Azure GCP provisioning connector can't delete groups from Google Workspace

Darryl Coombs 0 Reputation points
2024-09-06T13:01:15.57+00:00

Azure synchronizes users and groups from our Active Directory, and the GCP provisioning connector syncs these users and groups to Google Workspace. Everything works fine except for group deletion. When a group is deleted from AD it is also deleted from Azure, but when the connector tries to remove the group from Google Workspace we get this error in the provisioning log:

Google does not support reversible (or "soft") deletes for this type of object. An irreversible (or "hard") delete will not be requested, precisely because the result of such a request is not reversible. One is advised to manually delete the entry in Google if, indeed, an irreversible delete is deemed desirable in this case.

Our AD environment is quite fluid, so we have ended up with a lot of orphaned groups in GCP and a lot of failure errors in the provisioning logs every 40 minutes. I would think this would be a common issue but my searching hasn't turned up anything useful.

Has anyone found an automated solution to this? Is it just a setting that I'm missing in the connector config?

Thanks

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Akhilesh 9,850 Reputation points Microsoft Vendor
    2024-09-12T18:53:26.0233333+00:00

    Hi @Darryl Coombs

    Thank you for reaching Microsoft Q&A!

    I understand that you are trying to delete the groups in GCP, but you are facing an issue stating Google does not support reversible (or "soft") deletes for this type of object.

    Based on the error message, it states that Google Workspace does not support automatic deletion of groups through the provisioning connector.

    Try to remove the groups manually in Entra ID, as instructed in "Remove users, groups, or devices from an administrative unit"; you can perform a single or bulk operation.
    In the same way, you can use "Removes an Active Directory group" and see whether the synced groups exist in GCP.

    Also, as the error message is from GCP, I would suggest reaching out to Google Cloud Customer Support.

    Hope this helps. Do let us know if you have any further queries by responding in the comments section.

    Thanks.

    Akhilesh.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
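For the cleanup problem described in the question, the following is an added example (not code from either poster or from Microsoft) that collapses the repeating soft-delete failures in an exported provisioning log into one review entry per group. It assumes the export uses the Microsoft Graph `provisioningObjectSummary` keys shown, that the error text appears in `errorInformation.reason`, and that you supply the set of group IDs still present in Entra ID; all sample records are constructed.

```python
from collections import defaultdict

# Phrase taken from the error text quoted in the question.
MARKER = 'does not support reversible (or "soft") deletes'

def _rec(ts, gid, name, status, reason, kind="Group"):
    # Constructed record; keys assume Graph's provisioningObjectSummary shape.
    return {"activityDateTime": ts,
            "sourceIdentity": {"id": gid, "displayName": name, "identityType": kind},
            "provisioningStatusInfo": {"status": status,
                                       "errorInformation": {"reason": reason}}}

ERR = "Google " + MARKER + " for this type of object."
SAMPLE_LOG = [  # constructed sample, not real log data
    _rec("2024-09-06T12:00:00Z", "g-001", "proj-alpha", "failure", ERR),
    _rec("2024-09-06T12:40:00Z", "g-001", "proj-alpha", "failure", ERR),
    _rec("2024-09-06T12:40:05Z", "g-002", "proj-beta", "failure", ERR),
    _rec("2024-09-06T12:40:09Z", "g-003", "proj-gamma", "failure", "Timeout"),
    _rec("2024-09-06T12:41:00Z", "u-100", "jdoe", "success", None, kind="User"),
]

def orphan_candidates(records, live_group_ids):
    """Collapse repeated soft-delete failures into one entry per group,
    skipping any group that still exists in the source directory."""
    found = defaultdict(lambda: {"name": None, "failures": 0, "first": None, "last": None})
    for r in records:
        info = r.get("provisioningStatusInfo") or {}
        reason = (info.get("errorInformation") or {}).get("reason") or ""
        src = r.get("sourceIdentity") or {}
        if (info.get("status") != "failure" or src.get("identityType") != "Group"
                or MARKER not in reason or not src.get("id")
                or src["id"] in live_group_ids):
            continue
        entry, ts = found[src["id"]], r["activityDateTime"]
        entry["name"] = src.get("displayName")
        entry["failures"] += 1
        entry["first"] = min(entry["first"] or ts, ts)  # ISO-8601 UTC sorts as text
        entry["last"] = max(entry["last"] or ts, ts)
    return dict(found)

if __name__ == "__main__":
    # g-002 is still present in Entra ID here, so it must not be listed.
    for gid, e in orphan_candidates(SAMPLE_LOG, live_group_ids={"g-002"}).items():
        print(f"{e['name']} ({gid}): {e['failures']} failed deletes, "
              f"{e['first']} .. {e['last']}; review, then delete in Google manually")
```

The output is a review list only; the delete in Google Workspace stays a deliberate manual step because, as the error says, it cannot be reversed.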

