Do the attributes contribute by Azure AD Connect Provisioning Agent retain their values when disconnected?

Michael Liben 161 Reputation points
2022-08-22T19:35:12.407+00:00

When a user object goes out of scope from the Azure AD Provisioning Service and subsequently the Azure AD Connect Provisioning Agent, are the values contributed from the HR source retained in the Azure AD object or are they deleted. This question assumes we configured our agent to 'Skip deletion of user accounts that go out of scope in Azure Active Directory.'

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,419 questions
Accepted answer
  1. JimmySalian-2011 41,916 Reputation points
    2022-08-23T08:12:18.623+00:00

    Hi,

    Thank you for asking this question on the Microsoft Q&A Platform.

    It depends on the type of attribute you have setup in the AD Connect provisioning, AFAIK the attributes that are synced to the user object in Azure AD will be retained, unless you manually remove the mapping from the user object from on-prem AD.

    Yes you are correct skip deletion of user accounts will soft delete the object in Azure AD and will remove the object incl the attributes.

    Please check the attributes that you have configured and it will give you detailed information.
    how-to-attribute-mapping

    how-to-map-usertype

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Akshay-MSFT 16,026 Reputation points Microsoft Employee
    2022-09-16T07:11:39.333+00:00

    Hello @Michael Liben ,

    I was able to check on this. As per: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/skip-out-of-scope-deletions SkipOutOfScopeDeletions is set to 1 (true), accounts that go out of scope will not be disabled in the target.

    So, in this case would user attributes values be preserved in Azure AD and same will be use when user comes back to scope or being rehired in the system.

    If SkipOutOfScopeDeletions is set to 0, accounts that go out of scope will be disabled in the target immediately and will be removed after 30 days.

    A user is soft deleted in Azure AD (sent to the recycle bin / AccountEnabled property set to false). 30 days after a user is deleted in Azure AD, they will be permanently deleted from the tenant. At this point, the provisioning service will send a DELETE request to permanently delete the user in the application.

    Please "Accept the answer" and rate your experience if the information helped you. This will help us and others in the community as well.

    0 comments