Is it possible to delete a user account in Active Directory through IdentityNow?

Hello, everyone.

I would like to know if it is possible to delete a user account in Active Directory through IdentityNow.

Does anyone have an example?

Yes, you can delete a user account in AD. You have to do it by changing the account request operation to Delete using a BPR. The other way is using a Workflow, where you can use the Manage Account action and raise a Delete Account on AD for the identity.

It’s worth noting that the Workflow action for Manage Account will only apply the delete action on flat file sources.

Yes, I would say explore the option of the Services Standard BPR.
It's more like you can change the operation to delete in the BPR based on your criteria.


You can find the solution here

BeforeProvisioning Rule for Oracle EPM to delete the account while removing last entitlement - Identity Security Cloud (ISC) / ISC Discussion and Questions - SailPoint Developer Community


Hello @guilherme_sec, there are two ways to delete an AD account from ISC:
  1. Using a Before Provisioning rule (recommended)
  2. Using a PS script (AfterModify native rule)

Yes you can do it in multiple ways.

  1. Services Standard IdentityNow BeforeProvisioning Rule: This rule is exclusively for mock projects and requires explicit approval from SailPoint and the customer. It allows the delete configuration at source level. It is a one-time deployment by SailPoint; then you can attach the rule to a source and set the delete operation based on any identity attribute trigger. For example, if the inactiveDelete LCS is configured to disable the AD account in the Identity Profile, you can change the operation at source level from disable to delete when the LCS is set to inactiveDelete. Below is a sample source configuration for the change operation:

"cloudServicesIDNSetup": {
    "eventConfigurations": [
        {
            "eventActions": [
                {
                    "Action": "ChangeOperation",
                    "Attribute": null,
                    "Value": "Delete"
                }
            ],
            "Identity Attribute Triggers": [
                {
                    "Attribute": "cloudLifecycleState",
                    "Value": "inactiveDelete",
                    "Operation": "eq"
                }
            ],
            "Operation": "Enable"
        }
    ]
},

  2. Before Provisioning Rule: Develop this cloud rule to make the changes in the operation and attach it to the source; it needs to be deployed again every time you make changes.
  3. External PS Script: You can either use the afterModify connector rule to trigger an external PowerShell script in which you build the delete account operation, or use a standalone PS batch execution on any Windows server, getting the list of AD accounts as input by using the SailPoint Search API.
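As an added illustration of option 2 above (a custom Before Provisioning rule that rewrites the operation), here is a BeanShell rule body written for this thread; it is not code from any of the posters or from SailPoint. It assumes the rule is attached only to the AD source, that the rule receives the usual `plan` and `log` inputs, that `plan.getIdentity()` returns the identity being provisioned, and that the lifecycle state value is the same `inactiveDelete` used in the source configuration above.

```java
import sailpoint.object.Identity;
import sailpoint.object.ProvisioningPlan;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AccountRequest.Operation;

// Assumption: this rule is attached to the AD source only, so every
// account request in the plan targets AD. The state value matches the
// "Identity Attribute Triggers" entry in the sample source configuration.
String deleteState = "inactiveDelete";

// Assumption: plan.getIdentity() is populated for this provisioning event.
Identity identity = plan.getIdentity();
if (identity == null) {
    log.warn("BeforeProvisioning: plan has no identity, leaving plan unchanged");
    return plan;
}

// Only identities in the delete lifecycle state are affected.
Object lcs = identity.getAttribute("cloudLifecycleState");
if (!deleteState.equals(lcs)) {
    return plan;
}

for (AccountRequest req : plan.getAccountRequests()) {
    // The identity profile sends Disable for this state. Delete cannot be
    // undone, so the rewrite is limited to that one operation; Create,
    // Modify and other requests in the same plan pass through untouched.
    if (Operation.Disable.equals(req.getOperation())) {
        log.info("Changing Disable to Delete for account "
                 + req.getNativeIdentity() + " of identity " + identity.getName());
        req.setOperation(Operation.Delete);
    }
}

return plan;
```

The `log.info` line leaves an audit trail of every rewritten request, which is the first thing to check when an account disappears unexpectedly after a lifecycle state change.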