Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Hybrid Deployment - Automate User Deletion - Remove-MSOLUser

Copper Contributor

We are currently working on a workflow that will restore an MSOL user and assign permissions to OneDrive and Exchange Online.  This piece is worked out, converting to cloud only object.

 

The snag we've run into is trying to have the user automatically placed back into a soft deleted state after X amount of days.  Is there a workflow based on the "SoftDeletionTimestamp" attribute?

 

We are currently setting a custom attribute and running a scheduled task to remove-MSOLUser if that attribute is greater than X Days.

 

 

5 Replies

You are not providing us all the details here, most importantly why and how are you deleting the user in the first place? In general, you can make an object a "disconnector" by removing it on-premises (or from the AAD Connect scope), then recovering it from O365. But that object is still stamped with the ImmutableId, so it can be "reconnected" at a later stage. And in general, this process is not really supported by Microsoft.

@Vasil Michev

The users are being removed from the sync scope, i.e. moved to a disabled users OU.  The use case is a terminated employee and granting a manager access to the terminated employee's resources for XX days. Once the XX days are up return the object to a soft deleted state to eventually be deleted permanently.

 

 

We fully understand this is not supported. 

Just clear the immutableId attribute which removes the link to on-prem user.

After you've moved the user out of sync scope, run the following commands to remove the immutableId and recover the user:

Get-MsolUser -UserPrincipalName user@company.com -ReturnDeletedUsers | Set-MsolUser -ImmutableId ""
Get-MsolUser -UserPrincipalName user@company.com -ReturnDeletedUsers | Restore-MsolUser

There are no workflow to automatically delete the user after xx days. However, if 30 days is enough, you can simply give managers access to user's mailbox and OneDrive. This way they can be accessed even the user is in a soft deleted state.

@Nestori Syynimaa  Thank you. I'm familiar with the process to restore and set the various permissions needed.  The problem we are trying to solve for is if a manager request to have access for more than 30 days.  Is there an value we can modify and a workflow mark the user for deletion?  We are trying to avoid using another custom attribute. 

Could we possibly use the "SoftDeletedTimeStamp"?  Update this to the date we would like the account to be removed.  If there is no built in workflow, I can accept that as a take away.

Sorry @Kohen Dubeau, you can't set the SoftDeletedTimeStamp manually. So, you either have to keep the license for a longer period, or use retention policies for the data. You can also check my blog post about using inactive mail boxes.