Microsoft Entra · Arazzo Workflow

Microsoft Entra Deprovision User

Version 1.0.0

Disable a user account, then delete the user from the directory.

1 workflow · 1 source API · 1 provider

Tags: Access Management, Authentication, Azure AD, Entra, Identity, Identity Governance, Microsoft, Network Security, Security, Zero Trust, Arazzo, Workflows

Provider

microsoft-entra

Workflows

deprovision-user
Disable a user account then delete it (soft-delete to deletedItems).
Sets accountEnabled to false to block sign-in, then deletes the user object, moving it to the recoverable deletedItems container.
2 steps · inputs: accessToken, userId · outputs: deleteStatus, disableStatus

1. disableUser (operation: updateUser)
   Disable the account by setting accountEnabled to false. Returns 204 with no body.
2. deleteUser (operation: deleteUser)
   Delete the user object, moving it to the deletedItems container for possible restore within 30 days.

Source API Descriptions

Arazzo Workflow Specification

microsoft-entra-deprovision-user-workflow.yml
arazzo: 1.0.1
info:
  title: Microsoft Entra Deprovision User
  summary: Disable a user account, then delete the user from the directory.
  description: >-
    Safely deprovisions a user in Microsoft Entra ID by first patching the
    account to set accountEnabled to false (immediately blocking sign-in) and
    then deleting the user object, which moves it to the deletedItems container
    where it can be restored within 30 days. Disabling before deleting ensures
    access is revoked even if the delete is delayed. Every request is inlined so
    the chain reads end to end.
  version: 1.0.0
sourceDescriptions:
- name: graphIdentityApi
  url: ../openapi/microsoft-entra-graph-identity-openapi.yml
  type: openapi
workflows:
- workflowId: deprovision-user
  summary: Disable a user account then delete it (soft-delete to deletedItems).
  description: >-
    Sets accountEnabled to false to block sign-in, then deletes the user
    object, moving it to the recoverable deletedItems container.
  inputs:
    type: object
    required:
    - accessToken
    - userId
    properties:
      accessToken:
        type: string
        description: OAuth 2.0 bearer token with User.ReadWrite.All.
      userId:
        type: string
        description: Object id or userPrincipalName of the user to deprovision.
  steps:
  - stepId: disableUser
    description: >-
      Disable the account by setting accountEnabled to false. Returns 204 with
      no body.
    operationId: updateUser
    parameters:
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    - name: user-id
      in: path
      value: $inputs.userId
    requestBody:
      contentType: application/json
      payload:
        accountEnabled: false
    successCriteria:
    - condition: $statusCode == 204
    outputs:
      disableStatus: $statusCode
  - stepId: deleteUser
    description: >-
      Delete the user object, moving it to the deletedItems container for
      possible restore within 30 days.
    operationId: deleteUser
    parameters:
    - name: Authorization
      in: header
      value: "Bearer $inputs.accessToken"
    - name: user-id
      in: path
      value: $inputs.userId
    successCriteria:
    - condition: $statusCode == 204
    outputs:
      deleteStatus: $statusCode
  outputs:
    disableStatus: $steps.disableUser.outputs.disableStatus
    deleteStatus: $steps.deleteUser.outputs.deleteStatus
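The workflow above can be exercised without an Arazzo runner. The Python client below is an added example (not part of this spec, the provider's repository, or Microsoft's SDKs) that performs the same two calls against the Microsoft Graph v1.0 endpoints PATCH /users/{id} and DELETE /users/{id}, and, like the spec's successCriteria, only proceeds to the delete when the disable returned 204. The `FakeGraph` transport, the `contoso.example` users and the token value are constructed stand-ins so the block runs offline; `urllib_transport` is the drop-in for a live tenant.

```python
"""Two-step Entra deprovisioning: disable (accountEnabled=false), then soft-delete.

Added example mirroring the Arazzo workflow; not the spec's or Microsoft's code.
Assumes Graph v1.0 PATCH /users/{id} and DELETE /users/{id}, both answering 204.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

GRAPH_BASE = "https://graph.microsoft.com/v1.0"

# A transport takes (method, url, headers, body) and returns (status code, body bytes).
Transport = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]


def urllib_transport(method: str, url: str, headers: Dict[str, str],
                     body: Optional[bytes]) -> Tuple[int, bytes]:
    """Live transport over the standard library, for use against a real tenant."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


@dataclass
class DeprovisionResult:
    user_id: str
    disable_status: Optional[int] = None
    delete_status: Optional[int] = None  # None: the delete was never attempted

    @property
    def succeeded(self) -> bool:
        return self.disable_status == 204 and self.delete_status == 204


def deprovision_user(access_token: str, user_id: str, transport: Transport) -> DeprovisionResult:
    """Disable first; delete only if the disable succeeded, as the workflow's successCriteria require."""
    headers = {"Authorization": f"Bearer {access_token}", "Content-Type": "application/json"}
    url = f"{GRAPH_BASE}/users/{urllib.parse.quote(user_id, safe='@')}"
    result = DeprovisionResult(user_id=user_id)

    # Step 1 (disableUser): block sign-in immediately.
    status, _ = transport("PATCH", url, headers, json.dumps({"accountEnabled": False}).encode())
    result.disable_status = status
    if status != 204:
        return result  # stop here: the account may still be able to sign in

    # Step 2 (deleteUser): soft-delete into deletedItems, restorable within 30 days.
    status, _ = transport("DELETE", url, headers, None)
    result.delete_status = status
    return result


class FakeGraph:
    """Constructed in-memory stand-in for the two Graph endpoints so the example runs offline."""

    def __init__(self, users: Dict[str, Dict[str, bool]], token: str = "constructed-token") -> None:
        self.users = {uid: dict(attrs) for uid, attrs in users.items()}
        self.deleted_items: Dict[str, Dict[str, bool]] = {}
        self.token = token
        self.calls: List[str] = []  # methods seen, in order

    def __call__(self, method: str, url: str, headers: Dict[str, str],
                 body: Optional[bytes]) -> Tuple[int, bytes]:
        self.calls.append(method)
        if headers.get("Authorization") != f"Bearer {self.token}":
            return 401, b'{"error":{"code":"InvalidAuthenticationToken"}}'
        user_id = urllib.parse.unquote(url.rsplit("/", 1)[-1])
        user = self.users.get(user_id)
        if user is None:
            return 404, b'{"error":{"code":"Request_ResourceNotFound"}}'
        if method == "PATCH":
            user.update(json.loads(body))
            return 204, b""
        if method == "DELETE":
            self.deleted_items[user_id] = self.users.pop(user_id)
            return 204, b""
        return 405, b""


if __name__ == "__main__":
    graph = FakeGraph({"alice@contoso.example": {"accountEnabled": True}})
    print(deprovision_user("constructed-token", "alice@contoso.example", graph))
    print("deletedItems:", graph.deleted_items)
```

Because the delete is skipped whenever the disable does not return 204, a rejected token, an unknown user id, or a transient error leaves the workflow at the first step with `delete_status` still `None`, which is the same outcome an Arazzo runner produces when a step's successCriteria are not met and no onFailure action is declared.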