Azure Entra ID SCIM User Deprovisioning

Last updated: April 13, 2026

Problem

When users are removed from SCIM groups in Azure Entra ID, they lose their workspace and role assignments but remain as "Active" members in the LangSmith organization. Admins expect full deprovisioning but get partial removal — users linger in the org members list with no workspace.

This is expected behavior for group removal. The actual fix for full deprovisioning is to deactivate or delete the user in the IdP, not just remove them from groups.

Fix: Add deprovisioning behavior section

SCIM deprovisioning behavior

| Action in IdP | Effect in LangSmith |
| --- | --- |
| Remove user from a SCIM group | Workspace and role removed. User stays active in org. |
| Unassign user from the application | User marked disabled. Loses all access. |
| Deactivate (soft-delete) user in IdP | User marked disabled in LangSmith. |
| Hard-delete user in IdP | User fully removed from LangSmith org. |

Removing a user from a SCIM group only affects their workspace membership. It does **not** disable or delete the user from the organization. To fully revoke access, deactivate or delete the user in your IdP, or unassign them from the LangSmith application.

To fully deprovision a user

  1. Remove the user from all LangSmith SCIM groups in your IdP (removes workspace/role assignments).

  2. Unassign the user from the LangSmith application in your IdP, or deactivate/delete them in the IdP (disables or removes them from the org).

  3. Wait for the next provisioning cycle (~40 min for Azure Entra ID), or trigger on-demand sync.

  4. Verify in LangSmith Settings > Organization members.

Required config for deactivation

Ensure active is mapped to Not([IsSoftDeleted]) in User Attribute Mappings. Without this, deactivation PATCH requests won't be processed.

Ensure Target Object Actions includes Update (for deactivation) and Delete (for hard-deletion), not just Create.
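When reviewing provisioning logs, it helps to know which row of the table above a given SCIM request corresponds to. The following is an added example, not LangSmith or Microsoft code: it classifies SCIM 2.0 requests (RFC 7644 shapes) by the effect the table lists. The helper name, endpoint paths, IDs and sample requests are constructed for illustration.

```python
import re

# Expected effects, quoted from the table on this page.
GROUP_REMOVAL = "Workspace and role removed. User stays active in org."
DISABLED = "User marked disabled in LangSmith."
HARD_DELETE = "User fully removed from LangSmith org."
NOT_IN_TABLE = "Not a deprovisioning request covered by the table."

# Constructed sample requests (paths and IDs are made up).
SAMPLES = [
    ("PATCH", "/scim/v2/Groups/g-1",
     {"Operations": [{"op": "Remove", "path": "members", "value": [{"value": "u-1"}]}]}),
    ("PATCH", "/scim/v2/Users/u-1",
     {"Operations": [{"op": "Replace", "path": "active", "value": "False"}]}),
    ("DELETE", "/scim/v2/Users/u-1", None),
]

def _is_false(value):
    """True for boolean false or the string 'False' (IdPs serialize it either way)."""
    return value is False or (isinstance(value, str) and value.strip().lower() == "false")

def classify_scim_request(method, path, body=None):
    """Map one SCIM request to the effect listed in the table (hypothetical helper)."""
    method = method.upper()
    kind = next((p for p in path.strip("/").split("/") if p in ("Users", "Groups")), None)
    if method == "DELETE" and kind == "Users":
        return HARD_DELETE
    if method != "PATCH" or not body:
        return NOT_IN_TABLE
    for op in body.get("Operations", []):
        name = str(op.get("op", "")).lower()   # compare op names case-insensitively
        target = str(op.get("path", ""))
        value = op.get("value")
        if kind == "Users" and name in ("replace", "add"):
            # Deactivation: path="active" with a scalar, or no path and an attribute dict.
            if target.lower() == "active" and _is_false(value):
                return DISABLED
            if not target and isinstance(value, dict) and _is_false(value.get("active")):
                return DISABLED
        # Group removal only touches membership; the user account stays active.
        if kind == "Groups" and name == "remove" and re.match(r"members\b", target, re.I):
            return GROUP_REMOVAL
    return NOT_IN_TABLE

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(f"{method:6} {path:22} -> {classify_scim_request(method, path, body)}")
```

If the provisioning logs for a departed user show only the group-membership request and never a deactivation or delete, the user is still an active org member.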