We have configured the AD connector for provisioning. For the leaver process, the AD account gets disabled & moved to the Disabled Users OU. All AD group access gets removed instantly.
Below is the requirement:
During the leaver process, the AD account shouldn't get disabled immediately. It should remain in the same OU with only one specific group access (the AdSync group). After 1 hour, it should be disabled & moved to the Disabled Users OU, & all group access then gets removed.
AdSync group access is required to sync the user from on-prem to Azure AD. So when it gets removed instantly through leaver events, the inactive users are unable to get synced to Azure, which is causing a lot of manual cleanup activity by the AD team.
Could anyone please check this & provide a possible solution to achieve this.
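One way to implement the deferred disable described above, as an added PowerShell example that is not from the original post and does not depend on any particular IAM product: the leaver event strips every group except AdSync and stamps the account, and a scheduled task later finishes the disable once the hour has passed. Assumed names: the group is called "AdSync", extensionAttribute15 holds the leaver timestamp, and the target OU is "OU=Disabled Users,DC=example,DC=com".

```powershell
# Added example (not from the original post). Assumptions: ActiveDirectory module
# is installed, sync group is "AdSync", leaver time is kept in extensionAttribute15,
# and the disabled-users OU DN is as below. Adjust these for your forest.
Import-Module ActiveDirectory

$SyncGroup    = 'AdSync'
$DisabledOU   = 'OU=Disabled Users,DC=example,DC=com'
$StampAttr    = 'extensionAttribute15'
$GraceMinutes = 60

function Remove-GroupsExcept {
    param([Microsoft.ActiveDirectory.Management.ADUser]$User, [string[]]$Keep)
    # The primary group (normally Domain Users) cannot be removed, so skip it.
    $primaryRid = (Get-ADUser $User -Properties primaryGroupID).primaryGroupID
    Get-ADPrincipalGroupMembership $User |
        Where-Object { $_.Name -notin $Keep -and $_.SID.Value -notmatch "-$primaryRid$" } |
        ForEach-Object { Remove-ADGroupMember -Identity $_ -Members $User -Confirm:$false }
}

# Phase 1: called by the leaver event. The account stays enabled and in its
# current OU, keeps only the AdSync group, and is stamped with the leaver time (UTC)
# so the account is still picked up by the Azure AD sync cycle.
function Start-Leaver {
    param([string]$SamAccountName)
    $u = Get-ADUser $SamAccountName
    Remove-GroupsExcept -User $u -Keep @($SyncGroup)
    Set-ADUser $u -Replace @{ $StampAttr = (Get-Date).ToUniversalTime().ToString('o') }
}

# Phase 2: run from a scheduled task every few minutes. Any stamped, still-enabled
# user whose grace period has expired is stripped of all groups (AdSync included),
# disabled, unstamped, and moved to the Disabled Users OU.
function Complete-ExpiredLeavers {
    $cutoff = (Get-Date).ToUniversalTime().AddMinutes(-$GraceMinutes)
    Get-ADUser -Filter "$StampAttr -like '*' -and Enabled -eq 'True'" -Properties $StampAttr |
        Where-Object {
            $stamp = [datetime]::Parse($_.$StampAttr, [cultureinfo]::InvariantCulture,
                                       [System.Globalization.DateTimeStyles]::RoundtripKind)
            $stamp -le $cutoff
        } |
        ForEach-Object {
            Remove-GroupsExcept -User $_ -Keep @()
            Disable-ADAccount -Identity $_
            Set-ADUser $_ -Clear $StampAttr
            Move-ADObject -Identity $_.DistinguishedName -TargetPath $DisabledOU
        }
}
```

Run the scheduled task under an account whose rights are limited to the relevant OUs and groups, and log each completed leaver so the AD team can reconcile against the sync.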