Okta Classic Engine / Lifecycle Management (Answered). Dates on the page: 2020-06-15, 2020-06-22, 2026-01-07.

i1rba (i1rba) asked a question.

User lifecycle management with OKTA and AD

Hello, we have our master in AD and we import users into OKTA. I am wondering which is the best way to manage leavers; actually what we do (I inherited this from the previous IT manager) is 1) we remove some attributes from AD, 2) we disable the user in AD, 3) we trigger a full import so the user becomes "deactivated" in OKTA as well. Please note that we do not delete users in AD. At this point the user is deprovisioned from assigned applications, and that's good. About groups: since some of them rely on rules that depend on user attributes, removing some attributes at point 1) causes the user to drop out of certain groups, but for static assignments and other kinds of groups the user is still in the groups, and I would rather not have that, since it's not clean and the group count is also wrong because it includes disabled users.

This is also connected to 3rd party applications like O365: actually we do not delete users from there either (we could not, they are linked to AD), but when they leave we convert them into shared mailboxes and the users are still in O365, unlicensed. We will soon have Salesforce, and there, we'd say, the deprovisioning would be different again. To summarize, what's your strategy?
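The clean-up the question asks about (deactivated users lingering in statically assigned Okta groups, which also inflates group counts) can be reconciled with Okta's Users and Groups REST APIs. The following is an added example, not code from the original post or from Okta: it lists users in status DEPROVISIONED, finds the groups each one is still in, skips AD-sourced (APP_GROUP) and built-in groups, and reports the remaining memberships; with `apply=True` it removes them. The org URL and API token are placeholders you supply; the HTTP layer is injected so the logic runs offline here against a constructed sample org. Rule-managed membership is dropped by Okta itself once the attribute change is imported, so the removal call is only needed for manual assignments.

```python
"""Reconcile static Okta group membership for deprovisioned users.

Added example (not from the original post or Okta). Assumes an Okta org URL and an
SSWS API token with permission to read users and manage groups.
"""
from __future__ import annotations

import json
import urllib.parse
import urllib.request
from typing import Callable

# One HTTP call: (method, path) -> parsed JSON body, or None for an empty body.
Requester = Callable[[str, str], object]

# Membership in these group types is owned by the directory or by Okta, not by admins.
SKIP_GROUP_TYPES = {"APP_GROUP", "BUILT_IN"}


def okta_requester(org_url: str, api_token: str) -> Requester:
    """Requester for a real org (org_url and api_token are assumed placeholders)."""
    def do(method: str, path: str):
        req = urllib.request.Request(
            org_url + path, method=method,
            headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"},
        )
        with urllib.request.urlopen(req) as resp:
            body = resp.read()
            return json.loads(body) if body else None
    return do


def deprovisioned_users(req: Requester) -> list:
    """First page (up to 200) of users whose status is DEPROVISIONED.
    Following the Link header for further pages is left out of this example."""
    query = urllib.parse.urlencode({"filter": 'status eq "DEPROVISIONED"', "limit": 200})
    return req("GET", "/api/v1/users?" + query)


def stale_static_memberships(req: Requester) -> list[tuple[str, str, str]]:
    """(user_id, group_id, group_name) for each deprovisioned user still in an admin-managed group."""
    stale = []
    for user in deprovisioned_users(req):
        for group in req("GET", f"/api/v1/users/{user['id']}/groups"):
            if group["type"] in SKIP_GROUP_TYPES:
                continue
            stale.append((user["id"], group["id"], group["profile"]["name"]))
    return stale


def reconcile(req: Requester, apply: bool = False) -> list[tuple[str, str, str]]:
    """Dry-run by default: return the stale memberships. With apply=True also remove each one."""
    stale = stale_static_memberships(req)
    if apply:
        for user_id, group_id, _name in stale:
            req("DELETE", f"/api/v1/groups/{group_id}/users/{user_id}")
    return stale


def fake_requester(calls: list) -> Requester:
    """Constructed sample org for offline use: two deprovisioned users, one of whom is
    still in a manually assigned group. Every call is recorded in `calls`."""
    users = [{"id": "u1", "status": "DEPROVISIONED"}, {"id": "u2", "status": "DEPROVISIONED"}]
    groups = {
        "u1": [{"id": "g-everyone", "type": "BUILT_IN", "profile": {"name": "Everyone"}},
               {"id": "g-vpn", "type": "OKTA_GROUP", "profile": {"name": "VPN Users"}}],
        "u2": [{"id": "g-ad-sales", "type": "APP_GROUP", "profile": {"name": "AD Sales"}}],
    }

    def do(method: str, path: str):
        calls.append((method, path))
        if method == "GET" and path.startswith("/api/v1/users?"):
            return users
        if method == "GET" and path.endswith("/groups"):
            return groups[path.split("/")[4]]  # /api/v1/users/<id>/groups
        if method == "DELETE":
            return None
        raise ValueError(f"unexpected call {method} {path}")
    return do


if __name__ == "__main__":
    calls: list = []
    for user_id, group_id, name in reconcile(fake_requester(calls)):
        print(f"{user_id} is deprovisioned but still in static group {name} ({group_id})")
```

Run it first without `apply` and review the list; the report is what the question's group counts are missing. Against a real org swap `fake_requester` for `okta_requester(org_url, token)`.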


  • Hi Mauro,

    We have several different approaches that could be leveraged (2 are listed here). When users are deactivated in Okta, manual deprovisioning tasks that are not completed automatically are created under Dashboard > Tasks for you to resolve. You could potentially leverage Automation as well to delete users after (x) time of inactivity. To assist you further, please open a support case.
This question is closed.