
MichaelG.95342 (Customer) asked a question.
All of the results I have been able to muster are in the context of AD and forcing a full sync after changing OUs or deleting in AD... is there an equivalent to doing an AD sync that removes users when federated with Okta? I know there's an early access feature that includes additional deprovisioning options - is this something I will need to wait for? Are these issues the very reason why this feature is coming?
Previously I would run Set-MsolUserPrincipalName to the tenant domain and this would change the user over to cloud managed after a short period. Now this does nothing (I have users who have been switched for weeks, still showing as "synced"). More recently I tried deleting and restoring a user in addition to making that change - this also has stopped working. The error is always in reference to AAD, but I haven't had luck finding anything useful there either.

Hello @MichaelG.95342 (Customer),
Thank you for posting.
Please check the following link with information related:
https://support.okta.com/help/s/article/Useful-Powershell-Commands-for-Managing-Your-Okta-Office365-Integration?language=en_US
Regards,
Natalia
Okta Inc.

Thank you, Natalia. Part of my issue is that the help article is no longer helpful for what I am trying to do, as Microsoft made changes over the last few years since it was last updated (September 2018).
The ImmutableID, for instance, is no longer able to be updated via the MSOL commands. Removing the ImmutableID using the relevant AzureAD command doesn't work to break federation - and even doing that requires a workaround as removing the ImmutableID altogether is not considered a supported action. Changing the UserPrincipalName to the unfederated tenant domain no longer changes federation status. Deleting the user and restoring them also no longer makes the change. AzureAD continues to remember that the user was federated and seems to lock them by their unique object ID now.
As I mentioned, the posted first-party solutions to this problem revolve around AD and having AD report via synchronization the user is deleted. Can't do that with Okta as far as I know.
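The thread above keeps coming back to two attributes that Azure AD / Entra ID holds on the user object: the "synced" flag and the ImmutableID. The following is an added diagnostic example, not code from the original thread, from Okta, or from the linked support article. It uses the Microsoft Graph PowerShell SDK (the MSOnline and AzureAD modules the thread relies on are deprecated) to report, for each user, whether Entra ID still treats the account as directory-synced, what ImmutableID it holds, and whether the user's UPN suffix is a federated or managed domain. It assumes the Microsoft.Graph module is installed, that the caller can consent to the User.Read.All and Domain.Read.All scopes, and that the UPNs in $upns are constructed placeholders you replace with your own. It changes nothing; it only shows what the directory still remembers about the account before you try any of the steps described in the thread.

```powershell
# Added example: report the Entra ID (Azure AD) attributes that decide
# whether a user is treated as directory-synced / federated.
# Assumes the Microsoft.Graph module is installed and that the signed-in
# account can consent to the read-only scopes below.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes 'User.Read.All', 'Domain.Read.All' -NoWelcome

# Constructed example UPNs; replace with the users you are investigating.
$upns = @(
    'alice@tenant.example',
    'bob@tenant.example'
)

# Only the properties that matter for the sync/federation question.
$props = @(
    'Id',
    'UserPrincipalName',
    'OnPremisesSyncEnabled',       # the "synced" flag shown in the portal
    'OnPremisesImmutableId',       # the ImmutableID discussed in the thread
    'OnPremisesLastSyncDateTime'
)

# Cache domain authentication type (Managed vs Federated) per UPN suffix.
$domainCache = @{}

function Get-DomainAuthType {
    param([string]$DomainName)
    if (-not $domainCache.ContainsKey($DomainName)) {
        try {
            $d = Get-MgDomain -DomainId $DomainName -ErrorAction Stop
            $domainCache[$DomainName] = $d.AuthenticationType
        } catch {
            # Domain not in this tenant or not readable; record the failure.
            $domainCache[$DomainName] = "unknown ($($_.Exception.Message))"
        }
    }
    return $domainCache[$DomainName]
}

$report = foreach ($upn in $upns) {
    try {
        $u = Get-MgUser -UserId $upn -Property $props -ErrorAction Stop
    } catch {
        Write-Warning "Lookup failed for ${upn}: $($_.Exception.Message)"
        continue
    }

    $suffix = ($u.UserPrincipalName -split '@')[1]

    [pscustomobject]@{
        UPN             = $u.UserPrincipalName
        ObjectId        = $u.Id
        SyncEnabled     = $u.OnPremisesSyncEnabled
        ImmutableId     = $u.OnPremisesImmutableId
        LastSync        = $u.OnPremisesLastSyncDateTime
        UpnDomainAuth   = Get-DomainAuthType -DomainName $suffix
    }
}

$report | Format-Table -AutoSize
```

Read the output together: a user whose UPN has been moved to a Managed domain but who still shows SyncEnabled = True and a populated ImmutableId is exactly the state the original poster describes, and the ObjectId column is the identifier the poster suspects the directory is keying on. Run the report before and after each attempted change (UPN move, delete and restore) so you have evidence of which attribute, if any, actually changed rather than relying on what the portal badge says.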