Type: Bug
Resolution: Timed out
Priority: Medium
Component/s: Group Sync, User Sync - SCIM Maintenance
Severity 3 - Minor
Issue Summary
When an Azure AD synced user is removed from the UI using "Remove Users" on the User Details page, the user is removed from the synced group and no longer has any product access.
However, when we check in the user provisioning directory, we see that the group still shows up on the user account.
Steps to Reproduce
- Search for the User in Directory (user synced via Azure AD Sync) >> Users
- Click Show Details and click Remove User
- The user is removed from the group they are synced to via Azure AD Sync and loses its Product Access; however, the user is still active on Atlassian and remains in the group on Azure (which is expected, as these changes are not reflected on Azure)
- When we re-sync the user using the Sync Now option for Azure AD Sync, the sync reports no errors, but the user is not added to the group again.
Expected Results
When an Azure AD synced user has access removed from the UI, the group the user is synced from in Azure should also be removed from the user provisioning directory, so that when the user is synced again they can be added to the group and given Product Access.
Actual Results
If we remove a synced user by clicking "Remove user" on the User details page (https://admin.atlassian.com/o/ORG-ID/users/AAID), they will be removed from the synced group they are part of. However, the user provisioning directory will still have the group information (it's not touched), causing the IDP (Azure in this case) to skip the user due to a RedundantExport.
Workaround
Support can do a manual re-sync of the group using an internal proprietary API which should then re-sync the user to the group.