Automatic de-provisioning using SCIM with Azure AD

Can someone please confirm if user deprovisioning is functional under the model of automatic provisioning with Azure AD? I thought that was the whole point of the feature, but I have support telling me users will be provisioned but not deprovisioned and reflected in User Management, which for us is the point of the exercise because we are simply trying to get an accurate current user count. SCIM is configured and synchronising in a healthy state. It appears other Zscaler certified engineers have been able to get this working in the past:

Hi,

I can confirm that deprovisioning works for my customers who do SCIM. Every month they get user statistics, and I always see users that have been using Zscaler in the last month but are no longer in the user database. We do not delete users manually.

Best regards
Andreas

Thank you for responding, Andreas; good to know it can work as expected. When I create and delete a new test account, it appears to provision and deprovision as expected. But we have many ex-user accounts that were deleted from Azure AD prior to implementing SCIM, and it’s these accounts that are not being deprovisioned. Any ideas on why this might be the case?

Hi,

I guess that SCIM basically “forwards” the information “User XYZ has been deleted from Azure AD” at the time the user is deleted in Azure AD, and there is no “diff” done to delete the old users that were provisioned to Zscaler prior to the implementation.
I checked in my old mails… when or just before we activated SCIM, I confirmed to my customer that I did a manual cleanup of the Zscaler User DB. 🙂
I downloaded a list of all active users in the last 3 months, compared this with an export of the User DB, created one (or more, since there is a limit) CSV with all users that were not active, and used CSV “import” to delete these users.
Best regards
Andreas
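
The comparison described in the post above, sketched as an added example that is not part of the original posts or any Zscaler tooling. The column name `login`, the batch size, and the `keep` list of accounts to protect are assumptions; adapt the output layout to the import template your tenant actually uses.

```python
import csv
import io

def load_logins(csv_text, column):
    """Return the set of normalised login names found in one CSV column."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if column not in (reader.fieldnames or []):
        raise ValueError(f"column {column!r} not found in export")
    return {r[column].strip().lower() for r in reader if r[column] and r[column].strip()}

def stale_users(userdb_csv, active_csv, column="login", keep=()):
    """Users present in the user database export but absent from the activity report."""
    in_db = load_logins(userdb_csv, column)
    active = load_logins(active_csv, column)
    if not active:
        # An empty or truncated activity report would mark every account for deletion.
        raise ValueError("activity report is empty; refusing to build a delete list")
    protected = {k.strip().lower() for k in keep}
    return sorted(in_db - active - protected)

def chunked_csv(logins, chunk_size, column="login"):
    """Split the delete list into CSV documents of at most chunk_size rows each."""
    if chunk_size < 1:
        raise ValueError("chunk_size must be at least 1")
    files = []
    for start in range(0, len(logins), chunk_size):
        out = io.StringIO()
        writer = csv.writer(out, lineterminator="\n")
        writer.writerow([column])
        writer.writerows([login] for login in logins[start:start + chunk_size])
        files.append(out.getvalue())
    return files

# Constructed sample exports (hypothetical column layout, not a real Zscaler format).
USERDB = ("login,department\nalice@example.com,IT\nBob@example.com,Sales\n"
          "carol@example.com,HR\ndave@example.com,IT\nsvc-break-glass@example.com,IT\n")
ACTIVE = "login,transactions\nalice@example.com,120\nbob@example.com ,45\n"

if __name__ == "__main__":
    stale = stale_users(USERDB, ACTIVE, keep=["svc-break-glass@example.com"])
    for i, doc in enumerate(chunked_csv(stale, chunk_size=1), 1):
        print(f"--- delete batch {i} ---\n{doc}", end="")
```

Logins are compared case-insensitively with surrounding whitespace trimmed, so `Bob@example.com` in the database export matches `bob@example.com ` in the activity report and is not flagged.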

Thanks Andreas, I performed a manual user cleanup.
