To add, edit, or delete provisioned users, you make the changes in your identity provider, and the provisioning app automatically pushes the updates to VMware Identity Services. How long it takes for the updates to appear depends on the provisioning interval of the provisioning app.
Some identity providers have a provision on demand option that lets you push users immediately. For example, in Azure AD you can use the Provision on demand option on the Provisioning page.
Add a New User
- In your identity provider, create a new user.
- In the user profile, add values for all the user attributes required by VMware Identity Services and Workspace ONE services.
See User Attribute Mapping for VMware Identity Services for the list of required attributes.
- Add the user to the provisioning app that provisions users and groups to VMware Identity Services.
The provisioning app pushes the new user to VMware Identity Services after the provisioning interval. If you want to push the user immediately, use the provision on demand option in the identity provider.
Edit a User
To edit a user, update the user profile in your identity provider. The provisioning app pushes updates to VMware Identity Services after the provisioning interval.
- VMware Identity Services does not support updating a user's externalId value after the user is provisioned. To update a user's externalId value, you must delete and reprovision the user from the identity provider.
- In Azure AD, when you delete a user or group attribute value that was already synced to VMware Identity Services, the value is not deleted in VMware Identity Services and Workspace ONE services. Azure AD does not propagate null values.
As a workaround, instead of clearing the value completely, enter a space character.
- If you update attribute mappings in the identity provider after users have been provisioned, restart provisioning. In Azure AD, the Restart provisioning option appears on the page.
Delete a User
To delete a user, delete the user in the identity provider. The provisioning app pushes updates to VMware Identity Services after the provisioning interval.
Depending on how the identity provider handles deleted users, VMware Identity Services either deletes or deactivates the user.
- If the identity provider deletes the user immediately, the user is deleted in VMware Identity Services and Workspace ONE services.
- If the identity provider suspends the user account for a period of time before deleting the user, the user is deactivated in VMware Identity Services and Workspace ONE services. After that period of time, when the identity provider deletes the user, the user is deleted in VMware Identity Services and Workspace ONE services too.
Important: For Azure AD, see "How Azure AD Users Are Deleted."
After deleting or deactivating a user in the identity provider, if you need to delete or deactivate the user in Workspace ONE immediately, you can do so from the VMware Identity Services directory page.
- In the Workspace ONE console, select .
- Click View on the provisioned directory card.
- Select the Users tab.
- Select the user to delete or deactivate and click Delete or Deactivate.
How Azure AD Users Are Deleted
After you delete a user in Azure AD, the account remains in a suspended state for 30 days. During that 30-day window, the user account can be restored, along with all its properties. Suspended users are deactivated in Workspace ONE services, including Workspace ONE UEM and Workspace ONE Access.
In Azure AD, the user names of the suspended users are modified, and those changes are reflected in Workspace ONE services too.
In Workspace ONE UEM, the Default Action for Inactive Users setting determines how inactive user accounts are handled. You can select one of the following options for inactive users:
- Restrict Additional Device Enrollment
- Enterprise Wipe Currently Enrolled Devices

When the 30-day suspended state in Azure AD ends, VMware Identity Services attempts to delete the user.
- If a device is still associated with the user, Workspace ONE UEM displays the following API error: Device is associated with the user.
- If the user's devices were enterprise wiped, the user is deleted.
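The edit and delete behaviors described above leave three conditions worth auditing: a user suspended in the identity provider who is still active downstream, a cleared attribute that was never propagated, and a final delete that will fail because a device is still associated. The following is an added example, not VMware code; it assumes you have exported user records from both sides yourself, and every field name and sample record in it is hypothetical.

```python
# Constructed sample records; every field name here is a hypothetical export format.
IDP = [
    {"externalId": "a1", "soft_deleted": False, "attributes": {"department": "Finance"}},
    {"externalId": "b2", "soft_deleted": True, "attributes": {}},
    {"externalId": "c3", "soft_deleted": True, "attributes": {}},
    {"externalId": "d4", "soft_deleted": False, "attributes": {"department": None}},
]
DIRECTORY = [
    {"externalId": "a1", "active": True, "devices": 1, "attributes": {"department": "Finance"}},
    {"externalId": "b2", "active": True, "devices": 0, "attributes": {}},
    {"externalId": "c3", "active": False, "devices": 2, "attributes": {}},
    {"externalId": "d4", "active": True, "devices": 1, "attributes": {"department": "Payroll"}},
    {"externalId": "e5", "active": True, "devices": 0, "attributes": {}},
]


def audit(idp_users, directory_users):
    """Return sorted (externalId, finding) tuples for downstream records that drifted."""
    idp = {u["externalId"]: u for u in idp_users}
    findings = []
    for d in directory_users:
        ext = d["externalId"]
        src = idp.get(ext)
        if src is None:
            # Hard-deleted upstream, or externalId changed (needs delete and reprovision).
            findings.append((ext, "orphan: no IdP user with this externalId"))
            continue
        if src["soft_deleted"]:
            if d["active"]:
                # Suspended upstream but the deactivation has not arrived yet.
                findings.append((ext, "soft-deleted in IdP but still active downstream"))
            if d["devices"] > 0:
                # The delete attempted after the suspension period will be rejected.
                findings.append((ext, "final delete will fail: device still associated"))
        for name, value in d["attributes"].items():
            # Null values are not propagated, so a cleared attribute stays set downstream.
            # A space-only value (the documented workaround) counts as cleared.
            if src["attributes"].get(name) is None and (value or "").strip():
                findings.append((ext, f"stale attribute: {name}"))
    return sorted(findings)


if __name__ == "__main__":
    for ext, finding in audit(IDP, DIRECTORY):
        print(ext, finding)
```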