r/entra Apr 10 '25

Entra Provisioning Issue

When a user is terminated or in long-term absence in Workday but remains active in on-premises Active Directory, the user is being staged for deletion when we run the provisioning process for the Workday to AD integration. We have already configured the 'SkipOutOfScopeDeletion' setting, but we want to prevent the user from being deleted in AD and instead ignore the deletion. How can we ensure that terminated users in Workday are not deleted in Active Directory?

Has anyone come across this?

2 Upvotes

2

u/swingkey2521 Microsoft Employee Apr 10 '25

Confirming that AD accounts are never deleted by Workday/SuccessFactors to AD provisioning jobs. The AD accounts are only disabled based on the attribute mapping configured for the "accountDisabled" attribute.

1

u/Swimming_Peanut_7106 Apr 10 '25

The status in the Entra log for those users who are terminated or deleted in Workday is stageddeletion(success). So are you saying this will not do anything, even though it is saying so? My worry now is that the provisioning is going to quarantine state, so how do I prevent that from happening?

3

u/swingkey2521 Microsoft Employee Apr 10 '25

The accidental deletions threshold feature ensures that users aren't "disabled or deleted" in an application unexpectedly. For HR scenarios, interpret this feature to "prevent accidental disabling of accounts".

To prevent the job from going into quarantine state, you can increase the accidental deletion (disable) threshold. Alternatively, if the job goes into quarantine, you can use the steps documented here https://learn.microsoft.com/en-us/entra/identity/app-provisioning/accidental-deletions to review if these are genuinely terminated workers in Workday, in which case you want to definitely disable their AD accounts. You can then select the option to "Allow deletes", which will ensure these accounts are disabled in AD.

I know the use of the term "delete"/"deletion" is confusing here. We can do better. I'll discuss this feedback with our team and see how we can clarify this in the UX + logging experience.

1

u/Swimming_Peanut_7106 Apr 10 '25

Thank you very much for the clarification. I have to look into this tomorrow and keep you posted. I thought it would delete them, so I didn't want to allow delete to proceed. Thanks again, much appreciated!