Skip to main content

How does the deactivation of users imported from Microsoft Entra ID (Azure AD) work?

  • Updated

SMARTFENSE allows controlling the status of users imported from Microsoft Entra ID through two independent settings: user status and handling of deleted users.

Where is it configured?

These options are found in the integration with Microsoft Entra ID, within the user configuration section. 

In the Users and Groups section > Import and Synchronization > From Microsoft Entra ID > Save to access the configuration

Important: you must have selected the option: "Synchronize periodically every day at 1:00 AM local time" for users to be updated daily

User status

Available options:

  • Use the status defined in SMARTFENSE
  • Reflect the user status in Microsoft Entra ID within SMARTFENSE

How does it work?

If selected:

Reflect the user status in Microsoft Entra ID within SMARTFENSE

  • The user status is synchronized according to the accountEnabled attribute from Microsoft Entra ID
  • If the user is deactivated in Entra ID → they are also deactivated in SMARTFENSE
  • This applies to users within the scope of the import (for example, imported groups

Users deleted in Microsoft Entra ID

Available options:

  • Keep unchanged in SMARTFENSE users who are deleted in Microsoft Entra ID
  • Deactivate in SMARTFENSE users who are deleted in Microsoft Entra ID

How does it work?

If selected:

Deactivate in SMARTFENSE users who are deleted in Microsoft Entra ID

  • SMARTFENSE queries an API that returns users deleted in the last 30 days
  • If any of those users exist on the platform → they will be automatically deactivated
  • This option is independent from the status configuration (accountEnabled)
  • It does not depend on the configured import filters

Common case

If a user is removed from the group being imported but is not deleted from Microsoft Entra ID:

  • The user will remain active in SMARTFENSE
  • They will not be automatically deactivated

This is because:

  • They are no longer within the scope of the import, no longer belong to the imported groups
  • But they were neither deleted nor deactivated in Entra ID

Key differences

  • User status (accountEnabled)
    • Depends on import filters
    • Reflects activations/deactivations
  • Deleted users
    • Does not depend on filters
    • Detects recent deletions (up to 30 days)
    • Allows automatic user deactivation

Considerations

  • Both settings operate independently
  • It is recommended to evaluate both according to the user management policy
  • Changes are applied on each synchronization

💡 Best practices

  • Use the reflect status option to maintain consistency with groups imported from Microsoft Entra ID
  • Enable deactivation of deleted users to keep the database updated with users deleted from Microsoft Entra ID

Related articles