Training Platform - How do I deactivate SCIM-provisioned users (SCIM Deprovisioning)?
For users provisioned via SCIM, the Identity Provider (IdP) is the source of truth. Users must be deactivated in the IdP so Living Security can receive the update and mark the user as inactive (active = false).
Here is how deactivation is triggered in each SCIM provider.
Okta (Identity Provider)
For users provisioned via Okta SCIM, deactivation must be initiated in Okta.
Option 1: Unassign the user from the Living Security app (recommended)
- In Okta, navigate to the Living Security application.
- Go to Assignments.
- Remove (unassign) the user from the application.
Unassigning the user sends a SCIM update that sets the user to inactive (active = false) in Living Security.
Option 2: Deactivate the user in Okta
- Deactivate the user at the Okta directory level.
This option requires Deactivate Users to be enabled under Applications → Living Security → Provisioning → To App.
View Okta support articles for the most up-to-date information.
Microsoft Entra ID (Azure AD)
For users provisioned via Microsoft Entra ID (Azure AD), deactivation must be initiated in Entra.
Option 1: Remove the user from the Living Security enterprise application (recommended)
- In Entra ID, open Enterprise Applications → Living Security.
- Go to Users and groups.
- Remove the user assignment.
Removing the assignment sends a SCIM update that sets the user to inactive (active = false) in Living Security.
Option 2: Disable the user in Entra ID
- Disable the user account in Entra ID.
This works only if Disable Account / Provisioning Status is configured to push deactivations in the SCIM provisioning settings.
View MS Entra ID support articles for the most up-to-date information.
OneLogin
For users provisioned via OneLogin SCIM, deactivation must be initiated in OneLogin.
Option 1: Unassign the user from the Living Security app (recommended)
- Open the Living Security application in OneLogin.
- Remove the user from the app assignment.
This sends a SCIM update marking the user as inactive (active = false).
Option 2: Disable the user in OneLogin
- Disable the user at the directory level.
This triggers a SCIM deactivation only if user deprovisioning is enabled for the app.
View OneLogin support articles for the most up-to-date information.
Google Workspace
For users provisioned via Google Workspace SCIM, deactivation must be initiated in Google.
Option 1: Remove the user from the Living Security SCIM app (recommended)
- In Google Admin, open Apps → Web and mobile apps → Living Security.
- Remove the user assignment.
This sends a SCIM update setting the user to inactive (active = false).
Option 2: Suspend the user account
- Suspend the user in Google Workspace.
Suspension may trigger deactivation depending on the SCIM configuration, but removing app access is the most reliable method.
View Google Workspace support articles for the most up-to-date information.
Key Notes (Applies to All SCIM Providers)
- SCIM deactivation sets active = false; users are not deleted.
- Manual deactivation in Living Security will not persist if SCIM is enabled.
- Removing the user from the app assignment is the most reliable and consistent method across all IdPs.
- If a user does not deactivate as expected, confirm:
  - SCIM provisioning is enabled
  - Deactivation/deprovisioning is allowed in the IdP app settings
  - The user was originally created via SCIM (not manually)
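When a user does not deactivate as expected, it helps to check whether the request recorded in the IdP's provisioning log actually carried active = false. The following is an added example, not Living Security or IdP code: it assumes SCIM 2.0 request shapes (RFC 7644), and the function names and sample payloads are constructed for illustration. Which shape a given IdP emits should be verified in its own logs.

```python
import json

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

def _as_bool(value):
    """Normalise an 'active' value; some clients send the string "False"."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str) and value.strip().lower() in ("true", "false"):
        return value.strip().lower() == "true"
    return None  # absent or not interpretable

def sets_inactive(method, body):
    """True if a SCIM request (HTTP method + JSON body) leaves active = false."""
    doc = json.loads(body)
    if method.upper() == "PUT":  # full replace: 'active' sits at the top level
        return _as_bool(doc.get("active")) is False
    if method.upper() != "PATCH" or PATCH_SCHEMA not in doc.get("schemas", []):
        return False
    result = False
    for op in doc.get("Operations", []):
        if str(op.get("op", "")).lower() not in ("add", "replace"):
            continue  # op name may arrive capitalised, so compare lowercased
        path, value = op.get("path"), op.get("value")
        if path is None and isinstance(value, dict):  # no path: attribute map
            value = next((v for k, v in value.items() if k.lower() == "active"), None)
        elif not (isinstance(path, str) and path.lower() == "active"):
            continue
        state = _as_bool(value)
        if state is not None:
            result = state is False  # the last operation on 'active' wins
    return result

def _patch(*ops):
    return "PATCH", json.dumps({"schemas": [PATCH_SCHEMA], "Operations": list(ops)})

# Constructed sample requests (not captured from any real tenant).
SAMPLES = {
    "patch_with_path": _patch({"op": "Replace", "path": "active", "value": "False"}),
    "patch_no_path": _patch({"op": "replace", "value": {"active": False}}),
    "put_full": ("PUT", json.dumps(
        {"schemas": [USER_SCHEMA], "userName": "user@example.com", "active": False})),
    "rename_only": _patch({"op": "replace", "path": "displayName", "value": "A. User"}),
    "reactivate": _patch({"op": "replace", "path": "active", "value": True}),
}

if __name__ == "__main__":
    for name, (method, body) in SAMPLES.items():
        print(f"{name}: deactivation={sets_inactive(method, body)}")
```

A request that only changes other attributes, such as the `rename_only` sample, is not a deactivation, which points back to the IdP app's deprovisioning settings.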