Skip to main content
  1. Project Insight Help Center
  2. Project Insight Guide
  3. SCIM Integration

How User Deletions Work With SCIM Provisioning in Microsoft Entra ID

Richard Gold

Overview

Project Insight supports user provisioning from Microsoft Entra ID using the SCIM 2.0 standard. When Entra ID provisions a user into Project Insight, it stores a persistent mapping between the Entra user and the SCIM user resource returned by Project Insight.

This article explains what happens when a user is deleted in Project Insight, why Entra ID continues referencing the old SCIM identifier, and what administrators must do if they want Entra ID to remap or reprovision the user.

How Project Insight Handles Deleted Users

Project Insight uses a soft‑delete model. When a user is deleted:

  • The user is removed from active use inside Project Insight
  • The user record still exists internally
  • The Project Insight SCIM API continues to return the user when Entra ID calls GET /Users/{id}
  • The SCIM response includes "active": false to indicate the user is disabled

This behavior is intentional and aligns with Microsoft’s recommended SCIM pattern for systems that support soft deletion.

Why Entra ID Continues Requesting the Old SCIM ID

When Entra ID provisions a user into Project Insight, it stores:

  • The SCIM id returned by Project Insight
  • The Entra user’s objectId
  • The attribute used for matching (e.g., userName, externalId)
  • The last known SCIM state

This mapping is stored in Entra ID’s provisioning cache and is not automatically updated or removed when a user is deleted in Project Insight.

Because Project Insight continues returning the soft‑deleted user (with "active": false"), Entra ID treats the SCIM ID as valid and will not attempt to reprovision or rematch the user.

This is expected behavior.

When You May Need to Restart Provisioning

Restarting provisioning is required if you want Entra ID to:

  • Provision a brand‑new user into Project Insight
  • Match the Entra user to a different existing user in Project Insight
  • Clear the old SCIM ID from its internal cache
  • Rebuild all mappings from scratch

Entra ID will not automatically forget or replace the SCIM ID it previously stored.

Restarting provisioning is the only supported method to force Entra ID to discard old mappings.

How to Restart Provisioning in Microsoft Entra ID

Restarting provisioning forces Entra ID to:

  • Clear all cached SCIM IDs
  • Rebuild its internal mapping table
  • Re-evaluate all users as if provisioning is running for the first time

Steps

  1. Sign in to the Azure portal 
    https://portal.azure.com
  2. Navigate to:
    Microsoft Entra ID → Enterprise applications
  3. Select the Project Insight enterprise application.
  4. In the left navigation, select Provisioning.
  5. At the top of the Provisioning blade, select Restart provisioning.
  6. Confirm the restart when prompted.

What Happens Next

  • Entra ID clears its provisioning cache
  • Entra ID re-queries your directory
  • Users are reprovisioned or rematched based on your current attribute mappings
  • Soft‑deleted users in Project Insight may be recreated if they are still in scope

Summary

  • Project Insight soft‑deletes users and continues returning them with "active": false
  • Entra ID retains the SCIM ID indefinitely
  • Entra ID will continue referencing the old SCIM ID even after deletion
  • If you want Entra ID to remap or reprovision a user, you must restart provisioning in the Azure portal

Related articles

Comments

0 comments

Article is closed for comments.

Powered by Zendesk