Deprovision the users

Subramanyam k 251 Reputation points
2020-08-24T06:25:55.5+00:00

Hi,

This is regarding the deprovision of users.

Using Azure AD provisioning, we are able to provision users from Azure AD to ServiceNow.

If we want to deprovision the users, how do we do this?

In the document "https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/servicenow-provisioning-tutorial" it is given "Remove users in ServiceNow when they do not require access anymore". But we have not found information on this.

Can you suggest any documents related to deprovisioning of users?


Accepted answer
AmanpreetSingh-MSFT 56,311 Reputation points
2020-08-24T12:40:17.497+00:00

Hi @Subramanyam k, the Azure AD provisioning service keeps source and target systems in sync by de-provisioning accounts when users should not have access anymore.

By default, the user attribute mapping for ServiceNow includes the following mapping:

• Switch([IsSoftDeleted], , "False", "1", "True", "0") mapped to the Active attribute of ServiceNow

This means that if a user is in a soft-deleted state in Azure AD, the Active attribute will be set to false, and if the user is not soft-deleted, the Active attribute will be set to true in ServiceNow. The Azure AD provisioning service will soft delete a user in an application when the application supports soft deletes (an update request with active = false) and any of the following events occurs:

• The user account is deleted in Azure AD
• The user is unassigned from the application
• The user no longer meets a scoping filter and goes out of scope
  • By default, the Azure AD provisioning service soft deletes or disables users that go out of scope. If you want to override this default behavior, you can set a flag to skip out-of-scope deletions.
• The AccountEnabled property is set to False
  • If one of the above four events occurs and the target application does not support soft deletes, the provisioning service will send a DELETE request to permanently delete the user from the app.

30 days after a user is deleted in Azure AD, they will be permanently deleted from the tenant. At this point, the provisioning service will send a DELETE request to permanently delete the user in the application. At any time during the 30-day window, you can manually delete a user permanently, which sends a delete request to the application.

If you see an attribute IsSoftDeleted in your attribute mappings, it is used to determine the state of the user and whether to send an update request with active = false to soft delete the user.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
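As an added illustration (not Microsoft's code and not part of the answer above), the following Python models the deprovisioning rules the answer lists: the default IsSoftDeleted → Active Switch() mapping with the literal values quoted in the answer, the four events that trigger a soft delete, the fall-back to a DELETE request when the target app does not support soft deletes, and the hard delete once the 30-day window has passed. The user records, the `SourceUser` fields and the way the skip-out-of-scope flag is applied only to the scoping-filter event are constructed assumptions for the example; verify against your own tenant's provisioning logs before relying on the behaviour.

```python
"""Model of the Azure AD (Entra ID) provisioning service's deprovisioning decision.

Constructed example, not Microsoft code: it mirrors the rules stated in the
answer above so an administrator can reason about what request a given
user state will produce against ServiceNow (or any SCIM-style target).
"""
from dataclasses import dataclass
from typing import Optional

# Soft-deleted Azure AD users are permanently removed from the tenant after 30 days.
HARD_DELETE_AFTER_DAYS = 30


@dataclass
class SourceUser:
    """Simplified view of the source (Azure AD) user; fields are assumptions."""
    upn: str
    account_enabled: bool = True
    assigned_to_app: bool = True
    in_scope: bool = True                         # passes the scoping filter
    soft_deleted_days_ago: Optional[int] = None   # None = not deleted
    hard_deleted: bool = False                    # purged manually or by retention


def switch(value, default, *pairs):
    """Minimal evaluation of the provisioning expression function
    Switch(source, defaultValue, key1, value1, key2, value2, ...)."""
    if len(pairs) % 2:
        raise ValueError("Switch() needs key/value pairs")
    mapping = dict(zip(pairs[0::2], pairs[1::2]))
    return mapping.get(value, default)


def active_attribute(user: SourceUser) -> str:
    """Default ServiceNow mapping quoted in the answer:
    Switch([IsSoftDeleted], , "False", "1", "True", "0") -> Active."""
    is_soft_deleted = "True" if user.soft_deleted_days_ago is not None else "False"
    return switch(is_soft_deleted, "", "False", "1", "True", "0")


def deprovisioning_action(user: SourceUser,
                          app_supports_soft_delete: bool = True,
                          skip_out_of_scope_deletions: bool = False) -> Optional[str]:
    """Return the request the provisioning service would send, or None.

    Returns "DELETE" for a hard delete, "PATCH active=false" for a soft delete.
    """
    # Hard delete: user purged from the tenant (manually or after 30 days).
    if user.hard_deleted or (
        user.soft_deleted_days_ago is not None
        and user.soft_deleted_days_ago >= HARD_DELETE_AFTER_DAYS
    ):
        return "DELETE"

    # Assumption: the skip flag only suppresses the scoping-filter event.
    out_of_scope = (not user.in_scope) and not skip_out_of_scope_deletions

    triggers = (
        user.soft_deleted_days_ago is not None,   # deleted in Azure AD
        not user.assigned_to_app,                 # unassigned from the app
        out_of_scope,                             # fails the scoping filter
        not user.account_enabled,                 # AccountEnabled = False
    )
    if not any(triggers):
        return None  # nothing to deprovision; normal sync continues

    # Soft delete where the app supports it, otherwise a permanent DELETE.
    return "PATCH active=false" if app_supports_soft_delete else "DELETE"


if __name__ == "__main__":
    # Constructed sample users covering each trigger.
    samples = [
        SourceUser("alice@example.test"),
        SourceUser("bob@example.test", account_enabled=False),
        SourceUser("carol@example.test", assigned_to_app=False),
        SourceUser("dave@example.test", in_scope=False),
        SourceUser("erin@example.test", soft_deleted_days_ago=3),
        SourceUser("frank@example.test", soft_deleted_days_ago=31),
    ]
    for u in samples:
        print(f"{u.upn:22} Active={active_attribute(u)!r:4} "
              f"action={deprovisioning_action(u)}")
```

Running the block prints one line per constructed user with the Active value the mapping would emit and the request the service would send; pass `app_supports_soft_delete=False` to see every trigger collapse into a DELETE, and `skip_out_of_scope_deletions=True` to see the scoping-filter case produce no request.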

