Traditionally - As a process we run collectors to receive active user accounts, accesses & last login date from applications at a set frequency.
Business has a concern - An account is created / re-instated after one collector run, misused & disabled before the next collector run.
To address this, we are asking the application team to send all user accounts (active & deleted) with access details & last login date, there will be alerts generated by the system for any change in permissions / last login date even for deleted accounts.
We are trying to address this by creating & using a customized flag to mark accounts as Inactive / Deleted.
The issue with this approach -
Since the collector is receiving the accounts, the deleted accounts are treated as active & appearing as part of off-boarding requests & user access reviews.
We are looking for a means to mark these accounts as deleted.
Not fully understand what you are trying to achieve, but see if this helps in any way - [Ad Account collector] How do i calculate the is_disabled attribute?