af7-8cde-84787bc38c19/in-azure-ad-scim-delete-call-does-not-happen-when-user-is-unassigned-from-the-app?forum=WindowsAzureAD)


Accepted answer
  1. AmanpreetSingh-MSFT 56,306 Reputation points
    2020-01-23T06:02:49.88+00:00

    @Rahul Users in the soft-deleted state are disabled in the connected application. After 30 days, when the user is hard deleted from Azure AD, it is deleted from the connected application. This depends on the IsSoftDeleted attribute mapping, which is used to determine the state of the user and whether to send an update request with active = false to soft delete the user. To see this setting, navigate to:

    Azure Portal > Azure Active Directory > Enterprise applications > your_application > Provisioning

    On the provisioning blade, if you click on Mappings drop down and click on Synchronize Azure Active Directory Users to your_application, there must be an expression for IsSoftDeleted attribute. For example, in Salesforce Sandbox app, the expression looks like:

    The Not([IsSoftDeleted]) expression in AAD maps to the IsActive attribute in Salesforce.

    This means that if the user is not in the soft-deleted state in AAD, it will be in the active state in Salesforce. If you soft delete the user, it will not be active in Salesforce and will be marked as inactive/disabled.

    You can change this setting and, instead of the IsSoftDeleted attribute, use any other attribute such as accountEnabled.

    You can try setting SkipOutOfScopeDeletions to 1 (true); then accounts that go out of scope will not be disabled in the target. This flag is set at the Provisioning App level and can be configured using the Graph API. For the step-by-step instructions, please refer to https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/skip-out-of-scope-deletions

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.
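As an added example (not code from the question, the answers, or Microsoft), here is a minimal Python handler for a SCIM `/Users/{id}` endpoint that keeps the two cases the accepted answer describes apart: a soft delete arrives as a PATCH setting `active` to false and must only disable the account, while only a real DELETE removes it. The in-memory store and the user id are constructed; the handler accepts both JSON booleans and the string form `"False"` for `active` and matches the op name case-insensitively, since those variants are ones the Azure AD provisioning service is known to send.

```python
import json
from typing import Dict, Tuple

# Constructed in-memory user store: SCIM user id -> record (not a real backend)
USERS: Dict[str, dict] = {
    "u-1001": {"userName": "alice@example.test", "active": True},
}

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def _as_bool(value) -> bool:
    """Accept 'active' as a JSON bool or as the strings 'True'/'False'."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError(f"unsupported value for active: {value!r}")


def handle_scim_request(method: str, user_id: str, body: str = "") -> Tuple[int, str]:
    """Dispatch one request to /Users/{id} and return (status, outcome).

    Soft delete in Azure AD arrives as PATCH active=false -> disable only.
    Hard delete (after the retention window) arrives as DELETE -> remove.
    """
    user = USERS.get(user_id)
    if user is None:
        return 404, "not found"
    if method == "DELETE":
        del USERS[user_id]  # only an explicit DELETE removes the account
        return 204, "deleted"
    if method == "PATCH":
        doc = json.loads(body)
        if PATCH_OP_SCHEMA not in doc.get("schemas", []):
            return 400, "invalidSyntax"
        for op in doc.get("Operations", []):
            # op names are matched case-insensitively ("Replace" vs "replace")
            if op.get("op", "").lower() != "replace":
                continue
            path = op.get("path", "")
            value = op.get("value")
            if path.lower() == "active":
                user["active"] = _as_bool(value)
            elif not path and isinstance(value, dict) and "active" in value:
                # path-less replace carrying attributes in the value object
                user["active"] = _as_bool(value["active"])
        return 200, "enabled" if user["active"] else "disabled"
    return 405, "method not allowed"
```

The disabled user stays in the store after the PATCH, so a later DELETE still has a record to remove, which is the behaviour the question expects.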


1 additional answer

  1. Aldrin Kazuhiko Song 1 Reputation point
    2020-06-16T18:20:37.777+00:00

    Hi,

    Did you try waiting for a normal interval? As per checking, it is working if you wait for the normal provisioning interval, not the manual run.
