SCIM Provisioning soft-delete (inactive user) issue

Chris Harris 0 Reputation points
2023-05-04T13:16:15.14+00:00

I have users that I am attempting to have the active status set to false in the target user roster. My attribute mapping is set to Not([IsSoftDeleted]) -> active. When the user is updated to be inactive (Account enabled is unchecked in users), the provisioning service will not send a message to the target user roster. I only get the message below. I have restarted the provision service with the same results. Is there a way to reset Azure's understanding if a soft-deletion was previously processed?

Message from logs:
The User 'ZZZZ@ZZZZZZ.COM' was evaluated to be soft-deleted in the source system and the provisioning service should soft-delete the target entry. However, the soft-deletion has been processed by the provisioning service previously. The soft delete operation will be skipped.

Azure Active Directory

1 answer

  1. Danny Zollner 7,016 Reputation points Microsoft Employee
    2023-05-04T16:21:32.98+00:00

    I do not believe you can reset this, short of re-enabling the users in AAD, letting provisioning process them, and then disabling them again. The message you're seeing effectively means that the switch from entitled -> not entitled (active true -> false, in this case) was already observed and processed. Was the mapping for the SCIM active attribute different in the past? I've seen people fall into this situation by changing to a bad mapping, such as accountEnabled -> active, and then trying to remove the user from scope via some other method besides accountEnabled = false, such as unassigning from the application.

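To find accounts left in the state discussed in this thread (disabled in the source, but never marked inactive in the target roster), a source export can be compared with the users returned by the target's SCIM endpoint. This is an added example, not part of the original thread and not Microsoft's code. It assumes userPrincipalName is mapped to the SCIM userName; the function names and sample records are constructed for illustration.

```python
"""Flag users disabled in the source directory but still active in the SCIM target."""


def scim_active(value):
    """Normalise a SCIM 'active' value; some clients and servers send strings."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)  # assumption: a missing attribute is treated as inactive


def find_deprovisioning_drift(source_users, target_users):
    """Return (still_active, missing) lists of lower-cased user names.

    still_active: disabled in the source, yet active in the target roster.
    missing: disabled in the source and not present in the target at all.
    """
    # Assumption: userPrincipalName -> userName mapping.
    # userName is compared case-insensitively (RFC 7643 marks it caseExact: false).
    target = {u["userName"].lower(): u for u in target_users}
    still_active, missing = [], []
    for user in source_users:
        if user["accountEnabled"]:
            continue
        name = user["userPrincipalName"].lower()
        entry = target.get(name)
        if entry is None:
            missing.append(name)
        elif scim_active(entry.get("active")):
            still_active.append(name)
    return sorted(still_active), sorted(missing)


# Constructed sample data (not from the thread).
SOURCE = [
    {"userPrincipalName": "Alice@example.com", "accountEnabled": False},
    {"userPrincipalName": "bob@example.com", "accountEnabled": False},
    {"userPrincipalName": "carol@example.com", "accountEnabled": True},
    {"userPrincipalName": "dave@example.com", "accountEnabled": False},
]
TARGET = [
    {"userName": "alice@example.com", "active": True},    # drift: should be inactive
    {"userName": "bob@example.com", "active": "False"},   # string form of false
    {"userName": "carol@example.com", "active": True},
]

if __name__ == "__main__":
    active, absent = find_deprovisioning_drift(SOURCE, TARGET)
    print("Disabled in source but active in target:", active)
    print("Disabled in source, not found in target:", absent)
```

Users in the first list are the ones that would need the re-enable, provision, disable cycle described in the answer above.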