SMARTFENSE allows controlling the status of users imported from Microsoft Entra ID through two independent settings: user status and handling of deleted users.
Where is it configured?
These options are found in the integration with Microsoft Entra ID, within the user configuration section.
In the Users and Groups section > Import and Synchronization > From Microsoft Entra ID > Save to access the configuration
| Important: you must have selected the option: "Synchronize periodically every day at 1:00 AM local time" for users to be updated daily |
User status
Available options:
- Use the status defined in SMARTFENSE
- Reflect the user status in Microsoft Entra ID within SMARTFENSE
How does it work?
If selected:
Reflect the user status in Microsoft Entra ID within SMARTFENSE
- The user status is synchronized according to the accountEnabled attribute from Microsoft Entra ID
- If the user is deactivated in Entra ID → they are also deactivated in SMARTFENSE
- This applies to users within the scope of the import (for example, imported groups
Users deleted in Microsoft Entra ID
Available options:
- Keep unchanged in SMARTFENSE users who are deleted in Microsoft Entra ID
- Deactivate in SMARTFENSE users who are deleted in Microsoft Entra ID
How does it work?
If selected:
Deactivate in SMARTFENSE users who are deleted in Microsoft Entra ID
- SMARTFENSE queries an API that returns users deleted in the last 30 days
- If any of those users exist on the platform → they will be automatically deactivated
- This option is independent from the status configuration (accountEnabled)
- It does not depend on the configured import filters
Common case
If a user is removed from the group being imported but is not deleted from Microsoft Entra ID:
- The user will remain active in SMARTFENSE
- They will not be automatically deactivated
This is because:
- They are no longer within the scope of the import, no longer belong to the imported groups
- But they were neither deleted nor deactivated in Entra ID
Key differences
- User status (accountEnabled)
- Depends on import filters
- Reflects activations/deactivations
- Deleted users
- Does not depend on filters
- Detects recent deletions (up to 30 days)
- Allows automatic user deactivation
Considerations
- Both settings operate independently
- It is recommended to evaluate both according to the user management policy
- Changes are applied on each synchronization
💡 Best practices
- Use the reflect status option to maintain consistency with groups imported from Microsoft Entra ID
- Enable deactivation of deleted users to keep the database updated with users deleted from Microsoft Entra ID