Suspended accounts when an AD group accidentally gets deleted
Hi,
We are rolling out 1Password Business to around 140 via a SCIM bridge using Docker and AAD. Due to an issue with syncing on-premise AD groups and AAD a few AD groups were deleted that were already synced with 1Password. The users of these groups were suspended and their devices deactivated.
I wanted to check what happens to their private vault items once the AD groups are synced again via the 1Password Enterprise application?
On a related note, is there a reason why groups are not being synced to 1Password however the users within them are?
Thanks in advance!
Comments
-
Hello,
In these cases, we've purposefully made it so the SCIM bridge only suspends users. This means that when they are re-provisioned through your Azure Active Directory, the users should be reactivated with all of their previous data intact and available to them. This is in contrast to a deletion in which the users are permanently deleted, which is a manual action you can only perform through the 1Password administrator console.
For group memberships, there are a few things that can affect how groups are synced with AAD, the most important piece being that SCIM provisioning can only be made aware of Security Groups. This is a requirement of Azure rather than one of our bridge. I would ensure that the group type is Security Group, but if that's already the case, please let me know and we can investigate further.
0 -
Thanks for the reply. It's reassuring that data is not lost even if a user is removed from a group accidentally or a group goes missing. How long is the account and data suspended/stored for? If the account is deleted in AD how does that affect the user in 1Password?
0 -
Hey @1PBusinessUser,
The suspended users are kept until you delete them. Their data remains until you delete them. We will never delete your data for you.
If the account is deleted in AD, that will not affect the suspended 1Password user. In the eyes of AD, they have already told us to delete the user (telling us to set active:false or sending us a DELETE /User request) and so no further action is taken on their part.
On our end, the user remains suspended until either you delete the user, or we get a reactivation request from AD via an active:true request or a new CREATE /User request with the same email. In the latter case, we just reactivate the existing suspended user rather than creating a duplicate.
Graham
0
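The lifecycle described in the replies above, as an added example that is not part of the thread and not 1Password's code: a toy in-memory model in which directory requests only suspend, a create for a known email reactivates the existing user, and only an admin deletion removes data. BridgeModel, its method names and the sample email are hypothetical.

```python
# Added illustration, not 1Password's code: a toy in-memory model of the
# suspend/reactivate behaviour described in the replies above.
# BridgeModel and its method names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class User:
    email: str
    active: bool = True
    vault_items: list = field(default_factory=list)


class BridgeModel:
    def __init__(self):
        self.users = {}  # email -> User

    def create(self, email):
        # A create request for a known email reactivates the existing
        # (possibly suspended) user instead of making a duplicate.
        user = self.users.setdefault(email, User(email))
        user.active = True
        return user

    def set_active(self, email, active):
        # active:true / active:false update sent by the directory.
        user = self.users.get(email)
        if user is not None:
            user.active = active
        return user

    def directory_delete(self, email):
        # A delete request from the directory only suspends; data is kept.
        return self.set_active(email, False)

    def admin_delete(self, email):
        # Manual deletion in the admin console is the only permanent removal.
        return self.users.pop(email, None)

    def suspended_with_data(self):
        # Suspended accounts persist until an admin deletes them, so list
        # the ones still holding items for periodic review.
        return sorted(u.email for u in self.users.values()
                      if not u.active and u.vault_items)
```

Because suspended users are kept until an admin deletes them, a listing like suspended_with_data() is the kind of review an administrator would run after an accidental group deletion or as part of offboarding.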