Deprovision/Delete user when user is deleted/blocked in Azure AD

Hi,

We have been a bit frustrated by using Auth0, as after building the solution we have come to know from the docs and community forums that Auth0 provides no support for deprovisioning/blocking users if they are blocked/deleted in the identity provider (Azure AD in our case).

Handling it ourselves, i.e. in a rule, is also not simple, as

  1. It adds a lot of latency
  2. If the user doesn’t come to our site, how do we know that he has been deleted/blocked in the source system?

Some other issues are

  1. While returning a new access token for a refresh token, Auth0 doesn’t check in the source system whether the user is still active or not.
  2. The only simple way is to keep the refresh token lifetime a bit shorter so that the user is redirected to Azure AD and his status can be checked, and this is not at all a good user experience for the end user.

We are now thinking of removing Auth0 and switching to some other provider.

Regards,
Robin


Hello @RobinNagpal,

If the user is blocked / disabled in the source system, then the user won’t be able to authenticate. The user may still have a profile in Auth0 but without the ability to actually log in.

It is true that Auth0 does not proactively check connected IdP systems for user state. Auth0 is a SaaS app … the processing power required to do this for every customer and every connected IdP would be astronomical. It is up to the client to delete the associated Auth0 profile if that is desired.

When a user is deleted or blocked in a source system there needs to be an intermediary service that replicates the change in Auth0, revokes refresh tokens, etc. This could be as simple as a custom cron job or as complicated as a full blown IGA solution.
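The "custom cron job" the reply describes, as an added example that is not part of this thread or Auth0's own tooling: it reconciles Azure AD state (Microsoft Graph `/users` and `/directory/deletedItems`) against Auth0 user records and plans block/delete calls to the Management API. It assumes the Auth0 identity `user_id` for the Azure AD connection is the Azure AD object id, and all sample data is constructed.

```python
# Cron-style job that mirrors Azure AD disables/deletes into Auth0 (constructed sample data).
# Input shapes follow Microsoft Graph (/users, /directory/deletedItems/microsoft.graph.user)
# and the Auth0 Management API (/api/v2/users).
from dataclasses import dataclass
from urllib.parse import quote

@dataclass(frozen=True, order=True)
class Action:
    kind: str           # "block" (AAD account disabled) or "delete" (AAD account deleted)
    auth0_user_id: str  # e.g. "waad|<object id>"

def plan_deprovisioning(graph_users, graph_deleted, auth0_users, provider="waad"):
    """Decide which Auth0 users to block or delete from Azure AD state.
    Assumption (verify in your tenant): the Auth0 identity user_id for the Azure AD
    connection is the Azure AD object id. A user in neither Graph list is left alone:
    absence may be a partial fetch; only an explicit deletedItems record justifies deletion.
    """
    disabled = {u["id"] for u in graph_users if not u.get("accountEnabled", True)}
    deleted = {u["id"] for u in graph_deleted}
    actions = set()
    for user in auth0_users:
        for ident in user.get("identities", []):
            if ident.get("provider") != provider:
                continue
            oid = ident.get("user_id")
            if oid in deleted:
                actions.add(Action("delete", user["user_id"]))
            elif oid in disabled and not user.get("blocked", False):
                actions.add(Action("block", user["user_id"]))
    return sorted(actions)

def to_management_calls(actions):
    """Map actions to Auth0 Management API requests as (method, path, json body)."""
    calls = []
    for a in actions:
        path = "/api/v2/users/" + quote(a.auth0_user_id, safe="")  # '|' must be URL-encoded
        body = {"blocked": True} if a.kind == "block" else None
        calls.append(("PATCH" if a.kind == "block" else "DELETE", path, body))
    return calls

def waad(oid, blocked=False):  # helper to build a constructed Auth0 user record
    return {"user_id": f"waad|{oid}", "blocked": blocked,
            "identities": [{"provider": "waad", "user_id": oid}]}
GRAPH_USERS = [{"id": "1111-aaaa", "accountEnabled": True},
               {"id": "2222-bbbb", "accountEnabled": False},
               {"id": "5555-eeee", "accountEnabled": False}]
GRAPH_DELETED = [{"id": "3333-cccc"}]
AUTH0_USERS = [waad("1111-aaaa"), waad("2222-bbbb"), waad("3333-cccc"),
               waad("4444-dddd"), waad("5555-eeee", blocked=True),
               {"user_id": "auth0|admin", "identities": [{"provider": "auth0", "user_id": "admin"}]}]
```

Revoking the user's refresh tokens, which the reply also calls for, is a separate Management API step not shown here.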