This article provides an overview of how actions taken in the identity provider are reflected in DeepL, as well as the rules for provisioning for existing resources when SCIM user provisioning is enabled for your team. For more information on SCIM user provisioning, see this article.
Operations in identity provider
IT admin adds a user to the DeepL enterprise application.
API call
- SCIM POST /Users/
- SCIM POST /Groups/
Reflection in DeepL
- User is provisioned
- Group is provisioned (if it doesn’t exist)
IT admin unassigns the user from one of the groups assigned to the DeepL application, but the user is still a member of another group that grants access to DeepL.
API call
- SCIM PATCH /Groups/{i} updating the “members” attribute
Reflection in DeepL
- Account is removed from the specified group
- User loses access to that subscription or product
IT admin unassigns the user from a group that has access to DeepL and this user doesn’t have access to the DeepL SSO application at all.
API call
- SCIM PATCH /Groups/{i} updating the “members” attribute.
- SCIM PATCH request to /Users/{id} endpoint, updating the user’s “active” attribute to “False”.
Reflection in DeepL
- Account is disabled and there is no license assigned to that user
- User is displayed as License unassigned
- User remains in the DeepL default group to ensure that the user is still part of the organization
IT admin deletes a user account from Entra ID when an employee leaves the company.
API call
- SCIM PATCH request to /Users/{id} updating the “active” attribute to “False” and the “userName” attribute to Guid+email
Reflection in DeepL
- User account is completely deleted
IT admin disables the user’s account in Entra ID.
API call
- SCIM PATCH request to /Users/{id} endpoint, updating the user’s “active” attribute.
Reflection in DeepL
- Account is disabled (the user will not have a license)
- User will be displayed as License unassigned
- User remains in the DeepL default group to ensure that the user is still part of the organization
IT admin deletes one of the groups assigned to the DeepL application.
API call
- SCIM PATCH requests for every member to remove group membership
- DELETE request to remove the group
Reflection in DeepL
- Group is deleted and disappears from the DeepL admin account
- User’s group memberships are updated
IT admin unassigns one of the groups assigned to the DeepL application, but the users are still members of another group that has access to DeepL.
API call
- SCIM patch request for every member to remove the group membership
- SCIM DELETE request to delete that group
Reflection in DeepL
- Group is deleted and disappears from the DeepL admin account
- User’s group memberships are updated
IT admin unassigns one of the groups from the DeepL application and users don't have access to the SSO application.
API call
- SCIM PATCH /Groups/{i} updating the “members” attribute
- SCIM DELETE request to delete that group
- SCIM PATCH request to /Users/{id} endpoint, updating the user’s “active” attribute to “False”
Reflection in DeepL
- Group is deleted and disappears from the DeepL admin account
- Account is disabled and there is no license assigned to that user
- User is removed from the groups in the DeepL admin account
- User remains in the DeepL default group to ensure that the user is still part of the organization
Provisioning rules for existing resources
If a provisioned user already exists in Entra ID.
The user is updated and is managed via SCIM from now on.
If a user in DeepL already exists but hasn't been granted access to the DeepL application in the identity provider when provisioning begins.
The existing user will not be deleted automatically. It must be deleted manually.
If a group in DeepL already exists but hasn't been granted access to the DeepL application in the identity provider when provisioning begins.
The existing group will not be deleted automatically. It must be deleted manually.