Description
Environment
SaaS (https://sentry.io/)
Steps to Reproduce
- Integrate SSO with Azure in Sentry
- Configure SCIM provisioning
- Add users to an Azure group and provision them to Sentry.
- The user gets invited to Sentry and added to the correct team.
- Remove the user from the group without the user having an Azure identity linked to the Sentry user.
Expected Result
The user is removed from the team and from Sentry (if not a member of any other group assigned to Sentry in Azure) as per the documentation:
As a result of these changes, users who are assigned will be sent an invitation email. When a user is un-assigned, their membership object in Sentry will be deleted.
Actual Result
The user remains unchanged in Sentry.
This seems to happen when a user is a Member of the organisation but has no Azure identity linked. The SCIM provisioning settings are set to delete users in Sentry. It is confirmed that the user is not assigned to a provisioned group (screenshot below).
The team settings in Sentry show the user's membership as controlled by SCIM; it is not possible to manually remove the user from the team, it can only be done via SCIM.
Information on the affected user and organisation is available in the internal ticket: https://sentry.zendesk.com/agent/tickets/145754
Relevant screenshots:

Product Area
Settings - Auth
Link
No response
DSN
No response
Version
No response
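A reconciliation check for the condition reported above, as an added example that is not part of the original issue or Sentry's code: it compares SCIM `ListResponse` pages (RFC 7644) exported from the service provider with the set of users the IdP currently assigns, and lists active members who should have been deprovisioned. The function names, sample payloads and e-mail addresses are constructed for illustration.

```python
# Added example: reconcile SCIM-provisioned members against current IdP assignments.
# All identifiers and sample payloads below are constructed for illustration.

def collect_resources(pages):
    """Flatten paginated SCIM ListResponse pages (RFC 7644, section 3.4.2)."""
    return [res for page in pages for res in page.get("Resources", [])]

def find_stale_members(user_pages, group_pages, idp_assigned):
    """Return active members the service provider still holds although the
    IdP no longer assigns them, with the SCIM-managed groups they remain in."""
    # E-mail comparison is case-insensitive; IdP and SP often differ in casing.
    assigned = {addr.strip().lower() for addr in idp_assigned}
    # Map each SCIM user id to the display names of the groups that list it.
    groups_by_user = {}
    for group in collect_resources(group_pages):
        for member in group.get("members", []):
            groups_by_user.setdefault(member["value"], []).append(group["displayName"])
    stale = []
    for user in collect_resources(user_pages):
        email = user["userName"].strip().lower()
        # A missing "active" attribute is treated as active (still has access).
        if user.get("active", True) and email not in assigned:
            stale.append({
                "id": user["id"],
                "userName": email,
                "teams": sorted(groups_by_user.get(user["id"], [])),
            })
    return sorted(stale, key=lambda row: row["userName"])

# Constructed sample: two pages of users, one page of groups.
SAMPLE_USER_PAGES = [
    {"totalResults": 3, "startIndex": 1, "itemsPerPage": 2, "Resources": [
        {"id": "101", "userName": "alice@example.com", "active": True},
        {"id": "102", "userName": "Bob@Example.com", "active": True}]},
    {"totalResults": 3, "startIndex": 3, "itemsPerPage": 2, "Resources": [
        {"id": "103", "userName": "carol@example.com", "active": False}]},
]
SAMPLE_GROUP_PAGES = [
    {"totalResults": 2, "startIndex": 1, "itemsPerPage": 2, "Resources": [
        {"id": "g1", "displayName": "backend",
         "members": [{"value": "101"}, {"value": "102"}]},
        {"id": "g2", "displayName": "frontend", "members": [{"value": "101"}]}]},
]
SAMPLE_IDP_ASSIGNED = {"Alice@example.com"}  # users still assigned in the IdP

if __name__ == "__main__":
    for row in find_stale_members(SAMPLE_USER_PAGES, SAMPLE_GROUP_PAGES, SAMPLE_IDP_ASSIGNED):
        print(row)
```

Run on a schedule, a non-empty result identifies accounts whose access outlived their IdP assignment and need manual review.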