Auth0 Users Not synced up

Problem statement

I noticed that Users in Auth0 still include the AD users that are no longer in our Active Directory. The user was removed from our Active Directory, but I still see the account in Auth0. What is needed to make sure Users in Auth0 sync with Active Directory?

Cause

This is expected behaviour under the current design. Auth0 creates a user profile the first time someone authenticates through an enterprise connection, and deleting that user at the external identity provider is not propagated to the Auth0 user list.

Solution

Because the deletion is not propagated, the user's existing Auth0 sessions remain usable until they expire. Only when the user has to authenticate again does Auth0 contact the external IdP, at which point the login fails because the account no longer exists there. With AD/LDAP connections there is an added risk: if the connector is unavailable, Auth0 can fall back to cached credentials, so a removed user could still log in when both of the following hold:

  • The connector is down
  • The user's credentials are cached from a previous successful login

So depending on your security requirements, it may be better to delete the user in Auth0 as well (from the Dashboard or through the Management API), and to consider disabling the connection's credential cache if your policy does not permit cached logins.
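The cleanup described above can be automated by reconciling the users Auth0 holds for the AD/LDAP connection against the current AD roster and deleting the ones that no longer exist. The script below is an added example, not Auth0's own tooling or code from this article. It assumes a tenant domain, a Management API token with the `read:users` and `delete:users` scopes, a connection named `corp-ad`, and that the profile's `email` is the attribute to match against AD (the sample user records and roster are constructed for an offline dry run; the HTTP calls use the standard `GET /api/v2/users` search and `DELETE /api/v2/users/{id}` endpoints). Users whose profile carries no email are reported instead of deleted, since they cannot be matched safely.

```python
"""Reconcile Auth0 users from an AD/LDAP connection against the current AD roster.

Added example (not from the original article). Assumed values below must be
replaced with your tenant domain, a Management API token carrying read:users
and delete:users, and the AD/LDAP connection name shown in the Auth0 dashboard.
"""
import json
import urllib.parse
import urllib.request

AUTH0_DOMAIN = "example.us.auth0.com"              # assumption
MGMT_TOKEN = "REPLACE_WITH_MANAGEMENT_API_TOKEN"   # assumption
AD_CONNECTION = "corp-ad"                          # assumption


def _mgmt(method, path, token, domain=AUTH0_DOMAIN, params=None):
    """Call the Auth0 Management API and return the decoded JSON body (None if empty)."""
    url = f"https://{domain}/api/v2/{path}"
    if params:
        url += "?" + urllib.parse.urlencode(params)
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read()
    return json.loads(body) if body else None


def fetch_connection_users(connection, token, domain=AUTH0_DOMAIN):
    """Page through GET /api/v2/users for one connection (Lucene query on identities.connection).

    User search returns at most 1000 results in total; for larger tenants use a
    user export job instead of search.
    """
    users, page, per_page = [], 0, 100
    while True:
        batch = _mgmt("GET", "users", token, domain, {
            "q": f'identities.connection:"{connection}"',
            "search_engine": "v3",
            "per_page": per_page,
            "page": page,
        })
        users.extend(batch or [])
        page += 1
        if not batch or len(batch) < per_page or page * per_page >= 1000:
            return users


def stale_users(auth0_users, active_ad_emails, connection):
    """Split the connection's users into (to_delete, unmatched).

    A user is stale when it came from `connection` and its email is not in the
    current AD roster (compared case-insensitively). Users without an email on
    the profile cannot be matched and are returned separately, never deleted.
    """
    roster = {e.strip().lower() for e in active_ad_emails}
    to_delete, unmatched = [], []
    for u in auth0_users:
        if not any(i.get("connection") == connection for i in u.get("identities", [])):
            continue  # came from another connection; leave it alone
        email = (u.get("email") or "").strip().lower()
        if not email:
            unmatched.append(u["user_id"])
        elif email not in roster:
            to_delete.append(u["user_id"])
    return to_delete, unmatched


def delete_user(user_id, token, domain=AUTH0_DOMAIN):
    """DELETE /api/v2/users/{id}: removes the Auth0 profile for that user."""
    _mgmt("DELETE", f"users/{urllib.parse.quote(user_id, safe='')}", token, domain)


def reconcile(active_ad_emails, token=MGMT_TOKEN, connection=AD_CONNECTION,
              domain=AUTH0_DOMAIN, dry_run=True):
    """Fetch the connection's users, report what would be removed, delete unless dry_run."""
    users = fetch_connection_users(connection, token, domain)
    to_delete, unmatched = stale_users(users, active_ad_emails, connection)
    for uid in unmatched:
        print(f"skip {uid}: no email on profile, cannot match against AD")
    for uid in to_delete:
        print(("would delete " if dry_run else "deleting ") + uid)
        if not dry_run:
            delete_user(uid, token, domain)
    return to_delete


# Constructed sample data for an offline dry run (not real tenant data).
SAMPLE_AUTH0_USERS = [
    {"user_id": "ad|corp-ad|1111", "email": "alice@corp.example",
     "identities": [{"connection": "corp-ad", "provider": "ad"}]},
    {"user_id": "ad|corp-ad|2222", "email": "Bob@corp.example",
     "identities": [{"connection": "corp-ad", "provider": "ad"}]},
    {"user_id": "ad|corp-ad|3333",   # no email on the profile
     "identities": [{"connection": "corp-ad", "provider": "ad"}]},
    {"user_id": "auth0|4444", "email": "carol@corp.example",
     "identities": [{"connection": "Username-Password-Authentication",
                     "provider": "auth0"}]},
]
SAMPLE_AD_ROSTER = ["alice@corp.example"]  # Bob has been removed from AD

if __name__ == "__main__":
    gone, unknown = stale_users(SAMPLE_AUTH0_USERS, SAMPLE_AD_ROSTER, "corp-ad")
    print("stale:", gone, "unmatched:", unknown)
```

Run it as a dry run first (`reconcile(roster)` with the default `dry_run=True`) and review the output before switching to `dry_run=False`; the roster should come from the same AD attribute the connection maps to `email`, otherwise every user will look stale. Deleting the profile removes the user from the Auth0 list but does not, by itself, revoke sessions that have already been issued, so pair it with your session lifetime settings.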