auto remove auto-provisioned groups + users?

Community Member


I just created a scim bridge with azure container and while i was testing i noticed the following:

If i create a group (test group) and add users to the group it nicely add the group + user to 1password. so the scim bridge is working.

When i disable a user in azure that is a member of the test group the user get suspended in 1password.

When i remove the user from the test group the user is still suspended in 1password.
When i remove the group from the azure provisioning page the group is also still visible in 1password.

Is it possible to let auto provisioning also delete the user / groups that i remove from azure?
Now after a colleague is leaving the company i still manually need to remove the user from 1password.

i know when i disable auto-provisioning in 1password i can manually remove the users that was created. But if it is possible i like auto-provisioning to do this for me.

1Password Version: 8.10.30
Extension Version: 2.22.1
OS Version: windows
Browser: Firefox


  • EWals
    Community Member
    edited April 11

    Little update:
    I needed to be more patience for the group to get removed.
    The group that got provisioned got removed after a while.

    Manually restarting the provisioning didn't do the trick for the group.
    I checked back after a few hours and the group got removed.

    The user is still suspended and visible in the people tab.
    Will the user also get deleted after a period of time or does this need to be done manually?
    If it get deleted automatically how long does this take?

  • Hi @EWals

    Thanks for reaching out.
    Great question!

    Your 1Password SCIM Bridge should never be able to Delete an account; if a user is deleted, suspended or removed from provisioned groups in your Azure AD, those users should be put into a Suspended state in their 1Password account. You may delete such users manually as needed.

    However the unique situation where a SCIM bridge will Delete a user, is if a user was manually invited through 1Password (without a SCIM bridge) and an Admin never confirmed them before the SCIM bridge made a match on the e-mail address, your SCIM bridge would then Delete the account if the user was Suspended from the IdP side. That scenario would be rare and unlikely in your situation.

    You're correct about the wait time of Azure AD as takes approx 40 minute provisioning cycle. To circumvent the 40-minute wait time that Azure AD imposes on 1Password Enterprise application, it has a option called "Provision on demand". You can use it to test or assign a user and immediately view the outcome.

    Let me now if you have additional questions.