Deprovisioning not working in Azure AD

Dan Butterfield 0 Reputation points
2024-07-23T16:04:11.7533333+00:00

Hello – we’ve been asked to set up deprovisioning in Azure AD (Entra ID). Users are in Entra; the target system is a custom app with a SCIM 2.0 compliant API.

Here's what we have done:

  1. Created an enterprise app
  2. In that enterprise app, under Provisioning, we've added the Admin credentials, both url and token, and the test works fine
  3. Added a user under 'Users and Groups' to the application
  4. In 'Provision on demand', we've created that user in the target system, it works fine.
  5. In 'Users and Groups', remove the user we added before
  6. Return to 'Provision on demand' and then try to provision that user. It says the user was skipped because it wasn't assigned to the application. Unfortunately, that means it wasn't deprovisioned from the target system. This is the problem: we need the user to be deprovisioned.
  7. We verified all the steps in the following page were followed, under the heading of ‘Deprovisioning’, including that ‘Update’ was selected: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/how-provisioning-works

Here are some other things we've tried:

  1. We've tried 'Sync all users and groups', but that doesn't send the deprovision either, as all users and groups will always be in scope.
  2. We tried setting ‘SkipOutOfScopeDeletions’ to ‘False’, but that didn’t help; the user was still skipped.
  3. We tried using dynamic groups to add and remove users, but that didn’t help; still skipped.
  4. We have created support tickets in Azure and talked to MS support, but they didn’t know how to fix it either.

The reason I believe this should work comes from this page: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/provision-on-demand?pivots=app-provisioning

near the end it says: "On-demand provisioning supports disabling users that have been unassigned from the application. However, it doesn't support disabling or deleting users that have been disabled or deleted from Microsoft Entra ID. Those users don't appear when you search for a user."

Unfortunately, no matter what we try, the user is always skipped, whether in ‘Provision on demand’ or via the regular provisioning process. We’re looking for either the HTTP DELETE request to be sent, or the HTTP PATCH with the active flag set to ‘false’.

Akhilesh Vallamkonda 10,325 Reputation points Microsoft Vendor
2024-07-25T16:01:03.1466667+00:00

Hi @Dan Butterfield

I'm glad that you were able to resolve your issue, and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

Issue: Deprovisioning not working in Azure AD. It says the user was skipped because it wasn't assigned to the application.

Solution:

The 'get' SCIM call wasn't returning the object; the deprovisioning process makes that call first. That issue has been resolved.

If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
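To make the root cause concrete, here is an added example (not code from the thread, the asker's app, or Microsoft) that models both sides of the exchange described above: a minimal in-memory SCIM 2.0 `/Users` endpoint and the connector-side sequence a provisioning service follows when a user leaves scope. The connector first looks the user up with the SCIM equality filter (`userName eq "..."`, per RFC 7644) and only then sends the PATCH that sets `active` to false, or the DELETE. The `BrokenScimServer` class is a constructed stand-in for "a GET that never returns the object"; it is not the asker's actual defect, only the shape of the symptom. The user record, IDs and names are constructed sample data.

```python
import re

# Constructed sample directory held by the target application (not real data).
SEED_USERS = [
    {"id": "2819c223-7f76-453a-919d-413861904646",
     "userName": "dbutterfield@example.com",
     "externalId": "ext-0001", "active": True},
]

LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# The lookup filter a provisioning connector sends, e.g. userName eq "x"
FILTER_RE = re.compile(r'^(?P<attr>userName|externalId)\s+eq\s+"(?P<value>[^"]*)"$')


def parse_filter(expr):
    """Parse a SCIM 2.0 equality filter on the matching attribute."""
    m = FILTER_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported SCIM filter: {expr!r}")
    return m.group("attr"), m.group("value")


class ScimServer:
    """Minimal in-memory SCIM 2.0 /Users endpoint (illustrative, not a real app)."""

    def __init__(self, users):
        self.users = {u["id"]: dict(u) for u in users}

    def list_users(self, filter_expr):
        # GET /Users?filter=...  Must return the existing object or the
        # connector has nothing to disable or delete.
        attr, value = parse_filter(filter_expr)
        # userName is caseExact=false in RFC 7643, so compare case-insensitively
        hits = [u for u in self.users.values() if u.get(attr, "").lower() == value.lower()]
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(hits), "Resources": hits}

    def patch_user(self, user_id, patch_op):
        # PATCH /Users/{id} with a PatchOp replacing "active"
        user = self.users.get(user_id)
        if user is None:
            return 404, {"status": "404"}
        for op in patch_op["Operations"]:
            if op["op"].lower() == "replace" and op.get("path") == "active":
                v = op["value"]  # accept a real bool or the string "False"/"True"
                user["active"] = v if isinstance(v, bool) else str(v).lower() == "true"
        return 200, user

    def delete_user(self, user_id):
        # DELETE /Users/{id}
        if self.users.pop(user_id, None) is None:
            return 404, {"status": "404"}
        return 204, None


class BrokenScimServer(ScimServer):
    """Constructed stand-in for a GET that never returns the object: the filter
    is accepted but every lookup comes back empty, so deprovisioning is skipped."""

    def list_users(self, filter_expr):
        parse_filter(filter_expr)  # validated, then ignored
        return 200, {"schemas": [LIST_SCHEMA], "totalResults": 0, "Resources": []}


def deprovision(server, user_name, soft_delete=True):
    """Connector-side sequence for a user that has left scope: look up by
    userName first, then disable (PATCH active=false) or remove (DELETE).
    A lookup miss is reported as a skip, the symptom seen in the question."""
    status, body = server.list_users(f'userName eq "{user_name}"')
    if status != 200 or body["totalResults"] == 0:
        return "skipped: user not found in target"
    user_id = body["Resources"][0]["id"]
    if soft_delete:
        patch = {"schemas": [PATCH_SCHEMA],
                 "Operations": [{"op": "Replace", "path": "active", "value": False}]}
        status, body = server.patch_user(user_id, patch)
        return f"PATCH {status}: active={body['active']}"
    status, _ = server.delete_user(user_id)
    return f"DELETE {status}"


if __name__ == "__main__":
    print(deprovision(BrokenScimServer(SEED_USERS), "dbutterfield@example.com"))
    print(deprovision(ScimServer(SEED_USERS), "dbutterfield@example.com"))
    print(deprovision(ScimServer(SEED_USERS), "dbutterfield@example.com", soft_delete=False))
```

The broken server produces the "skipped" outcome even though the user exists in its store, while the correct server lets the same connector logic reach the PATCH or DELETE. When validating a custom SCIM endpoint for deprovisioning, exercising the filtered GET with the exact matching attribute the connector uses is the check that surfaces this class of problem.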
