I’m facing a problem regarding mover scenarios and AD group cleanup in IdentityIQ.
Suppose we have an identity X who already had some AD Security Groups before IdentityIQ started managing them.
For example, the identity already had SecurityGroup1 in AD (assigned by the AD admin).
After that:
We created a Business Role (Role1) in IIQ with an assignment rule that grants SecurityGroup1.
We also have another Business Role (Role2) that grants SecurityGroup2.
Now the identity changes department, so:
Role1 should be removed
Role2 should be assigned
Our current situation is that the identity now has SecurityGroup1 and SecurityGroup2 in AD.
Our goal is to remove SecurityGroup1 from the identity in AD because it no longer applies.
IdentityIQ does not remove SecurityGroup1, because this entitlement was not originally assigned by IIQ…
So, what is the recommended way in IdentityIQ to clean up or remove AD groups that were not assigned by IIQ but now need to be removed because the identity changed roles?
@torry_salamat SecurityGroup1 should be part of your certification process during mover. Question: have you not enabled certification during the mover process? In certification it is configured as either approved or removed if no action is taken within the certification time frame. Let me know if that makes sense.
How are you assigning the roles? Is your Identity Refresh task configured with the provision assignments option checked? If yes, then the identity should have Role1 assigned even if the AD group was already present, and on mover, when the role is removed, it should trigger group removal. If it is not checked (enabled) and you are using a workflow to assign roles, then you may have to run a task to add role assignments for existing users with access to fix the issue.
At the moment, we do not have any certifications configured. Even if we were to set one up for this use case, SecurityGroup1 was only an example. In reality, we have more than 100 security groups. Would it be feasible to certify all of these groups each time an identity changes departments, or would this be too heavy for the client to manage? We don’t have a mover workflow either.
We assigned it automatically via assignment rules, and our refresh task is indeed configured with the provision assignments option.
To clarify the situation: for an identity that already had SecurityGroup1 assigned directly in Active Directory by an administrator, Role1 was never assigned to the identity in IIQ.
When the identity later changed departments, Role2 was automatically assigned via assignment rules. As a result, the identity now ends up with both security groups (SecurityGroup1 and SecurityGroup2) in AD, but only one role (Role2) in IIQ.
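As an added example (not code from this thread or from SailPoint), here is a Beanshell rule body for IdentityIQ that targets the situation described above, where Role1 was never assigned in IIQ so the normal role deprovisioning never fires. It reads the groups Role1's profile requires and builds a ProvisioningPlan that removes only those still present on the identity's AD account, whether IIQ or an AD admin originally added them. It assumes the rule runner injects `context` and `identity`, that the role is named Role1, and that the AD group attribute is `memberOf`.

```java
import sailpoint.api.Provisioner;
import sailpoint.object.*;
import sailpoint.object.Filter.LeafFilter;
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

// 'context' and 'identity' are injected by the rule runner; the two names below are assumptions.
String roleName = "Role1";      // role the identity no longer qualifies for after the move
String groupAttr = "memberOf";  // AD group attribute in the application schema
Bundle role = context.getObjectByName(Bundle.class, roleName);
if (role == null || role.getProfiles() == null) return null;
ProvisioningPlan plan = new ProvisioningPlan();
plan.setIdentity(identity);

for (Profile profile : role.getProfiles()) {
  Application app = profile.getApplication();
  // Group DNs the role's profile requires (constraints on memberOf, e.g. CONTAINS_ALL).
  List required = new ArrayList();
  for (Filter f : profile.getConstraints()) {
    if (!(f instanceof LeafFilter)) continue;
    LeafFilter leaf = (LeafFilter) f;
    if (!groupAttr.equals(leaf.getProperty())) continue;
    if (leaf.getValue() instanceof List) required.addAll((List) leaf.getValue());
    else required.add(leaf.getValue());
  }
  // Remove only groups the lost role required AND the account still holds,
  // regardless of whether IIQ or an AD admin originally added them.
  List links = identity.getLinks(app);
  if (links == null) continue;
  for (Link link : links) {
    Object held = link.getAttribute(groupAttr);
    AccountRequest acct = new AccountRequest();
    acct.setApplication(app.getName());
    acct.setNativeIdentity(link.getNativeIdentity());
    acct.setOperation(AccountRequest.Operation.Modify);
    for (Object dn : required) {
      if (held instanceof List && ((List) held).contains(dn))
        acct.add(new AttributeRequest(groupAttr, ProvisioningPlan.Operation.Remove, dn));
    }
    if (acct.getAttributeRequests() != null) plan.add(acct);
  }
}
// Compile and execute; comment out execute() to only review plan.toXml() first.
Provisioner provisioner = new Provisioner(context);
provisioner.compile(plan);
provisioner.execute();
```

If a role the identity still holds (Role2, for instance) requires one of the same groups, exclude that group before adding the Remove request, otherwise the plan would strip access the new role needs.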