AzureAD Provisioning - prevent user deletion
06-02-2023 05:17 AM
Hi,
I'm looking into leveraging the AzureAD User Provisioning (already using the AAD SSO for login).
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/servicenow-provisioning-tutorial
The one thing that concerns me the most is that users would get automatically deleted, which I don't like and AFAIK isn't the best practice for SN (breaking incident history, making things look ugly and so on).
Maybe I misinterpret the documentation and the user doesn't get really deleted in the end?
Right now I'm provisioning users via LDAP and have a script running post user import which if it finds that a user is missing (removed from AD but still in SN) it will clear the users email, groups, roles, rename the id with a DEL_ suffix, disable and lock the account.
Is it possible to set up such a script while using the AAD provisioning?
Any guidance would be highly appreciated!
08-15-2023 11:59 PM
It may be that the active field in the sys_user table is mapped incorrectly in AzureAD. What is the mapping you see in AzureAD for the active field?
08-21-2023 04:53 AM
I'm not using the integration right now, so it's not a matter of something working incorrectly.
I'm trying to understand how things get handled via the integration, and from what I found I understood that accounts that get deleted from AAD will get deleted from Service-Now.
There is not much information about this, or I'm failing to find a detailed description how various scenarios are handled (creating, modifying, disabling, removing users from AAD).
08-24-2023 11:17 PM
It is a good practice not to delete the user records in ServiceNow. When you set up the field mapping in AzureAD, the expression Switch([IsSoftDeleted],,"False","1","True","0") will be auto-mapped against the user_name field in ServiceNow. This will ensure that deletion, account locking, user removal from scope or app results in the corresponding user ID being disabled in ServiceNow but not deleted.
If my answer has solved your query, please mark helpful and correct answer.
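The following is an added example, not code from the original thread, from ServiceNow or from Azure AD. It simulates the two behaviours discussed above side by side: the quoted Switch([IsSoftDeleted], ...) mapping, which writes a disable flag instead of removing the row, and the poster's post-import policy (clear email, groups and roles, mark the user_name with DEL_, disable and lock). The sys_user stand-in, the directory snapshot, the incident rows and the DEL_ convention are constructed assumptions; the point it makes runnable is that the record and its sys_id survive, so incident reference fields keep resolving.

```python
"""Constructed simulation of the "disable, never delete" reconciliation
discussed in this thread. This is not ServiceNow or Azure AD code: the table,
the directory snapshot, the incident data and the policy are assumptions
written for illustration only."""

from dataclasses import dataclass, field

DEL_MARKER = "DEL_"  # assumed naming convention, after the poster's LDAP script


@dataclass
class SnUser:
    """Minimal stand-in for a sys_user row (assumed subset of fields)."""
    sys_id: str
    user_name: str
    email: str = ""
    active: bool = True
    locked_out: bool = False
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)


def switch_soft_deleted(attrs):
    """Evaluate Switch([IsSoftDeleted], , "False", "1", "True", "0") as the
    thread quotes it: an exact-match lookup whose default is empty, so an
    absent or unexpected value yields '' (nothing written) rather than a
    deletion. Returns the literal that would be written to the target field."""
    cases = {"False": "1", "True": "0"}
    return cases.get(attrs.get("IsSoftDeleted"), "")


def deactivate(user):
    """Apply the poster's post-import policy: clear email, groups and roles,
    mark the user_name, disable and lock the account. The row and its sys_id
    survive, so reference fields pointing at it keep resolving. Safe to run
    repeatedly (the marker is not re-applied)."""
    user.email = ""
    user.roles.clear()
    user.groups.clear()
    if not user.user_name.startswith(DEL_MARKER):
        user.user_name = DEL_MARKER + user.user_name
    user.active = False
    user.locked_out = True
    return user


def reconcile(directory, table):
    """directory: {user_name: {attribute: value}} for accounts the identity
    provider still presents (absent = removed from AD or out of scope).
    table: {sys_id: SnUser}. Returns the (sys_id, action) pairs applied.
    The table is only ever updated, never shrunk."""
    actions = []
    for user in list(table.values()):
        if user.user_name.startswith(DEL_MARKER):
            continue  # already processed on an earlier run
        attrs = directory.get(user.user_name)
        if attrs is None:
            deactivate(user)
            actions.append((user.sys_id, "deactivated:missing"))
        elif switch_soft_deleted(attrs) == "0":
            deactivate(user)
            actions.append((user.sys_id, "deactivated:soft_deleted"))
    return actions


def caller_display(incidents, table):
    """Resolve each incident's caller_id the way a reference field would.
    A deactivated caller still resolves; a deleted row would not."""
    return {inc["number"]: table[inc["caller_id"]].user_name
            if inc["caller_id"] in table else "(broken reference)"
            for inc in incidents}


def build_sample():
    """Constructed data: three users, one active, one soft-deleted in the
    directory, one no longer present in the directory at all."""
    table = {
        "u1": SnUser("u1", "alice", "alice@example.com", roles={"itil"}),
        "u2": SnUser("u2", "bob", "bob@example.com", groups={"Service Desk"}),
        "u3": SnUser("u3", "carol", "carol@example.com", roles={"admin"}),
    }
    directory = {
        "alice": {"IsSoftDeleted": "False"},
        "bob": {"IsSoftDeleted": "True"},
        # carol: removed from AD entirely, so no entry
    }
    incidents = [
        {"number": "INC0010001", "caller_id": "u1"},
        {"number": "INC0010002", "caller_id": "u2"},
        {"number": "INC0010003", "caller_id": "u3"},
    ]
    return table, directory, incidents


if __name__ == "__main__":
    table, directory, incidents = build_sample()
    for sys_id, action in reconcile(directory, table):
        print(sys_id, action, table[sys_id])
    print(caller_display(incidents, table))
```

One design consequence worth checking in a real setup: because the policy rewrites user_name, a later re-provisioning of the same account will not match the marked row by user_name and would create a second record, so matching should be done on a stable attribute rather than the login name if rehires are expected.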
08-24-2023 11:39 PM
This was an answer I was looking for since the docs are saying that the integration can delete the users:
Is your information somewhere in docs or did you dig that out of the scripts/br/other involved elements?