A huge hole in this workflow is that for any organization that uses AAD Connect, your changes will be disregarded at the next sync. We've had to jump through several hoops to gracefully de-provision a user.
Our workflow is as follows:
- Deactivate the user on-prem to block access to Office 365 (the portal setting will be overridden if it is set there; this is another point of frustration)
- Manual adjustment of security and distribution lists as appropriate
- When appropriate, delete user on-prem, which deletes the user on the portal
- Run a FULL sync via AAD Connect. If you don't, the next steps won't work
- In O365 portal, restore the account. This will make it a "cloud" account.
- Wait approximately 1-2 hours for the account to restore (this happens even if it was only deleted for a moment)
- Proceed with the new user deletion workflow.
I do love this workflow, as it is a HUGE improvement for OneDrive ownership and allows retention of the mailbox for audit and business continuity without chewing up a license. However, writing the changes back to the on-prem AD accounts is a critical, and missing, piece. Most Microsoft shops are in some state of hybrid configuration between on-prem and cloud, and the fact that these tools do not take that into account is incredibly frustrating.
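The hybrid de-provisioning steps listed above, scripted end to end in PowerShell. This is an added example, not the commenter's own script or anything Microsoft ships; it assumes the ActiveDirectory, ADSync and MSOnline modules are installed on the AAD Connect server, that Connect-MsolService has already been run with an account that can restore users, and that the parameter names and the group-export file path are placeholders of my choosing. It records group memberships before the manual list cleanup, forces an Initial (full) sync cycle and waits for it to finish, restores the deleted cloud object, and then polls for the restore to complete instead of guessing when the 1-2 hour wait is over.

```powershell
# Added example (not the original poster's code). Assumes ActiveDirectory, ADSync and
# MSOnline modules are present and Connect-MsolService has already been called.
param(
    [Parameter(Mandatory)] [string]$SamAccountName,      # on-prem account (placeholder)
    [Parameter(Mandatory)] [string]$UserPrincipalName,   # cloud UPN (placeholder)
    [int]$RestoreTimeoutMinutes = 180                    # poster reports 1-2 hours
)

Import-Module ActiveDirectory
Import-Module ADSync
Import-Module MSOnline

# Step 1: block sign-in on-prem. AAD Connect pushes the disabled state to Azure AD,
# which is also why a block set only in the portal gets overwritten at the next sync.
Disable-ADAccount -Identity $SamAccountName

# Step 2: capture group memberships before the manual security/distribution list
# cleanup so there is a record of what the user had. File name is an assumption.
$groupFile = Join-Path -Path $PWD -ChildPath "$SamAccountName-groups.txt"
Get-ADPrincipalGroupMembership -Identity $SamAccountName |
    Select-Object -ExpandProperty Name |
    Out-File -FilePath $groupFile
Write-Host "Group memberships saved to $groupFile; adjust lists manually before continuing."

# Step 3: delete on-prem. The next sync cycle deletes the synced object in Azure AD.
Remove-ADUser -Identity $SamAccountName -Confirm:$false

# Step 4: run a FULL sync (PolicyType Initial, not Delta) and wait for it to finish.
Start-ADSyncSyncCycle -PolicyType Initial | Out-Null
do {
    Start-Sleep -Seconds 30
} while ((Get-ADSyncScheduler).SyncCycleInProgress)

# Step 5: the object must now be in the Azure AD recycle bin; restore it there so it
# becomes a cloud-managed account that the next sync cycle will not touch.
$deleted = Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $UserPrincipalName `
    -ErrorAction SilentlyContinue
if (-not $deleted) {
    throw "$UserPrincipalName is not in the deleted users list; did the full sync run?"
}
Restore-MsolUser -UserPrincipalName $UserPrincipalName

# Step 6: the restore is asynchronous. Poll until the active object reappears or the
# timeout elapses rather than assuming a fixed wait.
$deadline = (Get-Date).AddMinutes($RestoreTimeoutMinutes)
do {
    Start-Sleep -Seconds 300
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
} until ($user -or (Get-Date) -gt $deadline)

if (-not $user) {
    throw "Restore of $UserPrincipalName did not complete within $RestoreTimeoutMinutes minutes."
}

# Step 7: the account is back as a cloud object. Show the identifiers an admin needs,
# then hand off to the portal's new deleted-user workflow (OneDrive ownership transfer,
# mailbox retention), which this script deliberately does not replace.
$user | Select-Object UserPrincipalName, ObjectId, LastDirSyncTime
Write-Host "Restore complete. Proceed with the new user deletion workflow in the portal."
```

The script stops with an error at the two points where the poster's sequence silently fails: if the full sync did not run, the object is never in the deleted list, and if the restore has not landed, the portal workflow cannot see the account yet. Run it from the AAD Connect server, since Start-ADSyncSyncCycle and Get-ADSyncScheduler only exist there.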