articles/active-directory/app-provisioning/how-provisioning-works.md
Lines changed: 14 additions & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -8,7 +8,7 @@ ms.service: active-directory
8
8
ms.subservice: app-provisioning
9
9
ms.topic: conceptual
10
10
ms.workload: identity
11
-
ms.date: 12/06/2021
11
+
ms.date: 01/31/2022
12
12
ms.author: kenwith
13
13
ms.reviewer: arvinh
14
14
---
@@ -196,6 +196,19 @@ If one of the above four events occurs and the target application does not suppo
196
196
197
197
If you see an attribute IsSoftDeleted in your attribute mappings, it is used to determine the state of the user and whether to send an update request with active = false to soft delete the user.
198
198
199
+
**Deprovisioning events**
200
+
201
+
The following table describes how you can configure deprovisioning actions with the Azure AD provisioning service. These rules are written with the non-gallery / custom application in mind, but generally apply to applications in the gallery. However, the behavior for gallery applications can differ as they have been optimized to meet the needs of the application. For example, the Azure AD provisioning service may always sende a request to hard delete users in certain applications rather than soft deleting, if the target application doesn't support soft deleting users.
202
+
203
+
|Scenario|How to configure in Azure AD|
204
+
|--|--|
205
+
|If a user is unassigned from an app, soft-deleted in Azure AD, or blocked from sign-in, do nothing.|Remove isSoftDeleted from the attribute mappings and / or set the [skip out of scope deletions](https://docs.microsoft.com/azure/active-directory/app-provisioning/skip-out-of-scope-deletions) property to true.|
206
+
|If a user is unassigned from an app, soft-deleted in Azure AD, or blocked from sign-in, set a specific attribute to true / false.|Map isSoftDeleted to the attribute that you would like to set to false.|
207
+
|When a user is disabled in Azure AD, unassigned from an app, soft-deleted in Azure AD, or blocked from sign-in, send a DELETE request to the target application.|This is currently supported for a limited set of gallery applications where the functionality is required. It is not configurable by customers.|
208
+
|When a user is deleted in Azure AD, do nothing in the target application.|Ensure that "Delete" is not selected as one of the target object actions in the [attriubte configuration experience](https://docs.microsoft.com/azure/active-directory/app-provisioning/skip-out-of-scope-deletions).|
209
+
|When a user is deleted in Azure AD, set the value of an attribute in the target application.|Not supported.|
210
+
|When a user is deleted in Azure AD, delete the user in the target application|This is supported. Ensure that Delete is selected as one of the target object actions in the [attribute configuration experience](https://docs.microsoft.com/azure/active-directory/app-provisioning/skip-out-of-scope-deletions).|
211
+
199
212
**Known limitations**
200
213
201
214
* If a user that was previously managed by the provisioning service is unassigned from an app, or from a group assigned to an app we will send a disable request. At that point, the user is not managed by the service and we will not send a delete request when they are deleted from the directory.
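Review bot: The two "attribute configuration experience" links in the new table (the "do nothing" and "delete the user" rows for a user deleted in Azure AD) use the skip-out-of-scope-deletions URL, the same target as the "skip out of scope deletions" link in the first row, which looks like a copy of that link; please confirm it is the intended target or point both at the page that covers target object actions. In the same hunk: "sende" in the introductory paragraph and "attriubte" in the link text are typos; the second row's scenario says "true / false" while its instruction only says "set to false"; the attribute is spelled isSoftDeleted in the table but IsSoftDeleted in the context line just above; the third row adds "disabled in Azure AD" to a trigger list that the first two rows give without it; and the last row's scenario is missing its closing period. Because the first row configures the service to do nothing when a user is unassigned, soft-deleted, or blocked from sign-in, consider stating in that row that the account in the target application is left as it is in that configuration, so readers choosing it see the access consequence.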