Hello – we’ve been asked to setup a deprovisioning setup in Azure AD (Entra AD), users are in Entra, target system is a custom app with a SCIM 2.0 compliant api.
Here's what we have done:
- Created an enterprise app
- In that enterprise app, under Provisioning, we've added the Admin credentials, both url and token, and the test works fine
- Added a user under 'Users and Groups' to the application
- In 'Provision on demand', we've created that user in the target system, it works fine.
- In 'Users and Groups', remove the user we added before
- Return to 'Provision on demand' and then try to provision that user. It says the user was skipped because it wasn't assigned to the application. Unfortunately, that means that it wasn't de- provisioned from the target system. This is the problem, we need the user to be deprovisioned.
- We verified all the steps in the following page were followed, under the heading of ‘Deprovisioning’, including that ‘Update’ was selected: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/how-provisioning-works
Here are some other things we've tried:
- We've tried 'Sync all users and groups', but that doesn't send the deprovision either, as all users and groups will always be in scope.
- We tried turning on ‘SkipOutOfScopeDeletions’ to ‘False’, but that didn’t help, still skipped
- We tried using dynamic groups to add and remove users from, didn’t help, still skipped
- We have created support tickets in azure and talked to MS support, but they didn’t know how to fix it either.
The reason I believe this should work comes from this page: https://learn.microsoft.com/en- us/entra/identity/app-provisioning/provision-on-demand?pivots=app- provisioninghttps://learn.microsoft.com/en-us/entra/identity/app-provisioning/provision-on- demand?pivots=app-provisioning
near the end it says: "On-demand provisioning supports disabling users that have been unassigned from the application. However, it doesn't support disabling or deleting users that have been disabled or deleted from Microsoft Entra ID. Those users don't appear when you search for a user."
Unfortunately, no matter what we try, the user is always skipped, whether in ‘Provision on demand’ or via the regular provisioning process. We’re looking for either the Http Delete message to be sent, or the Http Patch with the active flag set to ‘false’.