Why does OIM provision assignments on AADGroup.OnPremisesSyncEnabled = true?

I've just seen the following behavior:

I have set a person to isInActive, so it loses all the assigned groups on AD and AAD accounts.

On the AAD Account there are some cloud only groups and some hybrid groups (coming from on prem AD) assigned.

So, it makes sense, that the cloud only groups are removed from the AAD account.

But the hybrid groups (AADGroup.OnPremisesSyncEnabled = true) are managed via on-prem AD and AAD Connect. So there shouldn't be any provisioning directly to AAD.

Now I'm wondering how I should handle this situation.

- Should I prevent that AADUserInGroup could be deleted at all, if it is not the "Synchronization" User performing that action?

- Should I do some special SyncProject configuration? (having a schema on the OIM side that excludes those hybrid groups, ...)

- Any other approach?

I consider this problem a quite common one, and I'm surprised that OIM is trying to maintain members for hybrid groups at all, since this would never be successful.
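The distinction the post relies on, as an added example that is not part of the original post or of One Identity Manager: given the objects Microsoft Graph returns for a user's `memberOf`, split the memberships a deprovisioning run should remove into those that can be removed in Azure AD directly and those mastered in on-prem AD, where AAD Connect has to carry the removal. The sample objects are constructed; the assumed Graph semantics are `onPremisesSyncEnabled` = true (still synced), false (synced once, no longer) and null (never synced).

```python
# Added example (not from the post or One Identity Manager). Decide where each
# group membership removal has to happen during deprovisioning. Sample data
# below is constructed to look like a trimmed GET /users/{id}/memberOf result.
from dataclasses import dataclass, field

SAMPLE_MEMBER_OF = [  # constructed sample, not real tenant data
    {"@odata.type": "#microsoft.graph.group", "id": "g-cloud-1",
     "displayName": "Cloud Only App Users", "onPremisesSyncEnabled": None},
    {"@odata.type": "#microsoft.graph.group", "id": "g-hybrid-1",
     "displayName": "DL-Finance", "onPremisesSyncEnabled": True},
    {"@odata.type": "#microsoft.graph.group", "id": "g-former-1",
     "displayName": "Was-Synced-Once", "onPremisesSyncEnabled": False},
    {"@odata.type": "#microsoft.graph.directoryRole", "id": "r-1",
     "displayName": "Global Reader"},
]


@dataclass
class RemovalPlan:
    remove_in_aad: list = field(default_factory=list)        # cloud-mastered
    remove_in_onprem_ad: list = field(default_factory=list)  # on-prem mastered
    skipped: list = field(default_factory=list)              # not a group


def plan_group_removals(member_of):
    """Partition a memberOf result by the system that masters the membership.

    onPremisesSyncEnabled: True  -> still synced from on-prem AD; a direct
                                    Azure AD write would be rejected or be
                                    re-applied by AAD Connect, so remove the
                                    member in on-prem AD instead.
                           False -> was synced once, no longer is; Azure AD
                                    now accepts the change.
                           None  -> never synced (cloud only).
    """
    plan = RemovalPlan()
    for obj in member_of:
        # memberOf also returns directory roles, administrative units etc.
        if obj.get("@odata.type") != "#microsoft.graph.group":
            plan.skipped.append(obj["id"])
            continue
        if obj.get("onPremisesSyncEnabled") is True:
            plan.remove_in_onprem_ad.append(obj["id"])
        else:
            plan.remove_in_aad.append(obj["id"])
    return plan
```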

  • Hi Rodney,

    The insert/remove to those tables will still happen. What I have described simply inhibits the provisioning.

    Cheers, B.

  • Okay, in that case we still need VPR#34448 (I have no access to see what it entails), which I hope will make sure that:

    • Block these actions in the UI.
    • Process-wise, block editing of objects that are synced from the on-premises AD.
    • Block editing actions on Azure AD objects that are solely managed by Azure AD, like dynamic membership groups etc.
    • Make sure that the relevant tables (AADUser, AADGroup, AADUserInGroup) are consistent and do not need a target system synchronization to get to a consistent state.

    This issue has existed for years without publicly visible progress; I will keep on playing DJ and clicking "end with error" in the job queue info tool.