I am using Keycloak with Entra ID / Azure AD as an identity provider. I've linked Entra ID via OpenID Connect. The setup automatically syncs accounts on their first login, which is functioning well. However, I'm facing a challenge with cleaning up users who no longer exist in Entra ID / Azure AD. Currently, from what I can see, there is no automated mechanism within Keycloak to clean up non-existing users.
I’m looking for a way that allows for periodic synchronization between Keycloak and Azure AD, where Keycloak would check if the users, previously synced from Entra ID, still exist there. The goal is to ensure my Keycloak instance remains up-to-date and free of stale accounts.
What would be the best approach to achieve this? Has anyone implemented a similar solution, possibly through a custom Keycloak SPI or another method? Or should this be done differently?
So after some research we've created our own microservice that basically runs a daily job that checks if all users still exist in Entra ID. This allowed us to stay away from external dependencies in the form of plugins.
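As an added illustration (not the poster's microservice, whose code is not shown), here is the core decision step of such a daily job in Python: it walks Keycloak users with their federated-identity links and a lookup callback, and plans which accounts to disable rather than acting directly. Assumed names: the IdP alias `entra-id`, `KcUser`, `Plan`, `plan_cleanup`; the callback is expected to wrap Microsoft Graph `GET /v1.0/users/{id}` (404 meaning the user is gone), and the Keycloak admin REST calls to list users and disable them are left to the caller.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Assumed values (not from the post): the IdP alias configured in Keycloak for
# Entra ID, and the largest share of linked users one run may disable.
ENTRA_IDP_ALIAS = "entra-id"
MAX_DISABLE_RATIO = 0.10


@dataclass(frozen=True)
class KcUser:
    """Minimal view of a Keycloak user plus its federated identities
    ({idp_alias: external_user_id}) as the admin REST API returns them."""
    id: str
    username: str
    enabled: bool
    federated: dict


@dataclass(frozen=True)
class Plan:
    disable: tuple        # Keycloak user ids confirmed missing in Entra ID
    unknown: tuple        # ids whose state could not be determined this run
    skipped: tuple        # not linked to the Entra IdP, or already disabled
    aborted: bool = False  # True when the run looks like an outage, not offboarding


def plan_cleanup(users: Iterable[KcUser],
                 entra_exists: Callable[[str], Optional[bool]],
                 idp_alias: str = ENTRA_IDP_ALIAS,
                 max_ratio: float = MAX_DISABLE_RATIO) -> Plan:
    """Decide which Keycloak users to disable.

    entra_exists(object_id) returns True (found), False (Graph answered 404)
    or None (throttling, expired token, network error). Only a definite False
    leads to disabling; None is reported for the next run, never acted on.
    """
    disable, unknown, skipped, linked = [], [], [], 0
    for u in users:
        oid = u.federated.get(idp_alias)
        if oid is None or not u.enabled:
            skipped.append(u.id)
            continue
        linked += 1
        state = entra_exists(oid)
        if state is False:
            disable.append(u.id)
        elif state is None:
            unknown.append(u.id)
    # Circuit breaker: a misconfigured token or a Graph incident must not
    # mass-disable the realm; above the threshold an operator reviews the plan.
    aborted = linked > 0 and len(disable) / linked > max_ratio
    return Plan(tuple(disable), tuple(unknown), tuple(skipped), aborted)
```

Disabling instead of deleting keeps the user's sessions revocable and the account recoverable if the lookup was wrong; a separate, later step can delete accounts that stayed disabled for a retention period.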