Deactivating a user
To suspend a user’s access to organization resources, you can deactivate the user. Deactivation will terminate all the user's sessions, and the user will lose access to the organization's resources until reactivated.
Note
You can activate and deactivate only federated and local users. You cannot activate or deactivate Yandex account users.
Deactivating a federated user
To deactivate a federated user account:
- Log in to Yandex Identity Hub using an administrator or organization owner account.
- In the left-hand panel, select Users and find the federated or local user you need. Optionally, use the search bar or filter at the top of the page.
- In the row with the user, click and select Deactivate.
- In the window that opens, confirm deactivation. You can also give a reason for account deactivation.
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
- See the description of the CLI command for deactivating federated users:

    yc organization-manager federation saml suspend-user-accounts --help

- Get a list of federations in the organization:

    yc organization-manager federation saml list \
      --organization-id <organization_ID>

  Where --organization-id is the ID of the organization you need the list of federations for.

- Get a list of active federation users:

    yc organization-manager federation saml list-user-accounts <federation_ID> \
      --organization-id <organization_ID> \
      --filter active=true

  Where:
  - <federation_ID>: ID of the federation you need the list of users for.
  - --organization-id: ID of the organization the federation belongs to.
  - --filter active=true: Filter to get only active users.

- To deactivate users, provide their IDs in this command:

    yc organization-manager federation saml suspend-user-accounts <federation_ID> \
      --subject-ids <user_1_ID>,<user_2_ID>,...,<user_N_ID> \
      --organization-id <organization_ID> \
      --reason <reason_for_deactivation>

  Where:
  - <federation_ID>: ID of the federation to deactivate users in.
  - --subject-ids: List of user IDs for deactivation.
  - --organization-id: ID of the organization the federation belongs to.
  - --reason: Reason for deactivation. This is an optional parameter.
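The CLI steps above, combined into a batch offboarding helper with a post-check. This is an added example, not part of the original documentation: the function names, the FEDERATION_ID, ORG_ID and DRY_RUN variables, the IDs file layout, and the allowed ID character set are assumptions; only the yc commands and flags shown above are used.

```shell
#!/bin/sh
# Added example (not from the Yandex Cloud docs): batch-suspend federated users.
# FEDERATION_ID and ORG_ID are supplied by the operator; DRY_RUN defaults to 1.

# Read subject IDs from a file (one per line, blank lines and '#' comments
# ignored), drop duplicates, and join them with commas for --subject-ids.
# Assumption: IDs are alphanumeric (plus '_' and '-') and never start with '-',
# so a stray line cannot be parsed by yc as an option.
join_subject_ids() {
  awk '{ sub(/#.*/, ""); gsub(/[ \t\r]/, "") }
       length($0) == 0 { next }
       $0 !~ /^[A-Za-z0-9][A-Za-z0-9_-]*$/ {
         print "bad ID on line " NR > "/dev/stderr"; bad = 1; next }
       !seen[$0]++ { out = out (out == "" ? "" : ",") $0 }
       END { if (bad) exit 1; print out }' "$1"
}

# usage: suspend_users <ids_file> <reason>
# Prints the command when DRY_RUN=1 (default), runs it when DRY_RUN=0.
suspend_users() {
  ids=$(join_subject_ids "$1") || return 1
  [ -n "$ids" ] || { echo "no subject IDs in $1" >&2; return 1; }
  set -- yc organization-manager federation saml suspend-user-accounts \
    "$FEDERATION_ID" --subject-ids "$ids" \
    --organization-id "$ORG_ID" --reason "$2"
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Post-check: read the active-user listing on stdin and print every ID from
# <ids_file> that still appears in it (empty output means all were suspended).
still_active() {
  listing=$(cat)
  join_subject_ids "$1" | tr ',' '\n' | while IFS= read -r id; do
    if printf '%s\n' "$listing" | grep -qFw -- "$id"; then
      printf '%s\n' "$id"
    fi
  done
}

# Typical run (placeholders as in the steps above):
#   FEDERATION_ID=<federation_ID> ORG_ID=<organization_ID> DRY_RUN=0 \
#     suspend_users ids.txt "<reason_for_deactivation>"
#   yc organization-manager federation saml list-user-accounts "$FEDERATION_ID" \
#     --organization-id "$ORG_ID" --filter active=true | still_active ids.txt
```

Recording a reason on every batch and keeping the post-check output gives an audit trail showing that each account was actually suspended.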
Use the Federation.Suspend REST API method for the Federation resource or the FederationService/Suspend gRPC API call.
Deactivating a local user
Note
This feature is at the Preview stage.
To deactivate a local user account:
- Log in to Yandex Identity Hub using an administrator or organization owner account.
- In the left-hand panel, select Users and find the federated or local user you need. Optionally, use the search bar or filter at the top of the page.
- In the row with the user, click and select Deactivate.
- In the window that opens, confirm deactivation. You can also give a reason for account deactivation.
If you do not have the Yandex Cloud CLI installed yet, install and initialize it.
By default, the CLI uses the folder specified when creating the profile. To change the default folder, use the yc config set folder-id <folder_ID> command. You can also set a different folder for any specific command using the --folder-name or --folder-id parameter.
- View the description of the CLI command to deactivate a pool user:

    yc organization-manager idp user suspend --help

- To get a list of pools in an organization, provide its ID in this command:

    yc organization-manager idp userpool list \
      --organization-id <organization_ID>

  Result:

    +----------------------+--------------+-------------+----------------------+---------------------+
    | ID                   | NAME         | DESCRIPTION | ORGANIZATION ID      | CREATED AT          |
    +----------------------+--------------+-------------+----------------------+---------------------+
    | ek0o6g0irskn******** | sample-pool1 |             | bpf2c65rqcl8******** | 2025-05-17 10:01:04 |
    | ek03mf01jr4z******** | sample-pool2 |             | bpf2c65rqcl8******** | 2025-06-28 16:30:23 |
    +----------------------+--------------+-------------+----------------------+---------------------+

- To get the IDs and other information about pool users, provide the pool ID in the following command:

    yc organization-manager idp user list \
      --userpool-id <user_pool_ID>

  Result:

    +----------------------+----------------------------------------+-----------+----------------------+-----------+---------------------+
    | ID                   | USERNAME                               | FULL NAME | USERPOOL ID          | IS ACTIVE | CREATED AT          |
    +----------------------+----------------------------------------+-----------+----------------------+-----------+---------------------+
    | aje3i1gq49n3******** | test-user1@test.ru.idp.yandexcloud.net | User 1    | ek0o6g0irskn******** | true      | 2025-10-07 10:41:54 |
    | aje0j5mts02t******** | test-user2@test.ru.idp.yandexcloud.net | User 2    | ek0o6g0irskn******** | false     | 2025-07-16 11:18:57 |
    +----------------------+----------------------------------------+-----------+----------------------+-----------+---------------------+

- To deactivate a user, provide their ID in this command:

    yc organization-manager idp user suspend <user_ID> \
      --reason <reason_for_deactivation>

  Where --reason is the reason for deactivation. This is an optional parameter.
Use the User.Suspend REST API method for the User resource or the UserService/Suspend gRPC API call.