Microsoft Security | Microsoft Entra | Microsoft Entra ID
A cloud-based identity and access management service for securing user authentication and resource access
Entra ID Won't Send Delete Requests
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 17%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELS%3C/text%3E%3C/svg%3E)
Luke Schwemler
0
Reputation points
I'm working on Entra ID provisioning support for an app. I've set it up as an enterprise application, and I'm receiving (and responding to) provisioning requests. When I add accounts to my app on Entra ID, it successfully provisions them on my app and Entra displays that it is synchronized. However, for both hard deletes and soft deletes, I am not receiving any PATCH, PUT, or DELETE requests for the deleted users. This occurs (or rather, fails to occur) for both deleting the entire user, and for just deleting the connection between the Entra ID user and my app. I've investigated a few potential causes without any results;
- My accidental delete threshold is set to 500. I am deleting only single users at a time. I've had nowhere even close to 500 users total.
- I am monitoring all requests my app is receiving, I am 100% confident that there is simply not any requests coming in to disable or delete provisioned users
- In Attribute Mapping -> Target Object Actions, I have the Create, Update, and Delete options all enabled. Attribute mapping is also enabled.
- The user 'active' attribute is set to
Switch([IsSoftDeleted], , "False", "True", "True", "False")(the default value) - The provisioning scope is set to "All users and groups"
- "Skip Out Of Scope Deletions" is set to false
I've checked the provisioning logs - when a user is soft-deleted, after next sync there is a skipped update for that user with the following info:
Result: Skipped
Description: The User '<redacted>' will be skipped due to the following reasons: 1) This object is not active in the source system.
SkipReason: NotEffectivelyEntitled
IsActive: False
Assigned to the application: True
IsInProvisioningScope: True
ScopeEvaluationResult: {}
ReportableIdentifier: <redacted>
Note that the <redacted>s are mine, Entra is showing the user email address here. It makes sense that soft-deleting a user marks their account as inactive, but I can't fathom why this wouldn't update the provisioned account to also disable it. Nothing shows up in the logs for hard deleted users.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 7.000000000000001%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC3%3C/text%3E%3C/svg%3E)
Carolyne-3676 956 Reputation points2026-02-02T12:40:55.87+00:00 I believe this is expected behavior: when a user is soft-deleted or becomes inactive, Microsoft Entra provisioning does not send PATCH/DELETE calls and instead marks the user as NotEffectivelyEntitled, skipping deprovisioning actions for custom apps. A DELETE request is only sent after the user is permanently deleted (hard delete) from Entra ID, which happens 30 days after soft deletion or when explicitly purged from the recycle bin.
https://learn.microsoft.com/en-us/entra/identity/app-provisioning/understand-provisioning#deprovisioning
Sign in to comment
Sign in to answer