To facilitate GDPR or PDPA (Personal Data Protection Act in Singapore), Ideal scenario:

For Sandbox or non-production environments,

1. PII fields* should be anonymized, if they cannot be cleared, despite whether user records are manual or auto-sync-ed from AAD (which is a is a product design).
2. This should be automatic with a configurable setting.
3. With the above achieved, users/developers/customizers/admnistrators should still be able to login to Sandbox environments with their usual AAD accounts for UAT/customization/development/etc work. E.g. a Tester login to the system to test and create email activities.

For production environments,

1. PII fields* of disabled/inactive users should be anonymized, if they cannot be cleared, despite whether user records are manual or auto-sync-ed from AAD (which is a is a product design).
2. This should be automatic with a configurable settings.

* E.g. these fields: username, email addresses, phones