
API-Driven Provisioning: Expected Behavior When active Attribute Is Omitted

Amit Mishra 0 Reputation points
2026-06-09T17:33:22.5+00:00

We are using Microsoft Entra API-driven provisioning to provision users into on-premises Active Directory with the recommended mapping:

accountDisabled = Not([active])

We have three scenarios:

  1. Onboarding – create/update users and send active=true.
  2. Offboarding – disable users and send active=false.
  3. AD Sync – update user attributes (name, title, department, manager, etc.) without modifying the current AD account enabled/disabled status.

Our question relates to the AD Sync scenario.

Can the active attribute be omitted from the SCIM payload when we do not intend to update the account status?

During our testing, when active was not included in the payload, the provisioning logs still showed:

Active = False

This raises a concern that the expression:

accountDisabled = Not([active])

may evaluate to:

accountDisabled = True

and disable the AD account even though no account status change was intended.

Could you please confirm:

  1. What is the expected behavior when the SCIM payload does not contain the active attribute?
  2. Does Entra treat a missing active value as False, Null, or preserve the existing target state?
  3. Is omitting active a supported approach for attribute-only synchronization scenarios where account status should remain unchanged?
  4. If omitting active is not supported, what is the recommended pattern for updating AD attributes without affecting the account enabled/disabled state while still using the standard mapping accountDisabled = Not([active])?

We would appreciate guidance on the recommended design pattern for supporting onboarding, offboarding, and attribute synchronization within the same API-driven provisioning configuration.

Microsoft Security | Microsoft Entra | Other

1 answer

  1. AI answer

    2026-06-09T17:33:46.16+00:00

    The available information only states the default behavior and mapping model; it does not define how a missing active attribute is treated in API-driven inbound provisioning, nor does it describe a supported pattern for omitting active while keeping accountDisabled = Not([active]) unchanged.

    The documented behavior is:

    • For API‑driven inbound provisioning, the SCIM Core User schema attribute active is the default driver for account status.
    • By default:
      • If active is true, the default mapping enables the account.
      • If active is false, the default mapping disables the account.
    • If provisioning to on‑premises AD, a source attribute should be mapped to accountDisabled for account status control.

    However, the documentation does not specify:

    • How Entra interprets a missing active attribute in the SCIM payload (for example, as false, null, or “preserve existing state”).
    • Whether omitting active is a supported pattern for attribute‑only sync scenarios.
    • A prescribed pattern for combining onboarding, offboarding, and attribute‑only sync in a single configuration while using accountDisabled = Not([active]).

    Because these details are not present in the provided documentation, no further behavior or design pattern can be stated.


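A pre-send guard for the AD Sync scenario discussed above, as an added example that is not part of the original question or answer and not Microsoft's code. Because the thread leaves the handling of a missing active undefined, the guard does not rely on it: it flags operations in a SCIM bulk request that lack a boolean active, and pins the value from a caller-supplied record of current account state. The function names, the enabled_by_id lookup and the sample payload are assumptions constructed for illustration.

```python
import copy

BULK_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"

def audit_active(payload):
    """List every operation whose data lacks an explicit JSON boolean `active`."""
    findings = []
    for i, op in enumerate(payload.get("Operations", [])):
        data = op.get("data") or {}
        label = op.get("bulkId") or f"op[{i}]"
        if "active" not in data:
            findings.append((label, "active omitted"))
        elif not isinstance(data["active"], bool):
            findings.append((label, f"active is {data['active']!r}, not a boolean"))
    return findings

def pin_active(payload, enabled_by_id):
    """Return a copy in which an omitted `active` is set from enabled_by_id
    (hypothetical lookup: externalId -> bool). Fails closed when the account
    status cannot be determined instead of letting a default decide it."""
    fixed = copy.deepcopy(payload)
    for op in fixed.get("Operations", []):
        data = op.setdefault("data", {})
        if isinstance(data.get("active"), bool):
            continue  # status stated explicitly by the caller
        ext_id = data.get("externalId")
        if "active" in data or ext_id not in enabled_by_id:
            raise ValueError(f"{op.get('bulkId')}: cannot determine account status")
        data["active"] = enabled_by_id[ext_id]
    return fixed

# Constructed sample: an attribute-only sync batch (user schemas trimmed).
SAMPLE = {
    "schemas": [BULK_SCHEMA],
    "Operations": [
        {"method": "POST", "bulkId": "sync-1001", "path": "/Users",
         "data": {"externalId": "1001", "userName": "a.lee", "title": "Analyst"}},
        {"method": "POST", "bulkId": "sync-1002", "path": "/Users",
         "data": {"externalId": "1002", "userName": "b.khan", "active": "true"}},
        {"method": "POST", "bulkId": "onb-1003", "path": "/Users",
         "data": {"externalId": "1003", "userName": "c.diaz", "active": True}},
    ],
}
```

Build enabled_by_id from the same authoritative source that drives offboarding, so a stale value cannot re-enable an account that has since been disabled.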