diff --git a/ee/lib/ee/gitlab/scim/group/deprovisioning_service.rb b/ee/lib/ee/gitlab/scim/group/deprovisioning_service.rb
index 19be91664cde8b511b96034eb4960f52904ea855..c1700ae3e6fd31ec90d125e38efad9aa1a8f1a0f 100644
--- a/ee/lib/ee/gitlab/scim/group/deprovisioning_service.rb
+++ b/ee/lib/ee/gitlab/scim/group/deprovisioning_service.rb
@@ -37,7 +37,11 @@ def execute
           def remove_group_access
             return unless group_membership
 
-            ::Members::DestroyService.new(user).execute(group_membership, skip_saml_identity: true)
+            ::Members::DestroyService.new.execute(
+              group_membership,
+              skip_saml_identity: true,
+              skip_authorization: true
+            )
           end
 
           def group_membership
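Review bot: `skip_authorization: true` in `remove_group_access` switches off the permission check inside `Members::DestroyService`, and nothing at the call site records why that is safe. The only guard visible here is `return unless group_membership`, so the removal is only as trustworthy as that lookup; its body lies outside the hunk and presumably scopes the membership to the group bound to the SCIM token. After confirming that, I would add a comment above the call, e.g. `# Authorization is skipped: the SCIM request is already authenticated for this group and group_membership is scoped to it.` Dropping the `user` argument also means the service now runs with no current user, so it is worth checking how the resulting audit event is attributed.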
diff --git a/ee/spec/lib/ee/gitlab/scim/group/deprovisioning_service_spec.rb b/ee/spec/lib/ee/gitlab/scim/group/deprovisioning_service_spec.rb
index 47140e03681d7138e5eae1f364168b1dd4e6a22e..319c08681eefed2333653cd073bd289efc2afdc5 100644
--- a/ee/spec/lib/ee/gitlab/scim/group/deprovisioning_service_spec.rb
+++ b/ee/spec/lib/ee/gitlab/scim/group/deprovisioning_service_spec.rb
@@ -15,6 +15,51 @@
         create(:group_member, group: group, user: user, access_level: GroupMember::REPORTER)
       end
 
+      context 'when auditing' do
+        let(:request_ip_address) { '192.168.188.69' }
+        let(:sign_in_ip) { '175.29.19.1' }
+
+        before do
+          allow(::Gitlab::RequestContext.instance).to receive(:client_ip).and_return(request_ip_address)
+          user.update! current_sign_in_ip: sign_in_ip
+        end
+
+        around do |example|
+          RequestStore.begin!
+          example.run
+          RequestStore.end!
+          RequestStore.clear!
+        end
+
+        def destroy_audits
+          AuditEvent.where %q("details" LIKE '%:event_name: member_destroyed%')
+        end
+
+        context 'without admin_audit_log enabled' do
+          before do
+            stub_licensed_features(admin_audit_log: false)
+          end
+
+          it 'audits the access removal without an IP address' do
+            expect { service.execute }.to change { destroy_audits.count }.by(1)
+
+            expect(destroy_audits.last.ip_address).to be_nil
+          end
+        end
+
+        context 'with admin_audit_log enabled' do
+          before do
+            stub_licensed_features(admin_audit_log: true)
+          end
+
+          it "audits the access removal with the request's IP address" do
+            expect { service.execute }.to change { destroy_audits.count }.by(1)
+
+            expect(destroy_audits.last.ip_address).to eq(request_ip_address)
+          end
+        end
+      end
+
       it 'deactivates scim identity' do
         expect { service.execute }.to change { identity.active }.from(true).to(false)
       end
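Review bot: Both examples under 'when auditing' assert only `ip_address`, so the spec never pins who or what the `member_destroyed` event is attributed to. Attribution is the part of the audit trail most exposed by calling the service without a current user. Assuming the event is recorded against the group, an extra expectation such as `expect(destroy_audits.last.entity_id).to eq(group.id)` would help, along with one on `author_id` once the intended author is settled. Separately, `destroy_audits` finds rows with a `LIKE` over the serialized `details` text, which ties the spec to the storage format; a one-line comment on the helper saying so would help whoever changes that format.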