Disabled Azure AD Users Imported as Active in InSync During Initial Provisioning

Summary

During the initial provisioning of users from Azure AD (Entra ID), Druva InSync imports user accounts that are already disabled in Azure AD as active. This results in unnecessary license consumption and extra administrative work.

Applies To

  • Druva InSync User Provisioning via Azure AD (Entra ID)

  • All versions that support Azure AD integration and user mapping

Issue / Problem Description

When users are provisioned from Azure AD using group mappings, Druva InSync imports all members of the mapped groups, including those who are disabled in Azure AD, as active. The initial import process does not check the user's enabled/disabled status. While subsequent status changes (e.g., disabling an account) are correctly synced, users that were already disabled before the initial sync remain active in Druva InSync. This is because the incremental sync, which uses delta tokens, only captures changes that happen after the initial import. Consequently, these disabled users unnecessarily consume licenses and are included in backup operations.

Cause

The root cause is a limitation in the initial user import and sync process. The system does not validate the enabled/disabled status of users at the time of the first import. The incremental sync relies on change events from Azure AD, which are not triggered for users whose status was already disabled prior to the initial connection.

Resolution / Workaround

Workaround Options:

  1. Pre-filter Users Before Import: Adjust your Azure AD group mappings to only include active, licensed users before starting the provisioning process.

  2. Manual Cleanup Post-Import: After the initial import is complete, manually identify and remove any disabled or non-licensed users directly within Druva InSync.

  3. Re-import with Correct Mapping: If the issue is widespread, you can delete all users from Druva InSync and then re-import them using a refined group mapping that excludes disabled accounts.
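The initial-import and delta-sync gap described above, together with the audit behind workarounds 1 and 2, modelled as an added Python example (this is not Druva's code). The Entra ID records are constructed samples using the Microsoft Graph user fields userPrincipalName and accountEnabled; the InSync-side record shape is an assumption.

```python
# Constructed sample: members of the mapped Entra ID group, as Microsoft
# Graph would return them (userPrincipalName and accountEnabled are Graph fields).
ENTRA_GROUP_MEMBERS = [
    {"userPrincipalName": "alice@example.com", "accountEnabled": True},
    {"userPrincipalName": "bob@example.com", "accountEnabled": False},  # disabled before first sync
    {"userPrincipalName": "carol@example.com", "accountEnabled": True},
]

# Constructed sample: change events the delta token returns after the initial
# import. Bob was disabled before the first sync, so no event exists for him.
DELTA_CHANGES = [
    {"userPrincipalName": "carol@example.com", "accountEnabled": False},
]


def initial_import(members, filter_disabled=False):
    """Initial provisioning. filter_disabled=False reproduces the reported
    behaviour: every group member becomes an active InSync user (the InSync
    record shape here is assumed). filter_disabled=True is workaround 1."""
    return {
        m["userPrincipalName"]: {"status": "active"}
        for m in members
        if not filter_disabled or m["accountEnabled"]
    }


def apply_delta(insync_users, changes):
    """Incremental sync: only change events after the initial import are applied."""
    for ch in changes:
        upn = ch["userPrincipalName"]
        if upn in insync_users:
            insync_users[upn]["status"] = "active" if ch["accountEnabled"] else "disabled"
    return insync_users


def audit_stale_active(insync_users, members):
    """Workaround 2: InSync users still active although disabled in Entra ID."""
    enabled = {m["userPrincipalName"]: m["accountEnabled"] for m in members}
    return sorted(
        upn for upn, rec in insync_users.items()
        if rec["status"] == "active" and enabled.get(upn) is False
    )


if __name__ == "__main__":
    users = apply_delta(initial_import(ENTRA_GROUP_MEMBERS), DELTA_CHANGES)
    print("stale active users:", audit_stale_active(users, ENTRA_GROUP_MEMBERS))
    print("pre-filtered import:", sorted(initial_import(ENTRA_GROUP_MEMBERS, True)))
```

Running the unfiltered path shows bob still active after the delta sync while carol's later disablement was picked up; the pre-filtered import never creates bob at all.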

Additional Notes

  • This behavior can lead to increased license costs and administrative inefficiencies.

  • Organizations with frequent user status changes should regularly audit their user list in druva InSync to ensure it remains in sync with Azure AD.

  • A feature enhancement request can be submitted to support for an automated filter that would exclude disabled users during the initial provisioning process.
