In this article:

    Overview

    All users on the Entra ID IdP are able to log in to Twingate, even if they were not part of a group that was synced. This will cause users to be "stuck" in twingate without a way to remove them.

    Cause

    In Entra ID, there is option ('Assignment required') to allow any user in that Entra ID tenant to log in to Twingate - if it is set to 'No', any users assigned to Twingate Entra ID will be able to log in to Twingate, even if they are not part of a synced group or even if the syncing (called Provisioning in Entra ID) has not been set up.

    Resolution

    Set the 'Assignment required' option to 'Yes' and run a Provisioning task, selecting the "Sync only assigned users/groups" option under Scope (see screenshot below) to remove the unwanted users.

     

    If you need to remove users from twingate that were added manually by the method above then assign them to the twingate enterprise application and then remove them from the application to trigger the removal.