In the event of a user leaving or being terminated, the Active Directory (AD) account must be disabled, group memberships should be revoked, and the account must be moved to the disabled OU. This functionality is currently operational.
Enhancement: If the account is already disabled during termination, it should still undergo other deprovisioning actions such as moving it to the disabled OU and removing group memberships. We are modifying the operation from Disable to Modify when the account status is disabled.
Hi @aishwaryagoswami, it is not throwing any error but logic is not working and such that if the account is already disabled during termination, it should still undergo other deprovisioning actions such as moving it to the disabled OU and removing group memberships.
If the user account is already in a disabled status, there will be no provisioning activity triggered, so you cannot modify the plan as there is no plan generated in the first place.
You will need to sync some attribute to AD (eg. employee status) as part of the user termination and then modify the plan to accommodate your changes.
Alternatively, you can make use of an aftermodify powerShell script instead of a before provisioning rule to achieve this.
Please also take a look at the below thread on making use of the Services Standard Before Provisioning Rule to achieve most of the AD use cases by making changes in the source configuration.