Current Adobe Admin Console (AAC) Entra ID provisioning consistently recreates Federated Accounts due to its reliance on user objects' enablement statuses for provisioning identities. Our current offboarding process requires that we disable the user account in our source IDP to prevent unauthorized access when an employee leaves or is terminated. This deactivates the user in AAC, and if we need to rename (due to shared mailbox access delegation requirements) or set up a new account for the same user in another dept, the provisioning workflow creates a duplicate account in AAC. This causes frustration for our admins and provides access to the previous account's Adobe Sign data when licensed for Adobe Sign.
The recommendation is to ignore the user's activity status (enabled/disabled) when scoping a user for provisioning through the Entra ID application. At least let the organization choose whether they'd like to keep disabled users in scope or not. This would allow post-offboarding configuration changes to the existing account and allow those changes to replicate into downstream services (e.g. Adobe Sign). This would simplify our deployment of these services and would reduce the negative effects on our offboarding process.