Deprovisioning with New Azure AD and SCIM

I’ve set up 2 separate Enterprise Applications in EntraID, one for Azure OIDC and one for SCIM as per Inbound SCIM for New Azure AD Connections

If the user is removed from the SCIM app they’ll no longer have a role in my app but they’ll still have access through OIDC. Is there a way to couple these two processes, or do I just rely on the user being authenticated but not authorised? The deprovisioned users will always hang around in my Auth0 tenant, right, as OIDC has no way to remove users?

Hi @swarner1033

Thank you for reaching out to us!

Reading through your use-case, I would advise to rely on SCIM provisioning for blocking/deactivating users in Auth0 and removing their access, which should prove as a reliable method of managing the user’s lifecycle.

This can be achieved by using the Blocked attribute behavior. When the SCIM active attribute is mapped to the blocked attribute in Auth0 and contains a value of either true or false, Auth0 will reverse the value and set it to the user’s blocked attribute. If the active attribute is set to false, then the Auth0 user’s blocked attribute will be set to true. This should prevent the user from logging in and having access.

If you happen to encounter issues along the way, please take a moment to read through our documentation on Blocked Users in Azure AD are not Blocked in Auth0 when Using SCIM, which covers a known issue that causes this flow not to work as expected.

Hope this helped, let me know if this worked for you!

Best regards,
Gerald

Just to clarify: this means the user will still exist in the tenant, they’re just blocked?

Hi @swarner1033

That is correct, the users will remain on your tenant in a blocked state. With further implementation, it would be possible to make a call to the Delete a User endpoint and apply logic in order to delete users blocked for X amount of time.

Hope this helped!
Gerald
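An added example (not code from Auth0 or from this thread) of the cleanup Gerald describes: search the tenant for blocked users with the Management API, keep the ones blocked longer than a retention window, and remove them through the Delete a User endpoint. The tenant domain, token and sample users are assumptions, and `updated_at` is used as an approximation of the block time because Auth0 stores no "blocked since" timestamp.

```python
import json
import urllib.parse, urllib.request
from datetime import datetime, timedelta, timezone

# Hypothetical tenant values; the token needs the read:users and delete:users scopes.
AUTH0_DOMAIN = "example.us.auth0.com"
MGMT_TOKEN = "<management-api-token>"

# Constructed sample of what GET /api/v2/users?q=blocked:true returns (trimmed).
SAMPLE_USERS = [
    {"user_id": "auth0|old", "blocked": True, "updated_at": "2024-04-01T10:00:00.000Z"},
    {"user_id": "auth0|recent", "blocked": True, "updated_at": "2024-05-25T10:00:00.000Z"},
    {"user_id": "auth0|active", "blocked": False, "updated_at": "2024-01-01T10:00:00.000Z"},
]

def parse_ts(value):
    """Parse an Auth0 ISO-8601 timestamp such as 2024-04-01T10:00:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def stale_blocked_users(users, now, max_days):
    """Return user_ids blocked for longer than max_days. Auth0 has no 'blocked since'
    field, so updated_at (which changes when SCIM sets blocked=true) approximates it."""
    cutoff = now - timedelta(days=max_days)
    return [u["user_id"] for u in users
            if u.get("blocked") is True and parse_ts(u["updated_at"]) <= cutoff]

def _mgmt(method, path, query=None):
    """Minimal Management API call using only the standard library."""
    url = f"https://{AUTH0_DOMAIN}/api/v2{path}"
    if query:
        url += "?" + urllib.parse.urlencode(query)
    req = urllib.request.Request(url, method=method,
                                 headers={"Authorization": f"Bearer {MGMT_TOKEN}"})
    with urllib.request.urlopen(req) as resp:
        body = resp.read()  # DELETE returns 204 with an empty body
        return json.loads(body) if body else None

def purge_blocked_users(max_days=30, dry_run=True):
    """Page through blocked users and delete those blocked longer than max_days."""
    now, page, deleted = datetime.now(timezone.utc), 0, []
    while True:
        batch = _mgmt("GET", "/users", {"q": "blocked:true", "search_engine": "v3",
                                         "per_page": 50, "page": page})
        if not batch:
            break
        for uid in stale_blocked_users(batch, now, max_days):
            if not dry_run:
                _mgmt("DELETE", f"/users/{urllib.parse.quote(uid, safe='')}")
            deleted.append(uid)
        page += 1
    return deleted
```

Run `purge_blocked_users(30)` first with the default `dry_run=True` to review the list of user_ids it would remove, then with `dry_run=False` once the retention window matches your policy.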
