I'm running the latest greatest Azure Driver and I'm having serious issues with the default behaviour of Azure AD and missing functionality within the Driver Shim.

When you delete a User object via the Driver Shim, that object is not permanently deleted. By default, that object will be in a recycle bin for 30 days within Azure.

The problem is that whenever the User gets entitled again for Azure AD within those 30 days the Matching Rule does not find the User object, because the Shim uses only the REST method "List users", which does not return deleted items. The Driver therefore assumes it should push an add event. This results in an error from Azure AD as the immutableID already exists within Azure AD.

The fact that the Driver does not use the REST method for listing "Deleted Items" breaks the matching for deleted user objects. Note that my example is about User objects: the same applies to Group objects within Azure AD.

To summarize: please make the Azure AD Driver Shim aware of deleted items within Azure AD. The GRAPH api methods are already provided by Microsoft to support the querying and purging of deleted items:

https://docs.microsoft.com/en-us/graph/api/resources/directory?view=graph-rest-1.0

Thanks!
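Added example (not code from the original post or from the driver vendor) showing the matching logic the post asks for: look the immutable ID up in the active users first, then in the deleted items, and only then fall back to an add. The sample objects and IDs are constructed; the Graph endpoints (`/users`, `/directory/deletedItems/{id}/restore`, `DELETE /directory/deletedItems/{id}`) are the documented Microsoft Graph v1.0 ones, and `classify_sync_event`/`graph_request` are names chosen for this example.

```python
GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample responses: what "List users" and the deleted-items
# listing would return (real responses carry more properties).
ACTIVE_USERS = [
    {"id": "11111111-aaaa-4bbb-8ccc-000000000001",
     "userPrincipalName": "alice@example.com",
     "onPremisesImmutableId": "AAAAAAAAAAAAAAAAAAAAAA=="},
]
DELETED_USERS = [
    {"id": "22222222-aaaa-4bbb-8ccc-000000000002",
     "userPrincipalName": "bob@example.com",
     "onPremisesImmutableId": "BBBBBBBBBBBBBBBBBBBBBB==",
     "deletedDateTime": "2024-01-10T09:30:00Z"},
]


def find_by_immutable_id(objects, immutable_id):
    """Return the object whose onPremisesImmutableId matches, or None."""
    for obj in objects:
        if obj.get("onPremisesImmutableId") == immutable_id:
            return obj
    return None


def classify_sync_event(immutable_id, active_users, deleted_users):
    """Decide what to do for a user being (re)entitled to Azure AD.

    Passing an empty deleted_users list reproduces the behaviour the post
    describes: a soft-deleted user falls straight through to 'add', which
    Azure AD then rejects because the immutableId already exists.
    """
    obj = find_by_immutable_id(active_users, immutable_id)
    if obj:
        return ("match", obj["id"])
    obj = find_by_immutable_id(deleted_users, immutable_id)
    if obj:
        return ("restore", obj["id"])
    return ("add", None)


def graph_request(event, object_id=None):
    """Map a decision to the Graph method and URL that carries it out."""
    if event == "restore":
        return ("POST", f"{GRAPH}/directory/deletedItems/{object_id}/restore")
    if event == "purge":  # permanent delete, for a 'purge directly' option
        return ("DELETE", f"{GRAPH}/directory/deletedItems/{object_id}")
    if event == "add":
        return ("POST", f"{GRAPH}/users")
    return ("GET", f"{GRAPH}/users/{object_id}")
```

Matching on `onPremisesImmutableId` rather than on `userPrincipalName` matters here, because the UPN of a soft-deleted object is not guaranteed to be what it was before deletion.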

Comments

  • It would be nice if you could configure the Driver to:

    - Purge Deleted items directly (yes/ no)
    - Restore Deleted items upon match