Last Updated: January 5, 2017 by Ryan Consell | Version: 3
The core ILST documentation is at https://support.igloosoftware.com/discover/configuration/igloo_ldap_sync_tool
There are four settings related to revoking users from your Igloo community, found in the <ApplicationSettings> area of the config file. Each one can have a value of true or false. By default, no one will be revoked from the community.
<RevokeIfNotInSearch>true</RevokeIfNotInSearch>
Turning on this setting means that if the user has been previously synced into Igloo, is in Igloo, and is not in the AD, they will be revoked. This is the top-level rule: if this setting is false, none of the other rules take effect.
<RevokeNonDelegateUsers>true</RevokeNonDelegateUsers>
This setting allows the tool to revoke non-delegate users. Users become delegated when they log in through LDAP authentication or Single Sign-On. Turning on this setting means that if the user is not delegated, has been previously synced into Igloo, is in Igloo, and is not in the AD, they will be revoked.
<RevokeAdmins>false</RevokeAdmins>
With this setting turned off, the ILST will never revoke community administrators, even if the other conditions instruct it to. It's recommended to leave this setting set to false, but it can be activated to have the AD be the final authority on all membership in the community.
<RevokeUsersNotManagedByLdap>true</RevokeUsersNotManagedByLdap>
Every user added or updated by the ILST is managed by LDAP, and the sync will be able to govern them using the other revoking settings. When this setting is activated, the ILST will also be able to govern users created manually through invitations or the Bulk Member Upload, as well as users automatically created through Single Sign-On.
This table presents some common user conditions, and which revoking setting will apply to them.

| Condition | Revoke if Not In Search | Revoke Non Delegated Users | Revoke Admins | Revoke Users Not Managed by LDAP |
|---|---|---|---|---|
| User was synced, but is no longer in the AD | Revoke | | | |
| User was manually added to the community | Do nothing | Do nothing | Do nothing | Revoke |
| User is an Administrator, but is no longer in the AD | Do nothing | Do nothing | Revoke | |
| User was synced, but has never logged in | Do nothing | Revoke | | |
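The four settings and the table above can be checked against each other with a small model of the rules. This is an added illustrative example, not ILST code: the `<Configuration>` wrapper element, the `User` fields, and the order in which the checks are applied are assumptions made here to reproduce the outcomes the table lists.

```python
"""Illustrative model of the ILST revoking rules (added example, not ILST code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample config; the <Configuration> wrapper is an assumption,
# only the <ApplicationSettings> elements come from the documentation above.
SAMPLE_CONFIG = """<Configuration>
  <ApplicationSettings>
    <RevokeIfNotInSearch>true</RevokeIfNotInSearch>
    <RevokeNonDelegateUsers>true</RevokeNonDelegateUsers>
    <RevokeAdmins>false</RevokeAdmins>
    <RevokeUsersNotManagedByLdap>true</RevokeUsersNotManagedByLdap>
  </ApplicationSettings>
</Configuration>"""

REVOKE_KEYS = ("RevokeIfNotInSearch", "RevokeNonDelegateUsers",
               "RevokeAdmins", "RevokeUsersNotManagedByLdap")

def parse_revoke_settings(xml_text: str) -> dict:
    """Read the four revoke flags; a missing element defaults to false (no revocation)."""
    root = ET.fromstring(xml_text)
    app = root if root.tag == "ApplicationSettings" else root.find("ApplicationSettings")
    settings = {}
    for key in REVOKE_KEYS:
        node = app.find(key) if app is not None else None
        text = (node.text or "").strip().lower() if node is not None else "false"
        if text not in ("true", "false"):
            raise ValueError(f"{key} must be true or false, got {text!r}")
        settings[key] = text == "true"
    return settings

@dataclass(frozen=True)
class User:
    name: str
    in_ad: bool            # still returned by the LDAP search
    managed_by_ldap: bool  # created or updated by the ILST
    delegated: bool        # has logged in via LDAP authentication or SSO
    is_admin: bool         # community administrator

def revoke_decision(user: User, s: dict) -> str:
    """Return 'revoke', or the reason the user is kept (assumed check order)."""
    if not s["RevokeIfNotInSearch"]:
        return "blocked: RevokeIfNotInSearch"   # top-level rule switches everything off
    if user.in_ad:
        return "keep: present in AD"
    if not user.managed_by_ldap and not s["RevokeUsersNotManagedByLdap"]:
        return "blocked: RevokeUsersNotManagedByLdap"
    if not user.delegated and not s["RevokeNonDelegateUsers"]:
        return "blocked: RevokeNonDelegateUsers"
    if user.is_admin and not s["RevokeAdmins"]:
        return "blocked: RevokeAdmins"
    return "revoke"
```

With the sample config, a synced non-admin who has left the AD is revoked, an administrator in the same situation is kept by `RevokeAdmins`, and turning `RevokeIfNotInSearch` off keeps everyone.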