I have a user federation via LDAP configured. Users are only synchronized into my Keycloak realm when they have a certain group in Active Directory. There is a daily full sync and hourly partial sync for new/updated users.
If that group is revoked in AD, the user will no longer be synced. Additionally I found, it will even be deleted from the Keycloak realm.
Is that behavior something I can influence? Can I make the user “disabled” instead of deleting him?