"Deprovisioning" is not reflected on ServiceNow "sys_user" table from Azure AD.

Aki 1 Reputation point
2021-11-12T10:40:51.133+00:00

Regarding auto-user provisioning from Azure AD to ServiceNow, I integrated them and successfully provisioned users as expected.

Also, after the users were created in ServiceNow, changes to user attributes in Azure AD were reflected on the user records in ServiceNow accordingly.

However, the deletion of the user from Azure AD didn't get reflected on ServiceNow and the user is still there.

Could you let me know how to "deprovision" users?

Best Regards,

Aki

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2021-11-12T21:58:42.98+00:00

    If all is configured correctly, the Azure AD provisioning service keeps source and target systems in sync by de-provisioning accounts when users should not have access anymore.

    User attribute mapping by default includes the following mapping for ServiceNow:

    • Switch([IsSoftDeleted], , "False", "1", "True", "0") with Active attribute of ServiceNow

    If the user is in a soft-deleted state in Azure AD, the Active attribute should be set to "false", and if the user is not in the soft-deleted state, the Active attribute will be set to true in ServiceNow. The Azure AD provisioning service should soft delete the user in the application when the user account is deleted in Azure AD. (See related thread on deprovisioning users.)

    If the target application does not support soft deletes, the provisioning service will send a delete request to permanently delete the user from the app.

    If the changes are not being reflected, you could try restarting provisioning so that all in-scope objects in AAD are evaluated. Note that if a user that was previously managed by the provisioning service is unassigned from an app, or from a group assigned to an app, we will send a disable request. At that point, the user is not managed by the service and we will not send a delete request when they are deleted from the directory.

    Resources:

    How Provisioning Works
    ServiceNow Provisioning Troubleshooting
    Deprovisioning users

    0 comments No comments
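
A reconciliation check for the situation in this thread, as an added example that is not part of the answer above or of any Microsoft or ServiceNow tooling: it emulates the quoted Switch mapping and lists sys_user rows that are still active although the directory user is soft-deleted or gone. The record layout, the field names (userPrincipalName, isSoftDeleted, user_name, active) and matching on user_name are assumptions, and the sample data is constructed.

```python
# Added example: works on exported records only, no calls to Entra ID or ServiceNow.

def switch(source, default, *pairs):
    """Emulate the provisioning expression Switch(source, default, key1, value1, ...)."""
    for key, value in zip(pairs[0::2], pairs[1::2]):
        if source == key:
            return value
    return default

def expected_active(is_soft_deleted):
    # Mapping quoted in the answer: "False" -> "1", "True" -> "0".
    return switch(str(bool(is_soft_deleted)), "", "False", "1", "True", "0")

def is_active(value):
    # Assumption: an export may show active as "true"/"false" or "1"/"0".
    return str(value).strip().lower() in ("1", "true")

def find_stale_accounts(entra_users, sys_users):
    """Return (user_name, reason) for sys_user rows still active without a live directory user."""
    by_upn = {u["userPrincipalName"].lower(): u for u in entra_users}
    findings = []
    for row in sys_users:
        if not is_active(row["active"]):
            continue  # already disabled in ServiceNow, nothing to report
        source = by_upn.get(row["user_name"].lower())
        if source is None:
            findings.append((row["user_name"], "not in directory or recycle bin"))
        elif expected_active(source["isSoftDeleted"]) == "0":
            findings.append((row["user_name"], "soft-deleted in directory"))
    return findings

# Constructed sample data (hypothetical users).
ENTRA_USERS = [
    {"userPrincipalName": "alice@example.com", "isSoftDeleted": False},
    {"userPrincipalName": "bob@example.com", "isSoftDeleted": True},
    {"userPrincipalName": "dave@example.com", "isSoftDeleted": True},
]
SYS_USERS = [
    {"user_name": "alice@example.com", "active": "true"},
    {"user_name": "bob@example.com", "active": "true"},    # deprovisioning not reflected
    {"user_name": "carol@example.com", "active": "1"},     # no longer in the directory
    {"user_name": "dave@example.com", "active": "false"},  # correctly disabled
]

if __name__ == "__main__":
    for name, reason in find_stale_accounts(ENTRA_USERS, SYS_USERS):
        print(f"{name}: active in ServiceNow but {reason}")
```

Accounts reported as "not in directory or recycle bin" include the case the answer describes, where a user was unassigned from the app before deletion and no delete request was sent.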
