That message is being generated by the external SCIM server that AAD Provisioning is communicating with. It sounds like it doesn't like the attempts at disabling the user.
To touch on what can lead to a user being disabled - any of:
- The user was unassigned from the application/removed from any groups assigned to the application
- The user was disabled in AAD
- The user was soft-deleted in AAD (i.e.: recycle bin)
- The user was filtered by scoping filters
The error response code is interesting - 409 is usually used for conflicts during creation. Do the audit logs in AAD say that a user was trying to be created or updated? If a user is trying to be created with active = false, your mappings may be misconfigured for the active attribute. Typically it should be Not([isSoftDeleted]) -> active.