Delete User Provisioning issue
I am using SCIM auto provisioning in my Azure AD integration. While the API endpoint is triggered successfully when a new user is added (using the POST method), it does not trigger when a user is deleted, deactivated, or removed from Azure AD. I need assistance in configuring the delete user functionality so that the corresponding SCIM endpoint is triggered when users are deleted or deactivated in Azure AD. Please help me resolve this issue.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
-
Jyotishree Moharana • 1,865 Reputation points • Microsoft External Staff • Moderator
2025-04-18T16:40:50.2766667+00:00 Hello @Prakash YosiHealth,
Delete should show up as part of the synchronization rules in the Provisioning. Could you please check once under Provisioning logs.
The SCIM API should also support and have the endpoints below defined:
PATCH /Users/{id} with "active": false
DELETE /Users/{id} to delete the user
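To make the two endpoints named above concrete, here is a framework-free Python handler for a SCIM 2.0 /Users resource that accepts the PATCH "active": false deactivation and the DELETE removal. This is an added example, not code from the thread or from Microsoft; the in-memory user store and the sample ids are constructed. One defensive assumption is built in: the "active" value is accepted both as a JSON boolean and as the strings "True"/"False", so a string "False" is never treated as truthy. The handler only shows what a compliant endpoint should do once a request arrives; whether the provisioning service sends the request at all is decided by the assignment and mapping checks discussed later in the thread, and the first thing to inspect on the application side is its own request log for any PATCH or DELETE from the provisioning service.

```python
"""Minimal SCIM 2.0 /Users deprovisioning handler (added example, not from the thread)."""
from __future__ import annotations

import json
from typing import Any

# Constructed in-memory user store keyed by SCIM id (hypothetical sample data).
USERS: dict[str, dict[str, Any]] = {
    "a1b2": {"id": "a1b2", "userName": "alice@example.com", "active": True},
    "c3d4": {"id": "c3d4", "userName": "bob@example.com", "active": True},
}

SCIM_PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
SCIM_ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


def _error(status: int, detail: str) -> dict[str, Any]:
    """SCIM error response body (RFC 7644 section 3.12)."""
    return {"schemas": [SCIM_ERROR_SCHEMA], "status": str(status), "detail": detail}


def _as_bool(value: Any) -> bool:
    """Accept JSON booleans and the string forms "True"/"False" (assumption:
    some provisioning clients send the string form), so "False" is never truthy."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    raise ValueError(f"unsupported boolean value: {value!r}")


def patch_user(user_id: str, body: dict[str, Any]) -> tuple[int, dict[str, Any]]:
    """Apply a SCIM PatchOp. The deprovisioning case is a Replace of "active"
    with false, either with path "active" or as a path-less value object."""
    user = USERS.get(user_id)
    if user is None:
        return 404, _error(404, f"User {user_id} not found")
    if SCIM_PATCH_SCHEMA not in body.get("schemas", []):
        return 400, _error(400, "missing PatchOp schema")
    for op in body.get("Operations", []):
        kind = str(op.get("op", "")).lower()
        if kind not in ("replace", "add"):
            return 400, _error(400, f"unsupported op {kind!r}")
        path, value = op.get("path"), op.get("value")
        try:
            if path is not None and path.lower() == "active":
                user["active"] = _as_bool(value)
            elif path is None and isinstance(value, dict) and "active" in value:
                user["active"] = _as_bool(value["active"])
            else:
                return 400, _error(400, f"unsupported path {path!r}")
        except ValueError as exc:
            return 400, _error(400, str(exc))
    return 200, user


def delete_user(user_id: str) -> tuple[int, dict[str, Any] | None]:
    """DELETE /Users/{id}: remove the record; 204 with no body on success."""
    if USERS.pop(user_id, None) is None:
        return 404, _error(404, f"User {user_id} not found")
    return 204, None


def handle(method: str, path: str, raw_body: str = "") -> tuple[int, dict[str, Any] | None]:
    """Route the two deprovisioning requests: PATCH and DELETE on /Users/{id}."""
    parts = path.strip("/").split("/")
    if len(parts) != 2 or parts[0] != "Users":
        return 404, _error(404, "not found")
    user_id = parts[1]
    if method == "PATCH":
        return patch_user(user_id, json.loads(raw_body))
    if method == "DELETE":
        return delete_user(user_id)
    return 405, _error(405, "method not allowed")


if __name__ == "__main__":
    # Constructed requests in the shape a provisioning client would send.
    deactivate = json.dumps({"schemas": [SCIM_PATCH_SCHEMA],
                             "Operations": [{"op": "Replace", "path": "active", "value": "False"}]})
    print(handle("PATCH", "/Users/a1b2", deactivate))   # (200, {... 'active': False})
    print(handle("DELETE", "/Users/c3d4"))              # (204, None)
```

Returning 204 for DELETE and echoing the updated resource for PATCH matches what the provisioning client expects; an error body carries the SCIM Error schema so the client can log the reason rather than a bare status code.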
-
Jyotishree Moharana • 1,865 Reputation points • Microsoft External Staff • Moderator
2025-04-21T09:00:29.4533333+00:00 Hello @Prakash YosiHealth,
We haven't heard from you since the last response and were just checking back to see if you have a resolution yet.
If you have a resolution, please share it with the community, as it can be helpful to others. Otherwise, please respond with more details and we will try to help.
-
Prakash YosiHealth • 0 Reputation points
2025-04-21T09:51:47.76+00:00 Hello @Jyotishree Moharana,
Thank you for your email.
We have checked the provisioning logs, but unfortunately, we did not receive any logs for the DELETE or PATCH methods when attempting to delete or remove a user. The logs only show the POST method.
Could you please assist in resolving this issue? We are unable to receive any PATCH/DELETE logs at this time, and your guidance would be much appreciated to help us move forward with this process.
Looking forward to your support.
-
Jyotishree Moharana • 1,865 Reputation points • Microsoft External Staff • Moderator
2025-04-21T18:57:22.87+00:00 Hello @Prakash YosiHealth,
Thank you for the information. We can go through the troubleshooting steps below to check where the flow is stuck.
- Provisioning (including user updates or deletions) happens only for users who are assigned to the SCIM application. If a user is not assigned, through direct assignment or group assignment, Azure will ignore them for provisioning updates. The first thing to verify is that the user is assigned to the application before removal or deletion. If a user is unassigned before provisioning kicks in, Entra ID will not know to deactivate them, as the SCIM provisioning system tracks assignments.
- Check the provisioning scope settings: the Provisioning status should be ON and the scope should be set to "Sync only assigned users and groups".
- Check whether the "active" attribute is correctly mapped:
  - Go to Provisioning -> Mappings -> Provision Azure Active Directory Users.
  - Scroll through the mappings and check that:
    - "active" is mapped from a constant (True) or from a conditional expression;
    - its matching precedence is lower than that of the identifier mapping (such as userPrincipalName);
    - the direction is Azure AD -> Application.
  If the active field isn't mapped, Azure won't send PATCH requests to change it to false.
- Now test the flow: assign the user, wait for the provisioning cycle to run (or trigger it manually with provisioning on demand), and then unassign the user. Check the audit logs again to see whether a PATCH request with "active": false is triggered.
-
Prakash YosiHealth • 0 Reputation points
2025-04-22T08:13:10.0933333+00:00 Hello @Jyotishree Moharana,
Thank you for the troubleshooting steps.
I would like to confirm the following:
- The user is already assigned to the SCIM application.
- The scope is set to "Sync only assigned users and groups".
- The provisioning status is ON.
Regarding the "active" attribute mapping, I have tried the following:
- Default mapping value: Switch([IsSoftDeleted], , "False", "True", "True", "False")
- Updated mapping value: Not([IsSoftDeleted])
- Constant mapping with value True
Despite these changes, I am still not receiving the PATCH method for user deletion. When I deactivate the user or remove them from the application, I receive the GET method with the userName value, and I handle the user removal functionality based on that. However, when deleting the user, there is no action in the audit logs, and the PATCH request is not triggered.
Could you please assist in setting the correct value for the "active" attribute or let me know if any other attribute needs to be modified to resolve this issue?
Looking forward to your assistance.
-
Anonymous
2025-04-22T11:32:13.5333333+00:00 @Prakash YosiHealth, Azure AD will only send a PATCH request with "active": false when:
- A user is assigned to the app, and then
- The user is soft-deleted in Azure AD (not hard-deleted), OR
- The user is removed from the app assignment.
As far as I know, hard-deleting a user from Azure AD will not trigger a SCIM PATCH or DELETE call.
To manage user deactivation, configure the mapping as follows:
- Target Attribute: active
- Expression: Not([IsSoftDeleted])
- Apply this mapping.
This setup ensures that Azure sends a PATCH request with "active": false when a user is soft-deleted in Azure AD. Otherwise, please try the steps below once to confirm:
- Assign a user to the SCIM app (you should get a POST).
- Go to Azure AD > Users > choose the user.
- Click Delete → this performs a soft-delete (the user stays in the recycle bin for 30 days).
- Wait 20–40 minutes for provisioning to sync.
- Azure should now send a PATCH to /Users/{id} with active: false.
Let me know if it works. Feel free to reach out if any further queries!
-
Anonymous
2025-04-23T04:36:35.8533333+00:00 @Prakash YosiHealth, check the Provisioning Logs (Enterprise Applications > Your App > Provisioning > Logs):
- Shows SCIM actions like Create, Update, Delete, and Disable.
- Only logs users in scope for provisioning.
And the Audit Logs (Monitoring > Audit Logs):
- Shows high-level Azure AD activity (e.g., user deleted, disabled).
- Helps confirm if the user was modified at the directory level.
- Ensure your SCIM API logs incoming PATCH/DELETE requests.
- Use audit logs to confirm the user's deletion/deactivation actually occurred in Entra ID.
Refer to https://learn.microsoft.com/en-us/entra/identity/monitoring-health/howto-analyze-provisioning-logs and https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-provisioning-logs
We haven't heard from you since the last response and were just checking back to see if you have a resolution yet. If you have a resolution, please share it with the community, as it can be helpful to others. Otherwise, please respond with more details and we will try to help.
-
Prakash YosiHealth • 0 Reputation points
2025-04-24T06:33:32.47+00:00 @Rukmini Thank you for the confirmation regarding hard deletes and your guidance on managing user deactivation.
Unfortunately, I am still not receiving the PATCH/DELETE method when deactivating the user or removing them from the application. Instead, I am receiving the GET method with the userPrincipalName. Based on this, I have handled the delete operation and updated my database accordingly.
In the Provisioning logs, when I perform a soft delete on the user, I see the action labeled as "Other" in the Action column, and the Success column shows "Skipped".
In the Audit logs, I can see logs occurring when the user is soft-deleted.
Could you please assist further in achieving the PATCH/DELETE method for user deactivation? Currently, I am relying on the GET method with the userPrincipalName for handling the delete operation.
Looking forward to your assistance.