OpenID Connect Account Disablement/Deletion

Momchil Atanasov 21 Reputation points
2020-12-14T13:30:17.69+00:00

Hi all,

When integrating with Azure AD over OpenID Connect in order to get federated authentication, is there some mechanism to get notifications when a user has been disabled/deleted in Azure AD?

It seems that the official way is through the Secure Event Token specification in combination with the OpenID Connect's RISC Events. However, I have only found one Identity Provider that has documented support for this mechanism. Does Azure AD have something similar or is there an alternative approach to achieve this?

Some more context: Once I user has authenticated against Azure AD over OpenID Connect, I would like to be able to provide services to the user that should be disabled once the user has been disabled/deleted in Azure AD. An example might be a long-running process that needs to be stopped and that outlasts the user's session or data that needs to be cleaned up.

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,807 questions
0 comments No comments
{count} votes

Accepted answer
  1. 2020-12-15T00:12:12.25+00:00

    Hello, you can use the Microsoft Graph API to get notified of changes in Azure AD users. Please take a look to Set up notifications for changes in user data.

    Please let me know if you need more help. If the answer was helpful to you, please accept it and, optionally, provide feedback so that other members in the community can benefit from it.


1 additional answer

Sort by: Most helpful
  1. 2020-12-15T16:21:07.513+00:00

    Hi @Momchil Atanasov , you can do both, all users or specific users. You can use an access token issued for MS Graph (as resource) using the implicit flow, authorization code flow, ropc flow, client credentials (authenticate as the application) flow or on behalf of flow. To create a subscription you need to be granted the User.Read.All scope (if authenticated as a user) or role (of authenticated as an application.

    Please let me know if you need more help. If the answer was helpful to you, please accept it and, optionally, provide feedback so that other members in the community can benefit from it.