Delete AzureAD account

I’ve a requirement wherein, when a user moves to the “leave10days” lifecycle state, the corresponding AzureAD account needs to be deleted for the same user.
I was thinking to use a Before Provisioning rule with the logic that any “disable” account request is converted to a “delete” account request.

I want to know whether the AzureAD source has an implementation for the “delete” account request, or whether there is a better way to implement this?

Hello,

You can refer to the documentation: Account Management for User, User in Federated Domain, and Guest User (B2B).
As I can see, there is no possibility to delete users; you are only able to disable those identities.

Regards,
Pablo

Hi @pablonovoa,

Thank you for sharing the link; for some reason I couldn’t find that.

Yeah, unfortunately ISC does not support the delete account operation in your case.

Hi @RitikaK

AFAIK, there is no support for the delete operation in the Azure AD connector.

An alternative solution would be to use workflows to call the Microsoft Graph API for the deletion upon a disable account request.

HTH

Hi Shailee,

Could you please share some reference?

Thanks in advance

Scheduled PowerShell script on the IQ server that checks for any accounts in that lifecycle state, gets the account’s Entra ID GUID from an identity attribute, then sends a delete request to Entra ID.

No need for workflows.


Hi @RitikaK ,

Hope this gives you a start to design the workflow:

Step 1: Trigger - Identity Attributes Changed. You can use the filter (Advanced) as $.changes[?(@.attribute == "cloudLifecycleState")]

Step 2: Compare String operator to check if the new cloudLifecycleState value is “leave10days”:
$.trigger.changes[?(@.attribute == "cloudLifecycleState")].newValue with leave10days

Step 3: For the Compare String True flow, Get Identity based on $.trigger.identity.id

Step 4: Define Variable to fetch and store the Entra ID GUID from the user’s Azure account. The value of the variable userId can be defined as:
$.getIdentity.attributes.<Entra GUID>

Step 5: HTTP Request action to DELETE https://graph.microsoft.com/v1.0/users/{{$.defineVariable.userId}} using the user-id value fetched in Step 4 (Delete a user - Microsoft Graph API - Microsoft Graph v1.0 | Microsoft Learn).

Alternatively, as mentioned by @phil_awlings, you can schedule a PowerShell script from the IQ server to make the API call; you will have to ensure that proper network connectivity to the Entra tenant is established from the IQ server.

Thanks,
Shailee

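The scheduled-script approach from @phil_awlings’s post, which Shailee also points to as the alternative to the workflow above, as an added example (this is not code posted by anyone in the thread): it pages through the ISC search API for identities in the target lifecycle state, reads the Entra object ID from an identity attribute, and sends the Graph DELETE for each one. The ISC tenant name (acme), the identity attribute name (entraObjectId), the environment variables holding the client secrets, and the Graph app registration are all assumptions; the endpoints themselves (ISC /oauth/token and /v3/search, the Entra v2.0 token endpoint, and DELETE /v1.0/users/{id}) are the documented ones.

```powershell
# Added example, not from the thread. Scheduled on the IQ server: delete the Entra ID user
# of every ISC identity whose cloudLifecycleState is "leave10days".
# Assumed: ISC tenant "acme", identity attribute "entraObjectId", secrets in env vars.
param(
    [string]$IscTenant      = 'acme',             # assumed ISC tenant name
    [string]$LifecycleState = 'leave10days',
    [string]$EntraIdAttr    = 'entraObjectId',    # assumed identity attribute holding the Entra object ID
    [string]$EntraTenantId  = $env:ENTRA_TENANT_ID,
    [switch]$WhatIf                               # dry run: only report what would be deleted
)

$ErrorActionPreference = 'Stop'

# --- ISC: client-credentials token. Client id/secret come from the environment, never hardcoded. ---
$iscBase = "https://$IscTenant.api.identitynow.com"
$iscTok  = Invoke-RestMethod -Method Post -Uri "$iscBase/oauth/token" -Body @{
    grant_type    = 'client_credentials'
    client_id     = $env:ISC_CLIENT_ID
    client_secret = $env:ISC_CLIENT_SECRET
}
$iscHeaders = @{ Authorization = "Bearer $($iscTok.access_token)" }

# --- ISC: page through all identities in the target lifecycle state (search returns 250 per page). ---
$identities = @()
$offset = 0; $limit = 250
do {
    $body = @{
        indices           = @('identities')
        query             = @{ query = "attributes.cloudLifecycleState:$LifecycleState" }
        queryResultFilter = @{ includes = @('id', 'name', 'attributes') }
    } | ConvertTo-Json -Depth 5
    $page = Invoke-RestMethod -Method Post -Uri "$iscBase/v3/search?limit=$limit&offset=$offset" `
        -Headers $iscHeaders -ContentType 'application/json' -Body $body
    $identities += @($page)
    $offset += $limit
} while (@($page).Count -eq $limit)

# --- Graph: app-only token. The app registration needs the User.ReadWrite.All application permission. ---
$graphTok = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$EntraTenantId/oauth2/v2.0/token" -Body @{
    grant_type    = 'client_credentials'
    client_id     = $env:GRAPH_CLIENT_ID
    client_secret = $env:GRAPH_CLIENT_SECRET
    scope         = 'https://graph.microsoft.com/.default'
}
$graphHeaders = @{ Authorization = "Bearer $($graphTok.access_token)" }

$guidPattern = '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$'

foreach ($idn in $identities) {
    $objectId = $idn.attributes.$EntraIdAttr
    # Refuse to call Graph with anything that is not a GUID: an empty or malformed attribute
    # must never turn into a request against the wrong object (or a bare DELETE /users/).
    if (-not $objectId -or $objectId -notmatch $guidPattern) {
        Write-Warning "$($idn.name): attribute '$EntraIdAttr' missing or not a GUID, skipping"
        continue
    }
    $uri = "https://graph.microsoft.com/v1.0/users/$objectId"
    if ($WhatIf) { Write-Host "WhatIf: DELETE $uri for $($idn.name)"; continue }
    try {
        # Success is 204 No Content. The user is moved to Entra's deleted items and can be
        # restored for 30 days, so a mistaken run here is recoverable but still audited.
        Invoke-RestMethod -Method Delete -Uri $uri -Headers $graphHeaders | Out-Null
        Write-Host "Deleted Entra user $objectId for identity $($idn.name)"
    } catch {
        $status = $_.Exception.Response.StatusCode.value__
        if ($status -eq 404) {
            # Already deleted (e.g. by a previous run): treat as done so the job stays idempotent.
            Write-Host "$($idn.name): Entra user $objectId already gone (404), nothing to do"
        } else {
            Write-Warning "$($idn.name): DELETE $uri failed with HTTP $status : $($_.ErrorDetails.Message)"
        }
    }
}
```

Run it with -WhatIf from a scheduled task first and compare the list against what you expect before letting it delete. The ISC client must be allowed to call search, the Graph app needs User.ReadWrite.All granted with admin consent, and deleting a user who holds a directory role needs more than that permission, so those accounts will come back as 403 and show up in the warnings rather than silently disappearing.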

Thank you Shailee, it worked.
