This article describes the steps to troubleshoot an issue where the app user deprovisioning event stops triggering after an app assignment removal in an application with provisioning and deprovisioning enabled.
An Okta admin can confirm the change in behavior by running the following System Log report query:
target.id eq "{ApplicationId}" and target.type eq "AppInstance" and (eventType eq "application.user_membership.remove" OR eventType eq "application.provision.user.deactivate" OR eventType eq "application.provision.user.deprovision")
The results show the following difference in behavior:
Old behavior (the app user is deprovisioned successfully when the app assignment is removed):
New behavior (app user deprovisioning is not triggered when the app assignment is removed):
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Okta Integration Network (OIN)
- Provisioning
How is the Deactivate Users setting verified and enabled?
Verify the application configuration in the Okta Admin Console to ensure users are deactivated upon assignment removal.
- Navigate to the Okta Admin Console.
- Go to Applications > Applications and select the application.
- Select the Provisioning tab and choose To App in the left settings menu.
- Select Edit and ensure the Deactivate Users checkbox is selected.
- Select Save.
Verify the System Log for configuration changes.
Search the System Log to determine if an administrator manually disabled the deprovisioning feature before the assignment removal.
- Go to Reports > System Log.
- Enter the following query to find events where deprovisioning was stopped:
target.id eq "<ApplicationId>" and target.type eq "AppInstance" and eventType eq "application.lifecycle.update" and debugContext.debugData.customMessage eq "Stop deprovisioning unassigned users"
- Enter the following query to find events where deprovisioning was started:
target.id eq "<ApplicationId>" and target.type eq "AppInstance" and eventType eq "application.lifecycle.update" and debugContext.debugData.customMessage eq "Deprovisioning unassigned users"
- Compare the timestamp of the application assignment removal against the start or stop deprovisioning events. If the assignment was removed after the feature was disabled, Okta functions as expected by not triggering the deprovisioning event.
How is a missing external ID resolved?
If the initial provisioning fails, the user lacks an external ID, which prevents Okta from sending deprovisioning requests. Open a support ticket with Okta Support to verify this root cause.
- Gather the impacted Okta username, the application username, and the timestamp of the application assignment removal.
- Open a support ticket with Okta Support and provide the gathered information for further investigation.
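As an added example that is not part of the Okta article, the following Python script applies the timestamp comparison from the System Log check above and the missing-external-ID check from this section to an exported list of events. It uses the eventType and customMessage values quoted in the queries, a placeholder application ID, and constructed sample events, so it runs offline.

```python
from datetime import datetime
APP_ID = "0oaEXAMPLEAPPID"  # placeholder application ID, not a real Okta value
STOP_MSG = "Stop deprovisioning unassigned users"
START_MSG = "Deprovisioning unassigned users"
DEPROVISION_EVENTS = {"application.provision.user.deactivate", "application.provision.user.deprovision"}

def _ev(published, event_type, user=None, message=None):
    """Build a minimal constructed System Log event with the fields the queries above filter on."""
    e = {"published": published, "eventType": event_type, "target": [{"id": APP_ID, "type": "AppInstance"}]}
    if user:
        e["target"].append({"type": "User", "alternateId": user})
    if message:
        e["debugContext"] = {"debugData": {"customMessage": message}}
    return e

# Constructed sample export: alice is removed while deprovisioning is on, bob after an admin
# stopped it, carol after it was re-enabled but with no deprovision event following.
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:00:00.000Z", "application.user_membership.remove", user="alice@example.com"),
    _ev("2024-05-01T09:00:05.000Z", "application.provision.user.deprovision", user="alice@example.com"),
    _ev("2024-05-01T10:00:00.000Z", "application.lifecycle.update", message=STOP_MSG),
    _ev("2024-05-01T11:00:00.000Z", "application.user_membership.remove", user="bob@example.com"),
    _ev("2024-05-01T12:00:00.000Z", "application.lifecycle.update", message=START_MSG),
    _ev("2024-05-01T13:00:00.000Z", "application.user_membership.remove", user="carol@example.com"),
]
def _ts(event):
    return datetime.fromisoformat(event["published"].replace("Z", "+00:00"))
def _user_of(event):
    return next(t["alternateId"] for t in event["target"] if t["type"] == "User")
def _toggle_msg(event):
    return event.get("debugContext", {}).get("debugData", {}).get("customMessage")

def classify_removals(events, app_id):
    """Map each removed username to a verdict: deprovisioned, expected (feature was off), or investigate."""
    app_events = sorted((e for e in events if any(t.get("id") == app_id for t in e["target"])), key=_ts)
    toggles = [e for e in app_events if e["eventType"] == "application.lifecycle.update"
               and _toggle_msg(e) in (STOP_MSG, START_MSG)]
    verdicts = {}
    for removal in (e for e in app_events if e["eventType"] == "application.user_membership.remove"):
        user, when = _user_of(removal), _ts(removal)
        # Deactivate Users state at the moment of the removal: the most recent start/stop toggle
        prior = [t for t in toggles if _ts(t) <= when]
        if prior and _toggle_msg(prior[-1]) == STOP_MSG:
            verdicts[user] = "expected: deprovisioning was disabled before the removal"
        elif any(e["eventType"] in DEPROVISION_EVENTS and _ts(e) >= when and _user_of(e) == user
                 for e in app_events):
            verdicts[user] = "deprovisioned"
        else:
            verdicts[user] = "investigate: no deprovision event, possible missing external ID"
    return verdicts
```

Users classified as "investigate" are the ones whose Okta username, application username and removal timestamp should go into the support ticket.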
