Due to a change in role criteria, AD accounts were created for terminated users; how will disabling of the AD accounts be achieved?

Due to a change in role criteria, AD accounts were created for terminated users. Now the criteria are back and the entitlements are removed, but the AD accounts were not disabled, even though the AD source is added under the LCS of terminated users to disable the account.

Let us know how disabling of the AD accounts will be achieved.

That's unfortunate; only if users are moving into that LCS will the accounts be disabled. Since those users are already in the Terminated LCS, nothing will apply to their accounts.

Option 1: Move those users' LCS to some other state and then back to Terminated
Option 2: Get all those users and disable them manually using the APIs or the UI


Any chance of doing it in bulk? We have 300 such accounts, please.

We can build a script to bulk disable all those accounts. We need to supply the account ID to the API, so we need to get all the account IDs we need to disable.

It's a multi-step process; I have done it earlier, let me check it for you.

Sure, let me know; that can be helpful.

  1. Get all the users impacted and their long IDs
  2. Use the Accounts API to get the account for each identity by using filters with IdentityIQ and SourceID
  3. Get the account ID
  4. Make use of the Disable Account API call and pass the account ID

This may also be solved using a workflow. As Krishna mentioned, you can do the below steps in a workflow:

  1. Run a search for identities with lifecycle state as inactive and the AD account active
  2. Run a loop and use the Manage Accounts - Disable Account option

Before the 2nd step you may have to figure out how to get the account ID, so you might end up using HTTP Request actions in your workflow.
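The four-step script from Krishna's reply and the search-then-loop workflow above do the same thing; here is the script form as an added example (not code from the thread or from SailPoint). It assumes the Identity Security Cloud v3 endpoints POST /v3/search (paged with sort and searchAfter), GET /v3/accounts with the `identityId` / `sourceId` filters, and POST /v3/accounts/{id}/disable, plus a bearer token you have already obtained. The lifecycle state technical name "terminated", the source name "Active Directory" and the source id "src-ad" are placeholders for your tenant, and the identities and accounts in `SampleClient` are constructed so the procedure can be run offline as a dry run first.

```python
import json
import os
import urllib.parse
import urllib.request

# Added example, not code from the thread. Assumed ISC v3 endpoints: POST /v3/search,
# GET /v3/accounts?filters=..., POST /v3/accounts/{id}/disable. Lifecycle state name,
# source name and source id below are placeholders for your tenant.


class IscClient:
    """Minimal v3 API client. The bearer token is obtained elsewhere (assumed)."""

    def __init__(self, base_url, token):
        self.base_url = base_url.rstrip("/")
        self.token = token

    def _call(self, method, path, body=None, params=None):
        url = self.base_url + path + ("?" + urllib.parse.urlencode(params) if params else "")
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": "Bearer " + self.token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def search_identities(self, query, limit=250, search_after=None):
        # Step 1: identities matching the query, with their long ids; paged via searchAfter.
        body = {"indices": ["identities"], "query": {"query": query}, "sort": ["id"]}
        if search_after:
            body["searchAfter"] = search_after
        return self._call("POST", "/v3/search", body, params={"limit": limit})

    def list_accounts(self, identity_id, source_id):
        # Step 2: Accounts API filtered by identityId and sourceId.
        flt = 'identityId eq "%s" and sourceId eq "%s"' % (identity_id, source_id)
        return self._call("GET", "/v3/accounts", params={"filters": flt, "limit": 250})

    def disable_account(self, account_id):
        # Step 4: asynchronous; the response carries the provisioning task id.
        return self._call("POST", "/v3/accounts/%s/disable" % account_id,
                          {"forceProvisioning": False})


class SampleClient:
    """Offline stand-in with constructed data so the procedure runs without a tenant."""

    def __init__(self):
        self.calls = []  # account ids a real client would have disabled
        self.identities = [{"id": "2c91808a-id-0001", "name": "alice.t"},
                           {"id": "2c91808a-id-0002", "name": "bob.t"}]
        self.accounts = {
            "2c91808a-id-0001": [{"id": "acct-ad-1", "sourceId": "src-ad", "disabled": False},
                                 {"id": "acct-ldap-1", "sourceId": "src-ldap", "disabled": False}],
            "2c91808a-id-0002": [{"id": "acct-ad-2", "sourceId": "src-ad", "disabled": True}],
        }

    def search_identities(self, query, limit=250, search_after=None):
        return [] if search_after else self.identities[:limit]

    def list_accounts(self, identity_id, source_id):
        return [a for a in self.accounts.get(identity_id, []) if a["sourceId"] == source_id]

    def disable_account(self, account_id):
        self.calls.append(account_id)
        return {"id": "task-" + account_id}


def identity_search_query(lifecycle_state, source_name):
    # Identities already in the terminated state that still hold an enabled account on the source.
    return ('attributes.cloudLifecycleState:"%s" AND @accounts(source.name:"%s" AND disabled:false)'
            % (lifecycle_state, source_name))


def accounts_needing_disable(accounts, source_id):
    # Step 3: collect account ids, re-checking source and enabled state in case the
    # search index lagged behind a disable that already happened.
    return [a["id"] for a in accounts if a.get("sourceId") == source_id and not a.get("disabled")]


def bulk_disable(client, lifecycle_state, source_name, source_id, dry_run=True, page=250):
    """Return (identity name, account id) pairs acted on; with dry_run only the plan is built."""
    query = identity_search_query(lifecycle_state, source_name)
    acted, search_after = [], None
    while True:
        hits = client.search_identities(query, limit=page, search_after=search_after)
        for ident in hits:
            accounts = client.list_accounts(ident["id"], source_id)
            for acct_id in accounts_needing_disable(accounts, source_id):
                if not dry_run:
                    client.disable_account(acct_id)
                acted.append((ident["name"], acct_id))
        if len(hits) < page:
            break
        search_after = [hits[-1]["id"]]  # next page starts after the last sorted id
    return acted


if __name__ == "__main__":
    if os.environ.get("ISC_BASE_URL") and os.environ.get("ISC_TOKEN"):
        client = IscClient(os.environ["ISC_BASE_URL"], os.environ["ISC_TOKEN"])
    else:
        client = SampleClient()  # offline dry run against the constructed sample
    for name, acct in bulk_disable(client, "terminated", "Active Directory", "src-ad"):
        print("would disable", acct, "for", name)
```

Run it with dry_run left at True first and review the printed plan against the 300 expected accounts before flipping to dry_run=False; each disable call is asynchronous, so check the returned task ids (or the account's `disabled` flag after the next aggregation) rather than assuming the call alone finished the job.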