I have hard Deleted a user form Entra ID and they will not get recreated with Auto provisioning

Question

I have hard Deleted a user form Entra ID and they will not get recreated with Auto provisioning

Steve 5

So I had a user that had created an account before we setup Entra ID. I have set up auto user provisioning with Google Workspace to Entra ID and this works. By adding a user to a Group in Google Workspace they are Auto provisioned in Entra ID. So I was haivng issues with one user account in Entra ID so I hard deleted it and then i was hoping that auto provision would recreate to user again in Entra ID. Problem is that I am getting no error and the user is not being created. Any idea where to look to see what the issue is?

Carlos Solís Salazar 18,201 Reputation points MVP Volunteer Moderator

2023-12-05T20:35:51.37+00:00
here are some steps you can take to investigate and potentially resolve the issue:

Check Provisioning Logs in Entra Identity Governance:

Go to the Azure portal and navigate to Microsoft Entra Identity Governance.

Look for the provisioning logs. These logs provide details on the provisioning process, including successes and failures.

Review Google Workspace Configuration:

Ensure that the user is correctly added to the specific group in Google Workspace that triggers the auto-provisioning.

Check if there are any specific attributes or settings in Google Workspace that might be preventing the user from being synced.

Examine User Attributes:

Sometimes, missing or incorrect user attributes (like email addresses or usernames) can prevent provisioning.

Verify that all required attributes for the user are correctly set in Google Workspace.

Review Hard Delete Implications:

Understand that when you hard delete a user in Entra Identity Governance, there might be a delay or additional steps needed before the user can be re-provisioned.

Check if there are any remnants of the old user account in Entra Identity Governance that might be causing conflicts.

Check Provisioning Settings in Entra Identity Governance:

Review the auto-provisioning settings to ensure they are correctly configured to sync with Google Workspace.

Sometimes, making a minor change and saving the settings again can help reset the provisioning process.

Synchronization Schedule:

Auto-provisioning processes often run on a schedule. Make sure you are aware of this schedule and have waited a sufficient amount of time for the process to run.

Manually Trigger a Provisioning Cycle:

If possible, try manually triggering a provisioning cycle from within Entra Identity Governance and monitor what happens with the user account in question.

Remember, the integration of different platforms for user provisioning can sometimes be complex, and issues can arise from a variety of sources. Careful examination of logs, settings, and user attributes is often key to resolving these issues.
Steve 5 Reputation points

2023-12-05T20:52:08.38+00:00

Thanks For the reply, when I go to Azure ID in my portal I set the filter to the last 7 days and it's empty. I know I have provisioned 2 users yesterday that are not showing up here! So there is nothing in those logs, this user was provisioned automatically by the Auto Provision but user kept haveing the weirdest lopping logings to teams so I thought I would delete the account and try again! SO I know their account has no issues on Google Workspace side and it provisioned in the past. I am just kind of stuck as to how you would re-provision a user. I cant manually create the user either in Entra ID becuase i get the error "SourceAnchor is a required property for creation of a federated user" I am kind of stuck.
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2024-01-11T01:03:16.53+00:00

Hello @Steve , is this outbound provisioning (Entra ID to Google) or inbound (Google to Entra ID)?

2 answers

Your answer

Steve 5 Reputation points

2023-12-05T20:52:08.38+00:00

Thanks For the reply, when I go to Azure ID in my portal I set the filter to the last 7 days and it's empty. I know I have provisioned 2 users yesterday that are not showing up here! So there is nothing in those logs, this user was provisioned automatically by the Auto Provision but user kept haveing the weirdest lopping logings to teams so I thought I would delete the account and try again! SO I know their account has no issues on Google Workspace side and it provisioned in the past. I am just kind of stuck as to how you would re-provision a user. I cant manually create the user either in Entra ID becuase i get the error "SourceAnchor is a required property for creation of a federated user" I am kind of stuck.
Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator

2024-01-11T01:03:16.53+00:00

Hello @Steve , is this outbound provisioning (Entra ID to Google) or inbound (Google to Entra ID)?

Answer 1

Today I had the same issue as described above by Steve.

The user provisioned from Google Workspace to EntraID was deleted in EntraID. After the redemption period it was deleted permanently, so not recoverable.
Syncing this user freshly from Google Workspace wasn't working as I got the error '45010, Please restore this deleted user from Office 365 Admin Console.' However this user was not recoverable.
Creating a new user in EntraID was not possible as you can't create new users with a domain that is federated.

What worked for me:

Create a new user to replace the deleted user in EntraID that will use the UPN 'onmicrosoft.com' domain.
Change the UPN and UnmuttableID using the Microsoft Graph Powershell Module to the federated domain.
- Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All"
- Update-MgUser -UserId '<username>@<domain>.onmicrosoft.com' -UserPrincipalName '<username>@<federateddomain.com>' -OnPremisesImmutableId '<username>@<federateddomain.com>'
E.g. if your Google Workspace domain is: 'contoso.com' you will create a new user in EntraID '@contoso.onmicrosoft.com' and use PowerShell to rename it to '@contoso.com' and set the ImmutableID.
After creating the user and setting the Immutable ID run the Sync in Google Workspace to sync the users. You see now that the other user properties like name etc. are synced.
After that I could login again on office.com using the Google Workspace account.

Dan Thomas 0 Reputation points

2025-06-23T13:05:48.61+00:00

Adding on to Lars answer the reason why that command works is because if you try to create a new federated user you can by using the following command:

$sourceAnchor = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("******@domain.com"))

New-MgUser -AccountEnabled -DisplayName "First Last" -MailNickname "username" -UserPrincipalName "******@domain.com" -OnPremisesImmutableId $sourceAnchor -UserType "Member" -UsageLocation "US"

But the account will not properly link up with Google... However I realized that after you have performed this task you can then run an update and the account will link.

Update-MgUser -UserId '<username>@<domain>.com' -OnPremisesImmutableId '<username>@<federateddomain.com>'

Basically when creating a new account it will only allow you to put in a encrypted source anchor for a new account using new-mguser. This is what Microsoft uses to sync for Entra ID Connect. But Google doesn't want that and will not work with the encrypted form.

Update-MgUser allows you to use a non-encyrpted immutable ID which then allows the account to be properly linked.

Answer 2

Thameur-BOURBITA 36,261 Moderator

Hi @Steve •

You should start by checking if all prerequisites mentioned on the article below are configured :

Tutorial: Configure G Suite for automatic user provisioning

Please don't forget to accept helpful answer

Steve 5 Reputation points

2023-12-06T14:17:26.4866667+00:00

Yes all prereq are done, as mentioned in the OP other users are syncing and they user was orginally synced but was having issues so all the steps are done to sync users properly

Share via

I have hard Deleted a user form Entra ID and they will not get recreated with Auto provisioning

2 answers

Your answer