After you delete a user in IDaaS with account synchronization enabled, the corresponding Resource Access Management (RAM) user may not be deleted. This happens because IDaaS cannot automatically remove RAM users that are in a protected state or outside the configured synchronization scope.
Why synchronization fails
Identify which condition applies to your situation, then follow the corresponding resolution.
The RAM user is in a protected state
RAM refuses to delete a user that still has a multi-factor authentication (MFA) device bound, an AccessKey configured, or a user group membership. IDaaS does not remove these associations on your behalf, so the synchronized deletion fails. You must remove all three kinds of association before the user can be deleted.
The synchronization scope is misconfigured
Synchronous deletion only triggers when the deleted IDaaS user belongs to the organization specified in the synchronization scope. If the organizations do not match, IDaaS does not send the deletion request to RAM. Verify that the organization of the deleted user matches the synchronization scope configuration.
Parameter settings are incorrect
Misconfigured synchronization parameters can cause the deletion request to fail. Review your synchronization parameter settings for errors.
Delete the RAM user manually
When IDaaS cannot automatically delete a RAM user, remove the protected state first, then delete the user.
Before proceeding, confirm that the RAM user is not associated with any critical resources or permission configurations, and that no application still authenticates with the user's AccessKeys. After deletion, the user's sessions, including sessions of any RAM roles the user has assumed, are forcibly terminated. The deletion cannot be reversed. The account performing these steps requires the AliyunRAMFullAccess permission.
Step 1: Remove the protected state
Complete each sub-task that applies to the target RAM user.
Remove the user from user groups
Log on to the Alibaba Cloud RAM console.
In the navigation pane, choose Identities > Users.
Click the username of the target RAM user.
In the user group section, remove the user from all user groups.
Unbind the MFA device
If an MFA device is bound to the user:
On the details page of the target RAM user, click the Authentication tab.
In the Security Management section, unbind the MFA device. For detailed steps, see Unbind an MFA device for a RAM user.
Delete the AccessKey
If the user has one or more AccessKeys:
On the details page of the target RAM user, go to the AccessKey Management section.
Delete all AccessKeys. Disabling a key before deleting it gives you a chance to catch an application that still signs requests with it; a deleted key cannot be recovered.
Step 2: Delete the RAM user
In the RAM console, choose Identities > Users in the navigation pane.
Find the target RAM user and click Delete in the Actions column.
Follow the prompts to confirm the deletion.
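The same two steps can be scripted with the Alibaba Cloud CLI, which is useful when more than one orphaned RAM user has to be cleaned up. The script below is an added example, not code from the IDaaS or RAM documentation. It assumes the `aliyun` CLI is installed and configured with a profile that holds AliyunRAMFullAccess, and it uses the RAM API action and parameter names (ListGroupsForUser, RemoveUserFromGroup, GetUserMFAInfo, UnbindMFADevice, ListAccessKeys, UpdateAccessKey, DeleteAccessKey, DeleteUser) as I know them; check them against `aliyun ram help` for your CLI version before running it for real. The planning function is pure text processing, so you can review the exact calls that will be made, and `DRY_RUN=1` prints them instead of executing them.

```shell
#!/bin/sh
# Added example (not Alibaba Cloud's own code): remove a RAM user's protected state, then delete it.
# Assumes: `aliyun` CLI configured with a profile holding AliyunRAMFullAccess; RAM action names as
# remembered from the RAM API (verify with `aliyun ram help`); RAM user and group names contain no
# whitespace. Set DRY_RUN=1 to print the mutating calls instead of executing them.

# Pull every string value stored under KEY ($1) out of a JSON document on stdin.
# A flat text match is enough for RAM list responses and avoids a jq dependency.
json_values() {
  grep -o "\"$1\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" | sed 's/^[^:]*:[[:space:]]*"//; s/"$//'
}

# Print, one per line, the RAM calls that take USER ($1) out of its protected state and delete it.
# $2: ListGroupsForUser JSON, $3: GetUserMFAInfo JSON (empty when no device is bound),
# $4: ListAccessKeys JSON. Nothing is executed here, so the plan can be reviewed or tested first.
cleanup_plan() {
  user="$1"
  # Step 1a: leave every user group.
  printf '%s\n' "$2" | json_values GroupName | while IFS= read -r g; do
    printf 'RemoveUserFromGroup --GroupName %s --UserName %s\n' "$g" "$user"
  done
  # Step 1b: unbind the MFA device only if one is reported.
  if printf '%s\n' "$3" | json_values SerialNumber | grep -q .; then
    printf 'UnbindMFADevice --UserName %s\n' "$user"
  fi
  # Step 1c: disable each AccessKey, then delete it (disabling first mirrors the console flow).
  printf '%s\n' "$4" | json_values AccessKeyId | while IFS= read -r k; do
    printf 'UpdateAccessKey --UserAccessKeyId %s --Status Inactive --UserName %s\n' "$k" "$user"
    printf 'DeleteAccessKey --UserAccessKeyId %s --UserName %s\n' "$k" "$user"
  done
  # Step 2: delete the user itself.
  printf 'DeleteUser --UserName %s\n' "$user"
}

# Execute (or, with DRY_RUN=1, only show) one planned RAM call.
ram_exec() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "would run: aliyun ram $*"
  else
    aliyun ram "$@"
  fi
}

# Full procedure for one RAM user: query the current state, plan, then apply in order.
delete_ram_user() {
  user="$1"
  groups=$(aliyun ram ListGroupsForUser --UserName "$user")
  # GetUserMFAInfo fails when no device is bound; treat that as "nothing to unbind".
  mfa=$(aliyun ram GetUserMFAInfo --UserName "$user" 2>/dev/null || true)
  keys=$(aliyun ram ListAccessKeys --UserName "$user")
  cleanup_plan "$user" "$groups" "$mfa" "$keys" | while IFS= read -r call; do
    # Unquoted on purpose: split the planned line into action and parameters (no whitespace in names).
    ram_exec $call
  done
}

# Usage: DRY_RUN=1 ./delete-ram-user.sh <RamUserName>   (drop DRY_RUN=1 to apply)
if [ -n "${1:-}" ]; then
  delete_ram_user "$1"
fi
```

Run it first with `DRY_RUN=1` and read the printed calls; if a group membership or AccessKey shows up that you did not expect, stop and check what depends on it before applying. The script deliberately does not catch a failed `DeleteUser`: if RAM still refuses, the remaining protected state (or a synchronization-scope problem on the IDaaS side) needs a human look rather than a retry loop.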