SCIM Provisioning soft-delete (inactive user) issue

Chris Harris 0 Reputation points
2023-05-04T13:16:15.14+00:00

I have users that I am attempting to have the active status set to false in the target user roster. My attribute mapping is set to Not([IsSoftDeleted]) -> active. When the user is updated to be inactive (Account enabled is unchecked in users), the provisioning service will not send a message to the target user roster. I only get the message below. I have restarted the provision service with the same results. Is there a way to reset Azure's understanding if a soft-deletion was previously processed?

Message from logs:
The User 'ZZZZ@ZZZZZZ.COM' was evaluated to be soft-deleted in the source system and the provisioning service should soft-delete the target entry. However, the soft-deletion has been processed by the provisioning service previously. The soft delete operation will be skipped.

Microsoft Entra ID

1 answer

  1. Danny Zollner 9,521 Reputation points Microsoft Employee
    2023-05-04T16:21:32.98+00:00

    I do not believe you can reset this, short of re-enabling the users in AAD, letting provisioning process them, and then disabling them again. The message you're seeing effectively means that the switch from entitled -> not entitled (active true -> false, in this case) was already observed and processed. Was the mapping for the SCIM active attribute different in the past? I've seen people fall into this situation by changing to a bad mapping, such as accountEnabled -> active, and then trying to remove the user from scope via some other method besides accountEnabled = false, such as unassigning from the application.

    1 person found this answer helpful.
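
A simplified model of the skip behaviour described in the answer above, added here as an illustration; it is not Microsoft's code and not from either poster. The class and function names, and the assumption that a user counts as soft-deleted when disabled or unassigned, are constructed for the example.

```python
# Toy model (an assumption, not the provisioning service's implementation)
# of "soft-deletion has been processed previously, operation skipped".
from dataclasses import dataclass, field

@dataclass
class SourceUser:
    account_enabled: bool = True
    assigned: bool = True            # assigned to the enterprise application

    @property
    def is_soft_deleted(self):
        # Assumed: out of scope when disabled or unassigned.
        return not (self.account_enabled and self.assigned)

# Attribute mappings that produce the SCIM "active" value.
GOOD = lambda u: not u.is_soft_deleted   # Not([IsSoftDeleted]) -> active
BAD = lambda u: u.account_enabled        # accountEnabled -> active

@dataclass
class Provisioner:
    mapping: object
    soft_delete_processed: bool = False  # remembered between sync cycles
    target_active: bool = True           # state held by the SCIM target
    log: list = field(default_factory=list)

    def sync(self, user):
        if not user.is_soft_deleted:     # entitled: clear the memory, update
            self.soft_delete_processed = False
            self.target_active = self.mapping(user)
            self.log.append("update")
        elif self.soft_delete_processed: # transition already seen: no message
            self.log.append("skipped")
        else:                            # first entitled -> not entitled switch
            self.target_active = self.mapping(user)
            self.soft_delete_processed = True
            self.log.append("soft-delete")
        return self.target_active

def stuck_then_reset():
    user, p = SourceUser(), Provisioner(BAD)
    user.assigned = False                # removed from scope by unassigning
    stuck = [p.sync(user)]               # BAD mapping sends active=True
    p.mapping = GOOD                     # mapping corrected afterwards
    user.account_enabled = False
    stuck.append(p.sync(user))           # skipped: target account stays active
    user.account_enabled = user.assigned = True
    p.sync(user)                         # back in scope, processed once
    user.account_enabled = False
    return stuck, p.sync(user), p.log    # now active=False reaches the target
```

The security-relevant outcome is the middle state: the source account is disabled while the target roster still reports the user as active, so the target application should be audited for such accounts after any mapping change.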