SCIM provisioning: when disabling a user with active roles, the user's roles should be removed as well

Danny Bollaert
2024-09-23T21:55:24.3433333+00:00

Use case

I have a couple of applications that want to provision the different types of administrators to the applications using roles. The normal users are not being provisioned with SCIM.

Problem

When a user is removed from every group inside the enterprise application, a trigger event should deactivate/update the user. This update should contain the removal of all roles. Instead, because we do not use the "Active" attribute in our mapping, the user is not updated at all when the user is deactivated.

Note: the application does receive an update that the user is removed from the group.

Expected Behaviour

When a user is removed from the group, the user loses the role assigned.

Even when the user is deactivated during the process.

Configuration With Active

When you allow active, only the active attribute is being updated.

Configuration flags tried

Result: no effect.

How to replicate it?

I used the SCIM gateway Loki plugin. This allows me to run an in-memory SCIM server.
https://github.com/jelhub/scimgateway/tree/master

Thank you for having a look.
Danny
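To make the two behaviours described in the question concrete, here is an added example (not code from the question, from scimgateway or from Microsoft Entra) of a minimal SCIM 2.0 PatchOp handler over an in-memory user record. It contrasts a PATCH that only flips "active" to false, which leaves the role entries on the record, with a PATCH that also removes the roles. The `clear_roles_on_deactivate` switch and `effective_roles()` helper are assumptions: an application-side safeguard so that a deactivated user never keeps usable privileges even when the provisioning client only updates "active". The sample user and both PATCH messages are constructed.

```python
"""Minimal SCIM 2.0 PatchOp handling (RFC 7644 section 3.5.2) over one user record.
Added example: not the question author's code, not scimgateway, not Entra's client.
"""
import copy

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample user: an administrator provisioned with two application roles.
SAMPLE_USER = {
    "id": "u-1001",
    "userName": "admin.example@example.test",
    "active": True,
    "roles": [
        {"value": "BillingAdmin", "primary": True},
        {"value": "ReportViewer", "primary": False},
    ],
}

# Constructed: a PATCH that only updates "active", as the question reports seeing
# when the Active attribute is mapped. Roles are untouched by this message.
ACTIVE_ONLY_PATCH = {
    "schemas": [PATCH_SCHEMA],
    "Operations": [{"op": "replace", "path": "active", "value": False}],
}

# Constructed: the shape the question expects, role removal plus deactivation.
EXPECTED_PATCH = {
    "schemas": [PATCH_SCHEMA],
    "Operations": [
        {"op": "remove", "path": 'roles[value eq "BillingAdmin"]'},
        {"op": "remove", "path": 'roles[value eq "ReportViewer"]'},
        {"op": "replace", "path": "active", "value": False},
    ],
}


def _as_bool(value):
    # Some SCIM clients send booleans as the strings "True"/"False"; accept both forms.
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return bool(value)


def _filter_value(path):
    # Parse the simple value filter form roles[value eq "X"].
    inner = path[len("roles["):-1]
    attr, oper, val = inner.split(" ", 2)
    if attr != "value" or oper != "eq":
        raise ValueError(f"unsupported filter: {path}")
    return val.strip('"')


def apply_patch(user, patch, clear_roles_on_deactivate=False):
    """Return a new user dict with the PatchOp applied; the input is not mutated.

    Supported operations: replace "active", remove "roles" (all), and remove a
    single role by value filter. clear_roles_on_deactivate is an assumed
    application-side safeguard: when the result is inactive, drop every role.
    """
    if patch.get("schemas") != [PATCH_SCHEMA]:
        raise ValueError("not a SCIM PatchOp message")
    out = copy.deepcopy(user)
    for op in patch["Operations"]:
        kind = op["op"].lower()
        path = op.get("path", "")
        if kind == "replace" and path == "active":
            out["active"] = _as_bool(op["value"])
        elif kind == "remove" and path == "roles":
            out["roles"] = []
        elif kind == "remove" and path.startswith("roles["):
            role = _filter_value(path)
            out["roles"] = [r for r in out["roles"] if r["value"] != role]
        else:
            raise ValueError(f"unsupported operation: {op}")
    if clear_roles_on_deactivate and not out["active"]:
        out["roles"] = []
    return out


def effective_roles(user):
    """Roles the application should honour: none at all for an inactive user."""
    if not user["active"]:
        return []
    return [r["value"] for r in user["roles"]]


if __name__ == "__main__":
    stale = apply_patch(SAMPLE_USER, ACTIVE_ONLY_PATCH)
    print("active-only PATCH leaves stored roles:", [r["value"] for r in stale["roles"]])
    print("effective roles for the inactive user:", effective_roles(stale))
    clean = apply_patch(SAMPLE_USER, EXPECTED_PATCH)
    print("expected PATCH leaves stored roles:", clean["roles"])
    guarded = apply_patch(SAMPLE_USER, ACTIVE_ONLY_PATCH, clear_roles_on_deactivate=True)
    print("active-only PATCH with safeguard leaves stored roles:", guarded["roles"])
```

The point of `effective_roles()` is that an application should derive privileges from both "active" and "roles", so a stale role entry on a deactivated record grants nothing; the `clear_roles_on_deactivate` option goes one step further and removes the entries, which keeps audit views and role reports accurate even if the provisioning client never sends the role removals.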
