Review comments

ansible_base/authentication/authenticator_plugins/base.py

@@ -146,7 +146,12 @@ def move_authenticator_user_to(self, new_user, old_authenticator_user):
             "authenticator_users",
             "groups",
             "has_roles",
+            # We're ignoring role assignments for two reasons: 1. this isn't safe to copy right now, as it
+            # could break the caching layer, 2. roles are intented to come from the authenticator via an
+            # authenticator map, so when a user is move to a new authenticator, they're old roles should
+            # be removed.
             "role_assignments",
+            "logentry",
         )
 
         old_user = old_authenticator_user.user

ansible_base/authentication/utils/authentication.py

@@ -60,6 +60,8 @@ def migrate_from_existing_authenticator(
         old_user = from_authenticator.move_authenticator_user_to(main_user, migrate_user)
         if old_user and not old_user.authenticator_users.exists():
             old_user.delete()
+        else:
+            logger.warning(f"{old_user.username} is still managed by other authenticators and cannot be deleted.")
 
     # Now that we've potentially cleaned up any old user accounts, lets see if we can
     # give the user their preferred_username as their username