Presently, Azure AD Provisioning does not flow null/empty values into target directories. This means that an attribute that has a value will not have that value removed, even if the value is removed in Azure AD. This will be possible in the future, but I don't have an ETA that I can share unfortunately.
User provisioning skipped when removing user's attributes
Whenever we remove a single user's attribute, provisioning of the user is skipped - i.e. when setting the manager or phone number to null, after the synchronisation action completes we get the message in the logs that the state of the user in both the source and target systems already match, although this is clearly not the case. Looking at the documentation https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-config-problem-no-users-provisioned#provisioning-logs-say-users-are-skipped-and-not-provisioned-even-though-they-are-assigned does not give any clues about what might be the cause of this behaviour; we do not set scope filters, and all the attributes do get updated for both add and replace actions.
Target object actions are required for all actions: create, update and delete. Both delete and disable user work for us.
Is there anything in the setup that might be causing this kind of behaviour?
Thanks @Danny Zollner for your reply. Do you have news about the ETA? Honestly it's really limiting that the user doesn't get synced when his manager is removed. Is there a workaround? I also tried to define a custom attribute "hasManager" using the expression "Not(IsNullOrEmpty([manager]))", but also in this case the field always returns True because for Azure AD the manager is still there.
Hello, please create a support request to properly address this issue, or let us know if you need assistance doing so.
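An added example, not part of the original thread or of Microsoft's tooling: an offline audit that compares an export from the source directory with an export from the target application and lists attributes that were cleared at the source but are still populated in the target, which is the drift the "already match" log entry described above does not surface. The attribute names, the `userName` join key and the sample records are constructed assumptions.

```python
# Added example: offline drift audit between two user exports.
# Field names, join key and sample records are constructed for illustration.

def is_empty(value):
    """Treat None, blank strings and empty collections as 'no value'."""
    if value is None:
        return True
    if isinstance(value, str):
        return value.strip() == ""
    if isinstance(value, (list, dict)):
        return len(value) == 0
    return False

def audit_drift(source_users, target_users, attributes, key="userName"):
    """Per user, list attributes that are stale in the target (cleared at
    source, still set in target) or set on both sides with different values."""
    target_by_key = {u[key].lower(): u for u in target_users}
    report = {}
    for src in source_users:
        tgt = target_by_key.get(src[key].lower())
        if tgt is None:
            continue  # user not present in target; outside this audit
        stale, mismatch = [], []
        for attr in attributes:
            s, t = src.get(attr), tgt.get(attr)
            if is_empty(s) and not is_empty(t):
                stale.append(attr)      # cleared upstream, never removed
            elif not is_empty(s) and not is_empty(t) and s != t:
                mismatch.append(attr)   # ordinary pending update
        if stale or mismatch:
            report[src[key]] = {"stale_in_target": stale,
                                "value_mismatch": mismatch}
    return report

# Constructed sample exports (source directory vs. target application)
SOURCE = [
    {"userName": "alice@example.com", "manager": None,
     "telephoneNumber": "", "department": "Finance"},
    {"userName": "bob@example.com", "manager": "carol@example.com",
     "telephoneNumber": "+1 555 0100", "department": "IT"},
]
TARGET = [
    {"userName": "alice@example.com", "manager": "dave@example.com",
     "telephoneNumber": "+1 555 0199", "department": "Sales"},
    {"userName": "bob@example.com", "manager": "carol@example.com",
     "telephoneNumber": "+1 555 0100", "department": "IT"},
]

if __name__ == "__main__":
    attrs = ["manager", "telephoneNumber", "department"]
    for user, findings in audit_drift(SOURCE, TARGET, attrs).items():
        print(user, findings)
```

Entries under `stale_in_target` are the ones to review by hand where the target application uses the manager or phone attribute for approvals or account recovery.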