Share via

SCIM Provisioning soft-delete (inactive user) issue

Chris Harris 0 Reputation points
2023-05-04T13:16:15.14+00:00

I have users that I am attempting to have the active status set to false in the target user roster. My attribute mapping is set to Not([IsSoftDeleted]) -> active. When the user is updated to be inactive (Account enabled is unchecked in users), the provisioning service will not send a message to the target user roster. I only get the message below. I have restarted the provision service with the same results. Is there a way to reset Azure's understanding if a soft-deletion was previously processed?

Message from logs:
The User '******@ZZZZZZ.COM' was evaluated to be soft-deleted in the source system and the provisioning service should soft-delete the target entry. However, the soft-deletion has been processed by the provisioning service previously. The soft delete operation will be skipped.

Microsoft Security | Microsoft Entra | Microsoft Entra ID
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Danny Zollner 10,826 Reputation points Microsoft Employee Moderator
    2023-05-04T16:21:32.98+00:00

    I do not believe you can reset this, short of re-enabling the users in AAD, letting provisioning process them, and then disabling them again. The message you're seeing effectively means that the switch from entitled -> not entitled (active true -> false, in this case..) was already observed and processed. Was the mapping for the SCIM active attribute different in the past? I've seen people fall into this situation by changing to a bad mapping, such as accountEnabled -> active, and then trying to remove the user from scope via some other method besides accountEnabled = false, such as unassigning from the application.

    Was this answer helpful?

    1 person found this answer helpful.

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.