MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Initial sync behaviour - delete action #111831

Closed nikolasovilj closed 2 months ago

nikolasovilj commented 1 year ago

From the documentation it is not clear whether or not there will be a delete action (if enabled) during Initial Sync. Let's suppose 2 different scenarios. Scenario 1: Tenant is about to go to production with provisioning agents and for some reason there are accounts present in AD but not in SAP. Will the provisioning agent say okay, you don't exist in SAP, therefore delete from AD?

Scenario 2: For every SAP account there is an AD account. For some hypothetical reason the provisioning agent must be stopped; in the meantime, while the provisioning agent is stopped, someone from HR deletes the user from SAP (I know mostly it is disabling, but sometimes accounts must be deleted) and the Delete trigger cannot reach the provisioning agent since it is off. Now that user is deleted from SAP. Next time someone starts the provisioning, what will happen to that user that no longer exists in SAP? Will it hang forever in AD and have to be manually deleted?


hkusulja commented 1 year ago

I am also interested in updating documentation about software behavior in mentioned scenarios

AjayBathini-MSFT commented 1 year ago

@nikolasovilj Thanks for your feedback! We will investigate and update as appropriate.

ManoharLakkoju-MSFT commented 1 year ago

Hi @nikolasovilj, according to the documentation, the Azure AD provisioning service includes a feature to help avoid accidental deletions. This feature ensures that users aren't disabled or deleted in an application unexpectedly. You can use accidental deletions to specify a deletion threshold. Anything above the threshold that you set requires an admin to explicitly allow the processing of the deletions. If the deletion threshold is met, the job goes into quarantine, and a notification email is sent. The quarantined job can then be allowed or rejected.

Regarding the first scenario, if there are accounts present in AD but not in SAP, the provisioning agent will not delete them from AD. The provisioning agent will only delete users if they are deleted in SAP and the deletion threshold is met.

Regarding the second scenario, if someone from HR deletes the user from SAP while the provisioning agent is stopped, the user will not be deleted from AD. The Azure AD provisioning service doesn't automatically delete users from AD if they are deleted from SAP. The user will remain in AD and will have to be manually deleted.
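The deletion-threshold and quarantine behaviour described in the reply above, modelled as a small Python dry-run checker. This is an added illustration written for this thread, not code from Microsoft or the Azure AD provisioning service; the account model, the `source_id` link, the strict "above the threshold" comparison and the `run_cycle`/`resolve_quarantine` names are assumptions made here. It shows two points from the reply: accounts that were never provisioned from a source object (scenario 1) are not delete candidates at all, and when the number of pending deletes exceeds the configured threshold the whole batch is held for an explicit admin decision instead of being applied.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Account:
    """A target-directory account. source_id is the HR/source object it was
    provisioned from; None means it pre-existed and is not linked (assumption)."""
    id: str
    source_id: Optional[str]


@dataclass
class CycleResult:
    pending_deletes: List[str]  # target account ids that would be deleted
    quarantined: bool           # True if the job was held for admin review
    reason: str


def pending_deletes(source_ids: Set[str], target: List[Account]) -> List[str]:
    """Delete candidates are only accounts linked to a source object that no
    longer exists. Unlinked accounts (never provisioned) are never candidates,
    which is why accounts present in AD but absent from SAP are left alone."""
    return [a.id for a in target
            if a.source_id is not None and a.source_id not in source_ids]


def run_cycle(source_ids: Set[str], target: List[Account], threshold: int) -> CycleResult:
    """One provisioning cycle. Per the thread, anything above the configured
    threshold requires explicit admin approval, so the job is quarantined
    (assumption: strictly more than `threshold` deletes triggers quarantine)."""
    deletes = pending_deletes(source_ids, target)
    if len(deletes) > threshold:
        return CycleResult(deletes, True,
                           f"{len(deletes)} pending deletes exceed threshold {threshold}; "
                           "job quarantined, notification sent, admin must allow or reject")
    return CycleResult(deletes, False, f"{len(deletes)} deletes within threshold {threshold}")


def resolve_quarantine(result: CycleResult, admin_allows: bool) -> List[str]:
    """Admin decision on a quarantined job: allow applies the held deletes,
    reject applies none. A non-quarantined job returns its deletes unchanged."""
    if not result.quarantined:
        return list(result.pending_deletes)
    return list(result.pending_deletes) if admin_allows else []


if __name__ == "__main__":
    # Constructed sample data: two SAP objects remain, one (hr-3) was removed,
    # and ad-c exists in AD without ever having been provisioned.
    source = {"hr-1", "hr-2"}
    ad = [Account("ad-a", "hr-1"), Account("ad-b", "hr-2"),
          Account("ad-c", None), Account("ad-d", "hr-3")]
    print(run_cycle(source, ad, threshold=1))
    # Removing hr-2 as well pushes the cycle above a threshold of 1.
    print(run_cycle({"hr-1"}, ad, threshold=1))
```

The `source_id` link is the key design choice: a reconciliation that compared raw account lists would flag every unmanaged account as a delete, which is exactly the outcome the original poster was worried about in scenario 1. Keeping the threshold check on the whole batch, rather than per account, mirrors the quarantine behaviour described above.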

ManoharLakkoju-MSFT commented 1 year ago

@nikolasovilj We are going to close this thread as resolved, but if there are any further questions regarding the documentation, please tag me in your reply and we will be happy to continue the conversation.

hkusulja commented 1 year ago

@ManoharLakkoju-MSFT I was hoping that the documentation would be updated with your statements:

the provisioning agent will not delete them from AD. The provisioning agent will only delete users if they are deleted in SAP and the deletion threshold is met.

The Azure AD provisioning service doesn't automatically delete users from AD if they are deleted from SAP. The user will remain in AD and will have to be manually deleted.

Also, for scenario 2, please clarify: when start provisioning is triggered, will the delete actions be done in AD (like Create / Update, also) that were not executed due to the stopped provisioning before? So an update of the initial/start synchronization behavior documentation is requested.

ManoharLakkoju-MSFT commented 1 year ago

@nikolasovilj @hkusulja We'll communicate to our PG Team about it, and after they review it, we'll update this as necessary.

ManoharLakkoju-MSFT commented 1 year ago

@cmmdesai Can you please check and add your comments on this doc update request as applicable.

ManoharLakkoju-MSFT commented 1 year ago

@hkusulja @nikolasovilj I'm going to assign this to the document author so they can take a look at it accordingly.

omondiatieno commented 2 months ago

@nikolasovilj, closing this issue and tracking the updates internally. Thank you for contributing to our docs.

please-close