Understanding the Impact of Azure AD Soft Deletion on Group Synchronization with WorkOS

Challenges related to user management and group synchronization

Updated this week

Introduction

Occasionally, organizations encounter problems with group synchronization after a user account has been deleted or deactivated in Azure Active Directory (Entra ID).
These issues are often caused by soft deletion, a built-in Azure AD feature that temporarily retains deleted accounts.

This article explains what soft deletion is, how it affects synchronization with WorkOS, and what steps to take to restore affected users and their group memberships.


What Is Soft Deletion in Azure AD?

When a user is deleted in Azure AD, the account is not immediately removed. Instead, it enters a soft-deleted state for a limited retention period (typically 30 days).

During this time:

  • The account is marked as inactive but still exists in the directory.

  • Administrators can restore the account if it was deleted by mistake.

  • If no action is taken after the retention period, the account is permanently deleted.

This mechanism helps protect against accidental data loss but can have side effects when syncing data with external systems.


How Soft Deletion Affects Group Synchronization

When an account is soft-deleted, it is treated as inactive and is excluded from synchronization with external applications — including WorkOS and other SCIM-integrated systems.

As a result:

  • The user no longer appears in synchronization payloads.

  • Their group memberships are dropped or appear missing in connected apps.

  • Even if the account is later reactivated, WorkOS will not automatically restore their previous groups unless a full re-provisioning occurs.


Why This Happens

This behavior is by design. Synchronization tools (such as WorkOS) rely on Microsoft Graph API responses, which exclude inactive or soft-deleted users.
The intention is to prevent outdated or invalid data from being reintroduced into connected systems.

Because of this, a restored user’s memberships remain out of sync until a full provisioning reset is triggered.


Is This a Microsoft Limitation?

Yes. The exclusion of soft-deleted users from synchronization is a native Azure AD (Entra ID) behavior.
Soft deletion is built for recovery and safety — not continuous synchronization.
As long as an account is soft-deleted or in an inactive state, it will not be included in Graph API responses or SCIM provisioning updates.


How to Resolve Synchronization Issues

If you notice that a restored user’s group memberships are missing in WorkOS or another connected system, follow one of these resolution paths:

1. Restore the User Account

If the account still exists in the soft-deleted state:

  • Restore it directly from Azure AD (Entra ID → Deleted users → Restore user).

  • Once restored, restart provisioning for the WorkOS SCIM app in Azure to re-sync the account and its groups.

2. Restart SCIM Provisioning (Recommended for WorkOS)

If the account has already been restored in Azure but remains inactive in WorkOS:

  • Go to Entra ID → Enterprise Applications → WorkOS (SCIM app).

  • Select Provisioning.

  • Click Restart provisioning to trigger a full sync.
    This forces Azure to re-send all user and group data, including previously inactive users.

3. Permanently Delete and Recreate the Account

If the account is no longer needed or cannot be restored:

  • Permanently delete it from Azure AD.

  • If necessary, recreate the user with the same details.
    This ensures a clean synchronization on the next provisioning cycle.


Key Takeaways

  • Soft deletion temporarily disables synchronization for deleted users.

  • Restoring or recreating the account alone does not automatically re-add users to their groups in WorkOS.

  • Restarting provisioning in the Azure SCIM app reactivates the account and refreshes memberships.

  • This is expected behavior in Azure AD and WorkOS — not a system error.


For Further Assistance

If you continue to experience issues with user or group synchronization, contact your Azure AD administrator or WorkOS Support.
Proper handling of soft-deleted users and regular provisioning reviews help ensure consistent, reliable group synchronization across your integrated systems.
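As an added example (not WorkOS's or Microsoft's code), the following script performs the kind of provisioning review mentioned above over constructed directory-side and SCIM-side snapshots, flagging the three states this article describes: soft-deleted accounts approaching permanent deletion, accounts restored in Entra ID but still inactive in the connected app, and restored accounts whose group memberships have drifted. The DirectoryUser and ScimUser shapes, the sample users and the NOW timestamp are assumptions; a real review would populate them from Microsoft Graph and the connected app's API.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

SOFT_DELETE_RETENTION = timedelta(days=30)  # retention window the article cites

@dataclass
class DirectoryUser:  # directory-side view (constructed, not fetched from Graph)
    id: str
    upn: str
    groups: frozenset
    deleted_at: "datetime | None" = None  # set while the account is soft-deleted

@dataclass
class ScimUser:  # what the SCIM-connected app (e.g. WorkOS) holds for that user
    external_id: str
    active: bool
    groups: frozenset

def review_provisioning(directory, scim, now):
    """Flag the drift states the article describes; returns (upn, state, detail) tuples."""
    scim_by_id = {u.external_id: u for u in scim}
    findings = []
    for du in directory:
        su = scim_by_id.get(du.id)
        if du.deleted_at is not None:
            # Soft-deleted accounts are excluded from sync; warn before the window closes.
            days_left = (du.deleted_at + SOFT_DELETE_RETENTION - now).days
            findings.append((du.upn, "soft_deleted", f"permanent deletion in {days_left} days"))
        elif su is not None and not su.active:
            # Restored in the directory but still inactive in the app: restart provisioning.
            findings.append((du.upn, "stale_inactive", "restart SCIM provisioning to re-sync"))
        elif su is not None and du.groups != su.groups:
            missing, extra = sorted(du.groups - su.groups), sorted(su.groups - du.groups)
            findings.append((du.upn, "group_drift", f"missing={missing} extra={extra}"))
    return findings

# Constructed sample data covering each state.
NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)
DIRECTORY = [
    DirectoryUser("u1", "alice@example.test", frozenset({"eng", "oncall"})),
    DirectoryUser("u2", "bob@example.test", frozenset({"eng"}), NOW - timedelta(days=25)),
    DirectoryUser("u3", "carol@example.test", frozenset({"eng", "sec"})),
]
SCIM = [
    ScimUser("u1", True, frozenset({"eng"})),  # restored, but only one group re-added
    ScimUser("u2", False, frozenset()),        # deprovisioned when soft-deleted
    ScimUser("u3", False, frozenset()),        # restored in Entra ID, still inactive here
]
```

Run `review_provisioning(DIRECTORY, SCIM, NOW)` to list the findings; an empty list means the app's view matches the directory.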