# idaas-sync

Part of **IDAAS**

<!-- intent-backlink:auto -->

> 💡 **Path Selection**: This skill is one implementation path for [Provision users from external identity provider](../../intent/idaas-provision-idp/SKILL.md). If you're unsure which path to take, check the routing skill first.

# IDaaS User Lifecycle and Synchronization Troubleshooting Guide

## Problem Index

| Problem | Symptom | Severity | Solution Summary |
|--------|---------|----------|------------------|
| User disabled in Entra ID remains active in IDaaS | User account is disabled in Microsoft Entra ID but still active in IDaaS after sync cycle | High | Ensure SCIM provisioning is enabled and attribute mapping includes `active` status |
| Deleted user in Entra ID not removed from IDaaS | User deleted in Microsoft Entra ID still appears in IDaaS user list | High | Confirm the user is permanently deleted in Entra ID (not only soft-deleted), that the **Delete** target object action is enabled in the mapping, and check IDaaS recycle bin settings |
| Sync delay or missed updates | Changes in Entra ID take longer than expected to reflect in IDaaS, or never do | Medium | The provisioning interval is fixed (about 40 minutes); check for a paused or quarantined job, endpoint reachability, throttling, and skipped events in the provisioning logs |

## Problem Details

### Problem 1: User disabled in Entra ID remains active in IDaaS

**Symptoms**
- Error message: None (silent failure)
- Behavior: A user account is disabled in Microsoft Entra ID, but the corresponding account in IDaaS remains active after one or more sync cycles
- Context: Occurs during regular user lifecycle management when disabling accounts for offboarding

**Root Cause**
- The SCIM provisioning configuration does not include the `active` attribute in the attribute mapping, or maps it from a source attribute that does not change when the account is disabled
- The IDaaS SCIM endpoint does not process `active=false` correctly (a common bug is treating the string `"False"` as a truthy value)
- Provisioning is paused, quarantined or misconfigured on the enterprise application (provisioning is configured on the enterprise application, not on the app registration)

**Solution**
1. In the Microsoft Entra admin center, go to **Enterprise applications > [Your IDaaS App] > Provisioning** and confirm the provisioning status is **On** (not paused or quarantined)
2. Under **Mappings**, open the user mapping (named **Provision Microsoft Entra ID Users** or similar, depending on the app)
3. Ensure the SCIM **active** attribute is mapped from `accountEnabled`, the Entra ID attribute that reflects "block sign-in" (`userAccountControl` is an on-premises Active Directory attribute and is not available here), or from an expression that also covers soft-deleted users. In the Microsoft Graph synchronization schema the attribute-only form looks like:
   ```json
   {
     "targetAttributeName": "active",
     "source": {
       "type": "Attribute",
       "name": "accountEnabled"
     },
     "defaultValue": null
   }
   ```
4. If using an expression (for example one built around `Switch([IsSoftDeleted], ...)`), confirm it evaluates to `False` both when the account is disabled and when it is soft-deleted
5. Save the mapping, then run **Provision on demand** for the disabled test user and inspect the request it shows: the `active` value sent must be `false`

**Verification**
- Disable a test user in Entra ID
- Wait for the next sync cycle (or trigger manually)
- Check the user’s status in IDaaS — it should show as inactive
- Use the IDaaS admin console or API to confirm `active: false`

### Problem 2: Deleted user in Entra ID not removed from IDaaS

**Symptoms**
- Error message: None (silent failure)
- Behavior: A user deleted from Microsoft Entra ID still appears in the IDaaS user directory
- Context: Happens during user offboarding when expecting automatic cleanup via SCIM

**Root Cause**
- The **Delete** target object action is unchecked in the app's attribute mapping, so Entra ID never sends `DELETE /Users/{id}`
- IDaaS retains deleted users in a recycle bin (soft delete) instead of removing them, so they still appear in listings
- The user was only soft-deleted in Entra ID (still under **Deleted users**); for a soft-deleted user the provisioning service sends a disable (`active: false`), and the `DELETE` is sent only after the user is permanently deleted, either manually or when the 30-day retention expires

**Solution**
1. In the Microsoft Entra admin center, go to **Identity > Users > Deleted users** and check whether the user is still listed there
2. Permanently delete the user; a soft delete alone is not enough. `Remove-MgUser` on its own only moves the user to **Deleted users**, so the purge is a second call:
   ```powershell
   # Microsoft Graph PowerShell: soft-delete, then purge from the 30-day recycle bin
   Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.ReadWrite.All"
   $user = Get-MgUser -UserId "user@example.com"
   Remove-MgUser -UserId $user.Id                              # moves the user to "Deleted users"
   Remove-MgDirectoryDeletedItem -DirectoryObjectId $user.Id   # permanently deletes it
   ```
3. In the app's **Provisioning > Mappings**, confirm that the **Delete** target object action is enabled; otherwise the provisioning service only disables the user
4. In IDaaS, check whether a recycle bin or soft-delete policy is active; if so, purge the entry or adjust the retention per organizational policy, and verify that a soft-deleted IDaaS account cannot sign in while it waits to be purged

**Verification**
- Delete a test user permanently in Entra ID
- Wait for the next provisioning cycle
- Confirm the user no longer appears in the IDaaS user list via UI or API. The filter value contains spaces and quotes, so let curl URL-encode it rather than pasting it into the URL:
   ```bash
   curl -sS -G -H "Authorization: Bearer <token>" \
     --data-urlencode 'filter=userName eq "testuser"' \
     https://idaas.example.com/scim/v2/Users
   # Expected: "totalResults": 0 and an empty Resources array
   ```
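The server-side behaviour that Problems 1 and 2 depend on, as an added example that is not the IDaaS product's code or anything from Entra ID: an in-memory SCIM 2.0 `/Users` handler in Python that applies a PATCH to `active` (including the path-less `value` object form and the string booleans some clients send), hard-deletes with a distinguishable 404 on a repeat DELETE, and answers the `userName eq "..."` filter used in the verification step. The user names, ids and request bodies are constructed for the example.

```python
"""Minimal in-memory SCIM 2.0 /Users handler.
Constructed example: not the IDaaS product's code; users and request bodies
are made up. Each function returns (http_status, body) like a web handler."""
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed directory keyed by SCIM resource id
USERS: Dict[str, Dict[str, Any]] = {
    "a1": {"id": "a1", "userName": "alice@example.com", "active": True},
    "b2": {"id": "b2", "userName": "testuser@example.com", "active": True},
}

# Only the `attr eq "value"` filter form, which is what the verification step uses
_FILTER_RE = re.compile(r'^\s*(\w+)\s+eq\s+"([^"]*)"\s*$', re.IGNORECASE)
Response = Tuple[int, Optional[Dict[str, Any]]]


def scim_error(status: int, scim_type: str, detail: str) -> Response:
    """RFC 7644 error body; `status` is a string there by spec."""
    return status, {"schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
                    "scimType": scim_type, "status": str(status), "detail": detail}


def to_bool(value: Any) -> bool:
    """`active` is boolean in SCIM, but some clients send "True"/"False" as
    strings. Plain truthiness turns the string "False" into True, which is the
    classic reason a disable never takes effect, so parse it explicitly."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    raise ValueError(f"active must be boolean, got {value!r}")


def patch_user(user_id: str, body: Dict[str, Any]) -> Response:
    """Apply a PatchOp. Supports `replace` both with a `path` and in the
    path-less form where `value` is an object of attributes. The op name is
    compared case-insensitively because some clients send "Replace"."""
    user = USERS.get(user_id)
    if user is None:
        return scim_error(404, "noTarget", f"User {user_id} not found")
    for op in body.get("Operations", []):
        if str(op.get("op", "")).lower() != "replace":
            return scim_error(400, "invalidValue", f"unsupported op {op.get('op')!r}")
        if "path" in op:
            changes = {op["path"]: op.get("value")}
        elif isinstance(op.get("value"), dict):
            changes = op["value"]
        else:
            return scim_error(400, "invalidValue", "replace without path needs an object value")
        for attr, value in changes.items():
            if attr == "active":
                try:
                    user["active"] = to_bool(value)
                except ValueError as exc:
                    return scim_error(400, "invalidValue", str(exc))
            elif attr in ("userName", "displayName"):
                user[attr] = value
            else:
                return scim_error(400, "invalidPath", f"unknown attribute {attr!r}")
    return 200, user


def delete_user(user_id: str) -> Response:
    """Hard delete. A repeat DELETE gets 404 noTarget, so a caller can tell
    "already gone" from a delete that did not happen."""
    if USERS.pop(user_id, None) is None:
        return scim_error(404, "noTarget", f"User {user_id} not found")
    return 204, None


def list_users(filter_expr: Optional[str] = None) -> Response:
    """GET /Users with an optional `attr eq "value"` filter (case-insensitive
    match, as userName comparison normally is)."""
    results: List[Dict[str, Any]] = list(USERS.values())
    if filter_expr:
        m = _FILTER_RE.match(filter_expr)
        if not m:
            return scim_error(400, "invalidFilter", 'only attr eq "value" is supported')
        attr, wanted = m.group(1), m.group(2).lower()
        results = [u for u in results if str(u.get(attr, "")).lower() == wanted]
    return 200, {"schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
                 "totalResults": len(results), "startIndex": 1,
                 "itemsPerPage": len(results), "Resources": results}
```

The point to take from `to_bool` is that a disable request with `"value": "False"` must end with `active` equal to `False`; if your endpoint's handler coerces the body with plain truthiness, the user stays active and nothing is logged as an error, which is exactly the silent failure described in Problem 1.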

### Problem 3: Sync delay or missed updates

**Symptoms**
- Error message: None
- Behavior: Changes made in Entra ID (e.g., group membership, status) take hours to appear in IDaaS or never appear
- Context: Common in environments with large user bases or custom sync intervals

**Root Cause**
- The provisioning cycle runs on a fixed interval of roughly 40 minutes that cannot be shortened, so a change made just after a cycle starts is not picked up until the next one, plus however long that cycle takes on a large tenant
- The provisioning job is paused, or has been placed in quarantine after repeated failures and has stopped syncing
- Network latency or firewall blocks outbound SCIM requests from Entra ID
- Throttling by IDaaS due to high request volume

**Solution**
1. In the Microsoft Entra admin center, go to **Enterprise applications > [Your IDaaS App] > Provisioning** and check the current cycle status; there is no schedule setting to shorten the fixed 40-minute interval, so confirm the job is **On** and not in **Quarantine** (a quarantined job stops syncing until the underlying failures are fixed and it is restarted)
2. Ensure the IDaaS SCIM endpoint is reachable from the internet (Entra ID calls it from Microsoft-owned IP ranges, so an allow-list that only admits your corporate egress blocks it) and answers promptly with `2xx`; if it returns `429 Too Many Requests`, the provisioning service backs off and retries, which shows up as delay rather than as an error
3. Check the **Provisioning logs** for **Skipped** and **Failure** events; a skipped event carries a reason (for example the user is out of scope, or no change was detected), which is usually the real explanation for a "missed" update
4. To test a single user immediately, use **Provision on demand** rather than waiting for the cycle or restarting the job

**Verification**
- Make a test change (e.g., update the display name) in Entra ID
- Run **Provision on demand** for that user, or wait for the next 40-minute cycle, then confirm the update in IDaaS
- Review the provisioning logs for a successful `Update` (or `Create`) event for that user
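To find which changes the provisioning cycle actually missed rather than scanning the log by eye, here is an added Python example that is not part of the original guide and not Microsoft's tooling; it runs over constructed log records. The record shape (`time`, `user`, `action`, `status`, `reason`) is a simplification assumed for the example, not the Graph provisioning-log schema, so map the fields when you export real logs. A change counts as missed only once more than one 40-minute cycle has passed with no successful event for that user after the change, and throttling (HTTP 429 among the failures) is reported separately because it explains delay rather than loss.

```python
"""Missed-update triage over provisioning-log records.
Constructed example: record fields are an assumed simplification, not the
Microsoft Graph provisioning log schema."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

CYCLE = timedelta(minutes=40)  # Entra ID's fixed provisioning interval


def parse_ts(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-05-01T08:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample records (hypothetical users and times), oldest first
RECORDS: List[Dict[str, str]] = [
    {"time": "2024-05-01T08:00:00Z", "user": "alice@example.com", "action": "update", "status": "success"},
    {"time": "2024-05-01T08:00:05Z", "user": "bob@example.com", "action": "disable", "status": "skipped",
     "reason": "active attribute not mapped"},
    {"time": "2024-05-01T08:40:10Z", "user": "carol@example.com", "action": "delete", "status": "failure",
     "reason": "HTTP 429 Too Many Requests"},
    {"time": "2024-05-01T09:20:00Z", "user": "alice@example.com", "action": "update", "status": "success"},
]

# Constructed: when each user's change was made in Entra ID
CHANGES: Dict[str, datetime] = {
    "alice@example.com": parse_ts("2024-05-01T08:30:00Z"),  # synced at 09:20, fine
    "bob@example.com": parse_ts("2024-05-01T07:50:00Z"),    # disable was skipped
    "carol@example.com": parse_ts("2024-05-01T08:30:00Z"),  # delete failed (throttled)
    "dave@example.com": parse_ts("2024-05-01T09:50:00Z"),   # too recent to judge
    "eve@example.com": parse_ts("2024-05-01T07:00:00Z"),    # never provisioned
}
NOW = parse_ts("2024-05-01T10:00:00Z")


def missed_updates(records, changes, now, grace_cycles=1):
    """Return {user: explanation} for changes that should have synced by now.

    A change is missed when more than grace_cycles * CYCLE have elapsed since
    it was made and no successful event for that user is later than it. The
    explanation is the latest non-success event for the user, if there is one."""
    ordered = sorted(records, key=lambda r: parse_ts(r["time"]))
    last_success: Dict[str, datetime] = {}
    last_problem: Dict[str, str] = {}
    for r in ordered:
        if r["status"] == "success":
            last_success[r["user"]] = parse_ts(r["time"])
        else:
            last_problem[r["user"]] = f"{r['status']}: {r.get('reason', '')}"
    missed: Dict[str, str] = {}
    for user, changed_at in changes.items():
        if now - changed_at <= grace_cycles * CYCLE:
            continue  # still within normal provisioning latency
        ok_at = last_success.get(user)
        if ok_at is None or ok_at <= changed_at:
            missed[user] = last_problem.get(user, "no provisioning event after the change")
    return missed


def throttled(records) -> bool:
    """True when any failure carries HTTP 429, the signature of endpoint throttling."""
    return any(r["status"] == "failure" and "429" in r.get("reason", "") for r in records)


if __name__ == "__main__":
    for user, why in missed_updates(RECORDS, CHANGES, NOW).items():
        print(f"{user}: {why}")
    print("throttling seen:", throttled(RECORDS))
```

The grace period matters: flagging every change younger than one cycle produces false alarms on a healthy tenant, while anything older than a cycle with no success after it is worth a look, and the skipped reason from the log is usually the answer (in the sample, the disable for `bob` was skipped because `active` was not mapped, which is Problem 1 again).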

## FAQ

**Q: How do I check if SCIM provisioning is working correctly?**  
A: In the portal, go to your IDaaS enterprise app > Provisioning > **Provisioning logs**. Look for recent `Create`, `Update`, or `Delete` operations with status `Success`. Failed operations will show error details.

**Q: What permissions are required in Entra ID to manage provisioning?**  
A: You need a role that can manage enterprise applications. **Application Administrator** or **Cloud Application Administrator** is sufficient and is the least-privileged choice; **Global Administrator** also works but should not be used for routine provisioning work.

**Q: Why doesn’t disabling a user in Entra ID deactivate them in IDaaS immediately?**  
A: Deactivation depends on correct attribute mapping of the `active` SCIM attribute and a completed sync cycle. Ensure the mapping exists and the provisioning job is running.

**Q: Can I force a sync without waiting for the scheduled cycle?**  
A: Partly. Under the app's **Provisioning** blade, **Restart provisioning** clears the job's state and starts a fresh initial cycle that reprocesses every in-scope user, which can take a long time on a large tenant. For a single user, use **Provision on demand**, which sends the request immediately and shows the attribute values that were sent and the SCIM response that came back.

**Q: Where can I find the SCIM endpoint URL and token for IDaaS?**  
A: These are typically provided in the IDaaS admin console under **Integrations > SCIM Provisioning**. The endpoint follows the pattern `https://<tenant>.idaas.example.com/scim/v2/`. The bearer token is a long-lived credential that grants user create, update and delete rights, so keep it in a secret store, never in tickets or chat, and rotate it (updating the Entra ID provisioning credentials at the same time) whenever someone who had access leaves.