Issue with Okta Sending Deactivated Users in Group PUT Call to SCIM Server

We are encountering an issue with Okta’s SCIM integration related to group synchronization. Here’s the scenario:

  1. When a user is deactivated in Okta, it correctly sends a SCIM PUT request to our SCIM server with “active”: false.
  2. Our SCIM implementation handles this by removing the user’s group memberships and deactivating their access.
  3. However, in subsequent PUT requests for group updates, Okta continues to include this deactivated (and effectively deleted) user in the group membership list.
  4. Since the user ID no longer exists in our system (as it was removed on deactivation), our SCIM service returns a 400 Bad Request, causing the group sync to fail.

Question:

Is this the expected behavior from Okta—to continue sending deactivated users in group membership during group PUT calls? If so, how should SCIM services handle such cases where the user referenced in the group no longer exists in the system? Is there a recommended approach to prevent group sync failures in this scenario?

Thanks

Hello, can I get any update on this please?

Can you check to see if you are using the same group for user assignment as you do for Group Push? If so, you will want to modify this per the documentation here: Troubleshooting Group Push | Okta Identity Engine