Provisioning with accounts disabled

Hello everyone,

In this environment, I have a target system for both Active Directory and Azure AD connectors.

For AD, everything is managed with account definitions, and we create/delete/modify accounts.

However, for Azure AD, it’s different because we don’t have account definitions, and it’s managed via AD Connect, which synchronizes from AD, so we read directly from Azure.

The issue is that, after we read that the AAD account has been disabled, not all AAD groups are being removed (excluding those with a group type of DynamicMembership, which we don't need to remove).

I’ve created a process to remove the assigned groups using the process step handleComponents with the where clauses, and in One Identity they are removed from the database, but the provisioning does not start because the account is disabled.

So, if the account is enabled, the provisioning starts successfully.

How can I resolve this issue?

Thank you,

Elena

  • I think that OOTB, when you remove a direct (XOrigin = 1) entry/assignment in AADUserInGroup or O3EAADUserInUnifiedGroup (Office 365 group) on this linked AADUser by hand using Manager, it should trigger the process AAD_Group_Insert/Update/Delete or O3E_UnifiedGroup_Update/Deactivate and remove the membership independently of the AADUser "enabled/disabled" state. If this works, double-check your custom process. If not, check whether AAD_Group_Insert/Update/Delete is customized, or go to Data synchronization > Configure tables for publishing: AADUserInGroup and check whether the condition query has been customized.

    For your use case maybe have a look at this config option: KeepMembershipsOfLinkedAccount
    Scenario: User accounts are linked to identities. No account definition is applied.
    Use the QER | Person | User | KeepMembershipsOfLinkedAccount configuration parameter to specify deferred deletion behavior.
    support.oneidentity.com/.../7
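
The check suggested above (which direct memberships are still sitting in AADUserInGroup for disabled accounts, and whether they ever left the database) is easiest to do with a query against the One Identity Manager database before touching any process. The following T-SQL is an added example written for this thread, not code from the original post or from One Identity. It assumes the standard columns AADUserInGroup.XOrigin / XIsInEffect, AADUser.AccountEnabled and an AADGroup.GroupTypes column carrying the Graph "DynamicMembership" value; verify those names in Designer before relying on the result, and note that XOrigin is a bitmask, so the direct-assignment test is on bit 1 rather than on equality.

```sql
-- Added diagnostic (not from the original thread or from One Identity).
-- Lists direct Azure AD group memberships that the database still holds for
-- disabled AAD user accounts, skipping dynamic-membership groups, so the
-- database state can be compared with what the AAD_Group_Insert/Update/Delete
-- process actually provisioned to Azure AD.
--
-- Assumed columns (check in Designer): AADUser.AccountEnabled,
-- AADGroup.GroupTypes. XOrigin/XIsInEffect/XDateUpdated are the standard
-- One Identity Manager X columns.
SELECT u.UserPrincipalName,
       g.DisplayName            AS GroupName,
       uig.XOrigin,                          -- 1 = direct, 2 = inherited, ... (bitmask)
       uig.XIsInEffect,                      -- 1 = membership is still effective
       uig.XMarkedForDeletion,               -- non-zero when deferred deletion is pending
       uig.XDateUpdated                      -- when the row was last changed
FROM AADUserInGroup AS uig
JOIN AADUser  AS u ON u.UID_AADUser  = uig.UID_AADUser
JOIN AADGroup AS g ON g.UID_AADGroup = uig.UID_AADGroup
WHERE u.AccountEnabled = 0                                   -- disabled in AAD
  AND (uig.XOrigin & 1) = 1                                  -- direct assignment bit set
  AND ISNULL(g.GroupTypes, '') NOT LIKE '%DynamicMembership%' -- keep dynamic groups out
ORDER BY u.UserPrincipalName, g.DisplayName;
```

Rows that show up here with XIsInEffect = 1 are the ones a custom removal step has not actually deleted; rows that are gone from this result but still present in Azure AD point at the provisioning side (the process or the publishing condition query mentioned above) rather than at the database. Run the query once before and once after removing a single membership by hand in Manager to see which of the two cases you are in.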
