I'm adding any role prior to removing the prior role. I haven't wanted to put in a delay with a sleep method. The action to remove the role is after adding the new role.

Role 1 grants a lot of resources such as AD and O365. Working as designed.
Role 2 only grants the AD account resource / entitlement.

When deprovisioning a user in a given scenario, we still want them to have access to AD, but remove the other entitlements. We first add Role 2 and then we remove Role 1. However the entitlement is lost for the AD account and the account is deleted prematurely.

Other than having a sleep option, what is the best way to have one resource / entitlement to AD with multiple roles having the resource and then moving from one role to another without the resource being revoked?

----
Further testing... I switched to actions. I'm now removing the role and then adding the new role. This seems to work. Is this my solution or is there something I should be aware of with the timing of moving users from one role to another? Always remove existing role first and then add the new role?

Thanks,
Fred