The disabled accounts in Azure AD in our tenant get automatically deleted after a certain period. Once that happens, IdentityNow still keeps attempting provisioning events (due to identity refresh) on these accounts. As the account is deleted, it tries to recreate the account.
Is there a way to stop this? As of now, not populating the create account policy is one way I can think of, but that still causes it to keep attempting and generating provisioning errors. Is there a concrete way to make an account/identity invisible to provisioning activities or identity refreshes?
Could you please include more details regarding your Azure AD connector?
For example, are you using Azure AD just for reading the account details (no provisioning at all)? Are you using the old Azure AD connector or the new Entra connector? Provisioning details like role-based or access-profile-based provisioning, etc.
This would help us provide a solution to your issue.
Thanks!
Hi
If you are using any RBAC approach to create accounts in Azure, then you need to add an extra criterion, lifecycle state, in your role assignment criteria to dissatisfy the role.
Could you please describe how the access is getting assigned to the account? Is it via a role addition using criteria, or is it via already requested access via the Request Center?
If it's via criteria, then you can add an extra role criterion to check if the account exists,
e.g., userPrincipalName contains @. In this case the role will be removed if the account doesn't exist.
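As an added illustration (not from the original post), this is what the two criteria described above look like in the membership block of an IdentityNow v3 Roles API payload. The structure follows the public v3 role membership schema; the source id is a placeholder, and the lifecycle-state value "active" is an assumption about this tenant's lifecycle state names.

```json
{
  "membership": {
    "type": "STANDARD",
    "criteria": {
      "operation": "AND",
      "children": [
        {
          "operation": "EQUALS",
          "key": {
            "type": "IDENTITY",
            "property": "attribute.cloudLifecycleState"
          },
          "stringValue": "active"
        },
        {
          "operation": "CONTAINS",
          "key": {
            "type": "ACCOUNT",
            "property": "attribute.userPrincipalName",
            "sourceId": "<AZURE-AD-SOURCE-ID>"
          },
          "stringValue": "@"
        }
      ]
    }
  }
}
```

The second child only matches while an Azure AD account with a userPrincipalName is correlated to the identity, so once the account is deleted the identity drops out of the role and the role-driven create-account request stops being generated.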
I am using the old Azure AD connector. There is some provisioning being done too. Some entitlements are role-based. But the others, which are not role-based, are causing issues like entitlement stickiness even when the actual account has been deleted on the source.
The role-based accesses are not a concern. It is the free entitlements which are provisioned by the ID center, and then there are those which are just there in Azure.
Ok. Then removing those sticky entitlements is the only other option, I think. Otherwise it will try to add those entitlements, which in turn will create the create account event. Even if you tweak the create account provisioning policy, the create account event will be retried every day and will fail.
If you need any help with sticky entitlements removal, you can refer to this discussion. It can be achieved via workflow.