Forum Discussion
Hybrid Deployment - Automate User Deletion - Remove-MSOLUser
The users are being removed from the sync scope, i.e. moved to a disabled users OU. The use case is a terminated employee and granting a manager access to the terminated employee's resources for XX days. Once the XX days are up return the object to a soft deleted state to eventually be deleted permanently.
We fully understand this is not supported.
Just clear the immutableId attribute which removes the link to on-prem user.
After you've moved the user out of sync scope, run the following commands to remove the immutableId and recover the user:
Get-MsolUser -UserPrincipalName user@company.com -ReturnDeletedUsers | Set-MsolUser -ImmutableId ""
Get-MsolUser -UserPrincipalName user@company.com -ReturnDeletedUsers | Restore-MsolUser
There are no workflow to automatically delete the user after xx days. However, if 30 days is enough, you can simply give managers access to user's mailbox and OneDrive. This way they can be accessed even the user is in a soft deleted state.
Nestori Syynimaa Thank you. I'm familiar with the process to restore and set the various permissions needed. The problem we are trying to solve for is if a manager request to have access for more than 30 days. Is there an value we can modify and a workflow mark the user for deletion? We are trying to avoid using another custom attribute.
Could we possibly use the "SoftDeletedTimeStamp"? Update this to the date we would like the account to be removed. If there is no built in workflow, I can accept that as a take away.
Sorry Kohen Dubeau, you can't set the SoftDeletedTimeStamp manually. So, you either have to keep the license for a longer period, or use retention policies for the data. You can also check my blog post about using inactive mail boxes.