Hi @Subramanyam k, the Azure AD provisioning service keeps source and target systems in sync by de-provisioning accounts when users should not have access anymore.
By default, the user attribute mapping includes the mapping below in the case of ServiceNow:
- Switch([IsSoftDeleted], , "False", "1", "True", "0") with Active attribute of ServiceNow
This means that if the user is in a soft-deleted state in Azure AD, the Active attribute will be set to false, and if the user is not in a soft-deleted state, the Active attribute will be set to true in ServiceNow. The Azure AD provisioning service will soft delete a user in an application when the application supports soft deletes (update request with active = false) and any of the following events occur:
- The user account is deleted in Azure AD
- The user is unassigned from the application
- The user no longer meets a scoping filter and goes out of scope
  - By default, the Azure AD provisioning service soft deletes or disables users that go out of scope. If you want to override this default behavior, you can set a flag to skip out-of-scope deletions.
- The AccountEnabled property is set to False

If one of the above four events occurs and the target application does not support soft deletes, the provisioning service will send a DELETE request to permanently delete the user from the app.
30 days after a user is deleted in Azure AD, they will be permanently deleted from the tenant. At this point, the provisioning service will send a DELETE request to permanently delete the user in the application. At any time during the 30-day window, you can manually delete a user permanently, which sends a delete request to the application.
If you see an attribute IsSoftDeleted in your attribute mappings, it is used to determine the state of the user and whether to send an update request with active = false to soft delete the user.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
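The decision flow described in this answer, written out as an added example (not part of the original answer and not the provisioning service's own code) that can be used to predict which request a target app should receive when auditing de-provisioning. The `User` fields, `decide`, and the request labels are hypothetical names, and the test users are constructed.

```python
from dataclasses import dataclass

def switch(source, default, *pairs):
    # Model of the mapping function Switch(source, default, key1, value1, ...)
    return dict(zip(pairs[0::2], pairs[1::2])).get(str(source), default)

@dataclass
class User:  # hypothetical field names, not a Graph or SCIM schema
    deleted: bool = False           # deleted in Azure AD, still recoverable
    days_since_delete: int = 0
    purged_manually: bool = False   # permanently deleted inside the 30-day window
    assigned: bool = True           # assigned to the application
    in_scope: bool = True           # still matches the scoping filter
    account_enabled: bool = True

def decide(u, app_supports_soft_delete=True, skip_out_of_scope=False):
    """Return (request, Active value) expected at the target application."""
    # Permanent deletion from the tenant always results in a DELETE request.
    if u.deleted and (u.days_since_delete >= 30 or u.purged_manually):
        return ("DELETE", None)
    # The skip flag suppresses de-provisioning for out-of-scope users only.
    out_of_scope = not u.in_scope and not skip_out_of_scope
    soft_deleted = (u.deleted or not u.assigned or out_of_scope
                    or not u.account_enabled)
    # Apps without soft-delete support get a DELETE instead of active = false.
    if soft_deleted and not app_supports_soft_delete:
        return ("DELETE", None)
    # Default ServiceNow mapping quoted in the answer above.
    active = switch(soft_deleted, None, "False", "1", "True", "0")
    return ("UPDATE" if soft_deleted else "NONE", active)

if __name__ == "__main__":
    # Constructed sample users covering each event listed in the answer.
    cases = {
        "active user": (User(), {}),
        "disabled account": (User(account_enabled=False), {}),
        "unassigned, no soft delete": (User(assigned=False),
                                       {"app_supports_soft_delete": False}),
        "out of scope, skip flag": (User(in_scope=False),
                                    {"skip_out_of_scope": True}),
        "deleted 5 days ago": (User(deleted=True, days_since_delete=5), {}),
        "deleted 30 days ago": (User(deleted=True, days_since_delete=30), {}),
    }
    for name, (user, kwargs) in cases.items():
        print(f"{name:28} -> {decide(user, **kwargs)}")
```

Comparing this expected outcome with the provisioning logs and the ServiceNow record helps spot accounts that stayed active after one of the listed events.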