Azure SCIM: remove user from sync group does not delete the user

Question

I sync Azure AD into my server via SCIM. I created an application and I assigned a group with users to that app. I started provisioning.
When I add a user to the sync group, I see a SCIM call to create a new user and to add it to the group.
When I delete a user from the sync group, I see this user being deactivated on my server, but not deleted. Why?
Indeed I haven't deleted this user from the AD, but from the provisioning process point of view, this user should no longer exist on the remote server. When I remove a user from a synced group, I expect an operation opposite to adding a user to a synced group, which should be a Delete.

Can I expect this user to be permanently deleted from my server after 30 days (like soft delete)?

Answer 1

The relevant documentation for this is here: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/how-provisioning-works#de-provisioning

Upon review, these docs appear to be a bit unclear - we'll work on making them clearer. The behavior that you're seeing is expected. For the custom non-gallery SCIM application, as well as most of our SCIM gallery integrations, we'll only disable users in the connected SCIM application except for when the user has been observed as being hard deleted from AAD. This is not customizable. We are looking at expanding the amount of control that customers have over what happens in these scenarios so that certain conditions can be set to lead to either a disable or a delete. We do not have an ETA that can be shared at this time regarding when those changes may come, however.