Aug 16 2018
- last edited on
Jul 27 2020
We are currently working on a workflow that will restore an MSOL user and assign permissions to OneDrive and Exchange Online. This piece is worked out, converting to cloud only object.
The snag we've run into is trying to have the user automatically placed back into a soft deleted state after X amount of days. Is there a workflow based on the "SoftDeletionTimestamp" attribute?
We are currently setting a custom attribute and running a scheduled task to remove-MSOLUser if that attribute is greater than X Days.
Aug 16 2018 11:47 PM
You are not providing us all the details here, most importantly why and how are you deleting the user in the first place? In general, you can make an object a "disconnector" by removing it on-premises (or from the AAD Connect scope), then recovering it from O365. But that object is still stamped with the ImmutableId, so it can be "reconnected" at a later stage. And in general, this process is not really supported by Microsoft.
Aug 20 2018 01:28 PM
The users are being removed from the sync scope, i.e. moved to a disabled users OU. The use case is a terminated employee and granting a manager access to the terminated employee's resources for XX days. Once the XX days are up return the object to a soft deleted state to eventually be deleted permanently.
We fully understand this is not supported.
Aug 20 2018 09:05 PM
Just clear the immutableId attribute which removes the link to on-prem user.
After you've moved the user out of sync scope, run the following commands to remove the immutableId and recover the user:
Get-MsolUser -UserPrincipalName email@example.com -ReturnDeletedUsers | Set-MsolUser -ImmutableId ""
Get-MsolUser -UserPrincipalName firstname.lastname@example.org -ReturnDeletedUsers | Restore-MsolUser
There are no workflow to automatically delete the user after xx days. However, if 30 days is enough, you can simply give managers access to user's mailbox and OneDrive. This way they can be accessed even the user is in a soft deleted state.
Aug 21 2018 04:36 AM
@Nestori Syynimaa Thank you. I'm familiar with the process to restore and set the various permissions needed. The problem we are trying to solve for is if a manager request to have access for more than 30 days. Is there an value we can modify and a workflow mark the user for deletion? We are trying to avoid using another custom attribute.
Could we possibly use the "SoftDeletedTimeStamp"? Update this to the date we would like the account to be removed. If there is no built in workflow, I can accept that as a take away.
Aug 21 2018 05:04 AM