Okta Connector - group cleanup of deactivated accounts

What problem are you observing?

If a user has a deactivated okta account and you call /v3/access-requests to Revoke the Okta group (entitlement), then ISC does the following

  1. Re-activate Okta account
  2. Revoke Okta group (entitlement)
  3. Re-deactivate Okta account

This causes a whole range of issues, as re-activating the account can cause application and group assignments to kick in, and provisioning tasks from okta to endpoint systems

What is the correct behavior?

Remove Okta groups/entitlements without re-activating the account.

What product feature is this related to?

ISC Okta connector

What are the steps to reproduce the issue?

  1. Create an identity with an Okta account
  2. Ensure Okta account has groups assigned
  3. Deactivate Okta account
  4. Aggregate Okta account, so information in ISC is current
  5. Call /v3/access-requests to Revoke Okta entitlements
  6. Observe logs in Okta for this account.

Do you have any other information about your environment that may help?

N/A