Deactivate active directory users

Question

When employees are leaving the organization, you would deactivate the access to the users in IAM for the application(s).We are deactivating / deleting those users in Active Directory, but they still are there in IAM.Are there suggestions how to handle this?Is there some option in IAM to automate this as part of the update the user group from Active directory or is it better to go for custom solution via scheduled process flow?

Anne Buit · Accepted Answer

The users are by definition ‘deactivated’ as they can no longer log in using the assigned method. While their account names, user preferences, assigned user groups and such are still present, they are not ‘active’ in the sense that the accounts cannot be used.An automatic cleanup of users is currently not possible when the identity is managed outside of IAM. This is the case for AD users, External authenticated users (OIDC / Entra) and RDBMS users.Some identity providers implement theSCIM protocol to allow this information to be shared between systems. The Thinkwise Platform does not yet support SCIM.If you want to clean up inert users, a periodical and possibly automated option should be used. For instance, a PowerShell script.Alternatively, the process of offboarding should include deleting the information from IAM in addition to deactivating the AD account.

Sign up

Login to the Thinkwise Software Community

Scanning file for viruses.

This file cannot be downloaded