Background - CDF users can be deleted or disabled in Entra ID, either accidentally or on purpose. Understanding what happens to the resources those users created is important for admins and for other users in the organisation. This article walks through common scenarios and questions about what happens to CDF resources when a user is deleted or disabled in Entra ID.
Entra ID - Microsoft Entra ID (formerly Azure Active Directory) is a cloud-based identity and access management (IAM) service that provides secure sign-in and access control for users to various Microsoft and third-party applications in both cloud and on-premises environments.
- Scenario 01: Private Resources (Private Charts, Private Canvases, Private Atlas AI Agents)
- Scenario 02: Public Resources (Public Charts, Public Canvases, Public Atlas AI Agents)
A user's identity and access to CDF resources are governed by Entra ID. When a user is deleted or disabled in Entra ID, that user's access to CDF is revoked entirely, including access to the content they own or created.
- Disabled in Entra ID: The user can no longer sign in to CDF. However, their content still exists unless explicitly removed.
- Deleted in Entra ID: Similar outcome, but now their identity is permanently removed from Entra ID.
In short, the user can no longer authenticate to CDF: Entra ID stops issuing tokens for the account and revokes its sessions and refresh tokens, so the user is effectively locked out. Note that access tokens already issued remain valid until they expire (typically about an hour) unless the client supports Continuous Access Evaluation, so expect a short window in which an existing session still works. The CDF resources themselves remain in place.
In both cases, CDF does not automatically delete user-created content. Access to that content, however, becomes restricted:
- If the user was the only one with access to certain resources, and they're disabled/deleted, then:
- Those resources become effectively inaccessible to others.
- They're not deleted, but they are private and invisible to other users unless permissions are adjusted.
- In technical terms, the resources remain in the system but may not be discoverable or accessible without proper ACLs (Access Control Lists).
For Scenario 01, private resources remain in CDF until a user with the relevant capabilities, ideally a CDF admin, explicitly deletes them. Until then they continue to exist but stay private, and if they were never shared nobody can reach them.
For Scenario 02, public resources stay in place and remain available to the other users and groups that already had access to them. If the user account is re-enabled in Entra ID (as opposed to deleted) and the user signs in again via Entra ID SSO, they regain access to CDF provided that:
- They still belong to an authorized Entra ID group or app role that CDF uses for access control.
- Their account is not blocked by CDF-specific security measures (e.g., revocation, manual ACL removal).
Once back in, any content they previously created or owned in CDF is intact and accessible to them, assuming the ACLs were not changed during their absence.
An important point: CDF identifies users by their Entra ID Object ID (OID), not by username. As long as the account was not deleted and recreated (which assigns a new OID), re-enabling is seamless. If the account was fully deleted and later recreated with the same username, it carries a different OID and CDF treats it as a new user: the old content and permissions are not automatically linked to the new identity and must be re-granted.
Things to Keep in Mind:
- If a user set up integrations (e.g., data ingestion pipelines) that authenticate with their own identity or with API keys tied to it, those integrations can stop working when the user is disabled or deleted, depending on how the authentication was implemented.
- SDKs or third-party tools that run with a disabled user's credentials will start failing once their cached tokens expire, typically with a generic authentication error rather than a clear indication that the account is disabled.
- When a user is deleted or disabled, their private resources become orphaned: inaccessible to everyone, of no use to anyone, and still consuming storage in CDF.
Best Practice for Admins:
- Use group-based access control rather than assigning permissions to individual users.
- Ensure service accounts and automations use Entra-registered app registrations or service principals for authentication, not personal user identities.
- Periodically audit users and role bindings in CDF to avoid orphaned access roles.
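The following audit is an added example, not code from Cognite or from this article. It reconciles the principals CDF has bindings for against a directory export and classifies each as active, disabled, deleted, or recreated (same username, new OID), which is the OID point made above, and then lists the bindings that should be cleaned up and the private resources nobody can reach any more. All data is constructed inline; in practice the directory side would come from Microsoft Graph (`GET /users?$select=id,userPrincipalName,accountEnabled`) and the CDF side from your project's group memberships and resource ownership, which are assumptions about how you export that information.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class DirectoryUser:
    """A user as exported from Entra ID (Microsoft Graph /users)."""
    oid: str          # object ID: the stable identifier CDF keys on
    upn: str          # userPrincipalName: can be reused after deletion, so NOT stable
    enabled: bool     # accountEnabled


@dataclass(frozen=True)
class CdfPrincipal:
    """An identity CDF holds a binding for (group membership or resource ownership)."""
    oid: str
    upn: str                 # UPN recorded when the binding was created
    bindings: tuple          # CDF groups / resources bound to this OID


@dataclass(frozen=True)
class Finding:
    oid: str
    upn: str
    status: str              # "active" | "disabled" | "deleted" | "recreated"
    bindings: tuple
    note: str


# Constructed sample data (hypothetical OIDs, UPNs and group names).
DIRECTORY = [
    DirectoryUser("1111-alice", "alice@example.com", True),
    DirectoryUser("2222-bob",   "bob@example.com",   False),   # disabled, not deleted
    DirectoryUser("4444-carol", "carol@example.com", True),    # deleted and recreated: new OID, same UPN
]

CDF_PRINCIPALS = [
    CdfPrincipal("1111-alice", "alice@example.com", ("cdf-admins",)),
    CdfPrincipal("2222-bob",   "bob@example.com",   ("cdf-readers", "private-canvas:ops-dashboard")),
    CdfPrincipal("3333-carol", "carol@example.com", ("cdf-writers",)),   # carol's OID from before recreation
    CdfPrincipal("5555-dave",  "dave@example.com",  ("cdf-readers",)),   # deleted, never recreated
]

# Constructed: which OIDs can reach each resource (per-OID entries only, for simplicity).
RESOURCE_ACL: Dict[str, Set[str]] = {
    "private-canvas:ops-dashboard": {"2222-bob"},                    # only a disabled user
    "private-chart:q3-forecast":    {"3333-carol", "5555-dave"},     # both OIDs gone
    "public-chart:plant-overview":  {"1111-alice", "3333-carol"},    # alice is still active
}


def audit_principals(cdf_principals: Iterable[CdfPrincipal],
                     directory: Iterable[DirectoryUser]) -> List[Finding]:
    """Classify every CDF principal by looking its OID up in the directory.

    A missing OID whose UPN is present under a different OID means the account
    was deleted and recreated: CDF will treat the new OID as a new user.
    """
    by_oid = {u.oid: u for u in directory}
    by_upn = {u.upn.lower(): u for u in directory}
    findings: List[Finding] = []
    for p in cdf_principals:
        user = by_oid.get(p.oid)
        if user is not None:
            status = "active" if user.enabled else "disabled"
            note = "" if user.enabled else "cannot sign in; bindings still present"
        else:
            twin = by_upn.get(p.upn.lower())
            if twin is not None:
                status = "recreated"
                note = f"same UPN now has OID {twin.oid}; bindings must be re-granted to it"
            else:
                status = "deleted"
                note = "orphaned bindings"
        findings.append(Finding(p.oid, p.upn, status, p.bindings, note))
    return findings


def stale_bindings(findings: Iterable[Finding]) -> List[str]:
    """Bindings held by OIDs that no longer exist in Entra ID (deleted or recreated)."""
    return sorted(b for f in findings if f.status in ("deleted", "recreated") for b in f.bindings)


def unreachable_resources(findings: Iterable[Finding], resource_acl: Dict[str, Set[str]]) -> List[str]:
    """Resources whose every ACL entry points at a non-active OID: nobody can open them."""
    live = {f.oid for f in findings if f.status == "active"}
    return sorted(r for r, oids in resource_acl.items() if not (oids & live))


if __name__ == "__main__":
    found = audit_principals(CDF_PRINCIPALS, DIRECTORY)
    for f in found:
        print(f"{f.status:9} {f.upn:18} {f.oid:11} {', '.join(f.bindings)}  {f.note}")
    print("stale bindings:", stale_bindings(found))
    print("unreachable resources:", unreachable_resources(found, RESOURCE_ACL))
```

Disabled accounts are deliberately left out of `stale_bindings`: they may be re-enabled, in which case the existing bindings are exactly what makes the return seamless, so they are a review item rather than a cleanup item. Run the reconciliation on a schedule and treat a non-empty `unreachable_resources` list as the trigger for an admin to either re-share or delete those private resources.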
Additional Resources
Access Management Concepts - https://docs.cognite.com/cdf/access/concepts/