ConductorOne · Bencheng21 · Jun 20, 2025 · Jun 18, 2025 · Jun 19, 2025 · MarcusGoldschmidt
diff --git a/pkg/connector/server_user.go b/pkg/connector/server_user.go
@@ -19,6 +19,8 @@ import (
 	"go.uber.org/zap"
 )
 
+var _ connectorbuilder.ResourceDeleter = (*userPrincipalSyncer)(nil)
+
 // userPrincipalSyncer implements both ResourceSyncer and AccountManager.
 type userPrincipalSyncer struct {
 	resourceType *v2.ResourceType
@@ -217,6 +219,19 @@ func (d *userPrincipalSyncer) CreateAccountCapabilityDetails(
 	}, nil, nil
 }
 
+func (d *userPrincipalSyncer) Delete(ctx context.Context, resourceId *v2.ResourceId) (annotations.Annotations, error) {
+	user, err := d.client.GetUserPrincipal(ctx, resourceId.GetResource())
+	if err != nil {
+		return nil, err
+	}
+
+	err = d.client.DisableUserFromServer(ctx, user.Name)
+	if err != nil {
+		return nil, err
+	}
+	return nil, nil
+}
+
 // generateStrongPassword creates a secure random password for SQL Server.
 // The password meets SQL Server complexity requirements:
 // - At least 8 characters in length

diff --git a/pkg/mssqldb/server.go b/pkg/mssqldb/server.go
@@ -2,6 +2,7 @@ package mssqldb
 
 import (
 	"context"
+	"fmt"
 	"strings"
 
 	"github.com/grpc-ecosystem/go-grpc-middleware/logging/zap/ctxzap"
@@ -33,3 +34,18 @@ func (c *Client) GetServer(ctx context.Context) (*ServerModel, error) {
 
 	return &ret, nil
 }
+
+func (c *Client) DisableUserFromServer(ctx context.Context, userName string) error {
+	if strings.ContainsAny(userName, "[]\"';") {
+		return fmt.Errorf("invalid characters in userName")
+	}
+
+	query := fmt.Sprintf(`
+ALTER LOGIN [%s] DISABLE;`, userName)
+
+	_, err := c.db.ExecContext(ctx, query)
+	if err != nil {
+		return err
+	}
+	return nil
+}