
My customer has configured SSO with Azure AD as identity provider.
So of course, if the user is disabled in the AD, the user cannot log in to the tool.

However, the Application Manager of the Thinkwise solution would like to see which users are active or inactive. The filter of active / inactive does filter out users, but we don't know based on what.

Therefore I'd like to ask for help with the following questions:

1 - if a user is disabled in the IDP, is that somewhere registered in the IAM? 

-- If not, is there some best practice of how to make that happen?

2 - What does the filter "inactive user" in the user table in the IAM filter for exactly? I thought it was based on the date field, but apparently there are more variables.


Thanks for your help.

Hello Tiago,

1 - if a user is disabled in the IDP, is that somewhere registered in the IAM? 

No that is not something that is automatically registered in IAM. We also do not know if there is a best practice solution for this.

2 - What does the filter "inactive user" in the user table in the IAM filter for exactly?

There are 3 things that make a user active:

  • Begin on date is empty or is in the past
  • End on date is empty or is in the future
  • This user has logged in at least once and thus has an (ongoing) session.

1 - if a user is disabled in the IDP, is that somewhere registered in the IAM? 

-- If not, is there some best practice of how to make that happen?

@tiago on the best practice question: you can have a System Flow perform regular (e.g. weekly or nightly) checks on the Azure AD User records using the MS Graph API and set an End Date in IAM in case a User is disabled (and/or no longer existent) in Azure AD.
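The nightly reconciliation Arie describes, together with the three "active" rules from the earlier answer, as an added Python sketch that is not Thinkwise's or Arie's code. The IAM field names, the `is_active`/`reconcile` helpers and all user records are assumptions; the Graph response is constructed sample data rather than a live call to `GET /v1.0/users?$select=userPrincipalName,accountEnabled`.

```python
"""Reconcile IAM users against Azure AD account state and apply the IAM 'active' rules.

Assumptions (not from the thread): an IAM user is a dict with 'upn', 'begin_on',
'end_on' and 'has_session'; Graph users carry 'userPrincipalName' and 'accountEnabled'.
"""
from datetime import date


def is_active(user, today):
    """The three rules from the answer: begin date empty or in the past,
    end date empty or in the future, and at least one login (an ongoing session)."""
    begin_ok = user["begin_on"] is None or user["begin_on"] <= today
    end_ok = user["end_on"] is None or user["end_on"] > today
    return begin_ok and end_ok and user["has_session"]


def reconcile(iam_users, graph_users, today):
    """Set the IAM end date to today for every user whose Azure AD account is
    disabled or no longer exists. Users that already have an end date in the past
    are left alone, so a repeated (nightly) run changes nothing the second time.
    Returns the UPNs that were changed."""
    enabled = {u["userPrincipalName"].lower(): u["accountEnabled"] for u in graph_users}
    changed = []
    for user in iam_users:
        if enabled.get(user["upn"].lower()) is True:
            continue  # still enabled in Azure AD: leave IAM untouched
        if user["end_on"] is None or user["end_on"] > today:
            user["end_on"] = today
            changed.append(user["upn"])
    return changed


# Constructed sample data: one Graph page and a small IAM user table.
TODAY = date(2024, 1, 15)
GRAPH_USERS = [
    {"userPrincipalName": "alice@example.com", "accountEnabled": True},
    {"userPrincipalName": "bob@example.com", "accountEnabled": False},
    {"userPrincipalName": "erin@example.com", "accountEnabled": True},
]
IAM_USERS = [
    {"upn": "alice@example.com", "begin_on": None, "end_on": None, "has_session": True},
    {"upn": "bob@example.com", "begin_on": date(2023, 1, 1), "end_on": None, "has_session": True},
    {"upn": "carol@example.com", "begin_on": None, "end_on": None, "has_session": True},  # removed from AD
    {"upn": "dave@example.com", "begin_on": None, "end_on": date(2023, 12, 31), "has_session": True},  # already ended
    {"upn": "erin@example.com", "begin_on": None, "end_on": None, "has_session": False},  # never logged in
]

if __name__ == "__main__":
    print("end date set for:", reconcile(IAM_USERS, GRAPH_USERS, TODAY))
    print("active after run:", [u["upn"] for u in IAM_USERS if is_active(u, TODAY)])
```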


Hey @Arie V , thanks for your help. That was indeed what I was imagining. Will see how important it actually is for the customer. 😅


FYI he said he'd rather have a checkbox than an end date for understanding whether a user is active or not.

Personally I don't really see the problem, but as he was quite insistent, while he usually isn't, it felt really important for him, so I thought it was at least important to share. 

Have you ever heard about this request? 



1 - if a user is disabled in the IDP, is that somewhere registered in the IAM? 

-- If not, is there some best practice of how to make that happen?

@tiago on the best practice question: you can have a System Flow perform regular (e.g. weekly or nightly) checks on the Azure AD User records using the MS Graph API and set an End Date in IAM in case a User is disabled (and/or no longer existent) in Azure AD.

Sounds like a nice Thinkstore solution ;)


1 - if a user is disabled in the IDP, is that somewhere registered in the IAM? 

-- If not, is there some best practice of how to make that happen?

@tiago on the best practice question: you can have a System Flow perform regular (e.g. weekly or nightly) checks on the Azure AD User records using the MS Graph API and set an End Date in IAM in case a User is disabled (and/or no longer existent) in Azure AD.

Sounds like a nice Thinkstore solution ;)

We’ll add it to the backlog ;)