SOLVED

Is there a easy way to exit a user?

%3CLINGO-SUB%20id%3D%22lingo-sub-291800%22%20slang%3D%22en-US%22%3EIs%20there%20a%20easy%20way%20to%20exit%20a%20user%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-291800%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20hybrid%20Office%20365%20environment.%20Every%20time%20when%20there%20is%20a%20user%20left%2C%20I%20first%20need%20to%20remove%20the%20user's%20Office%20365%20license%2C%20then%20convert%20it%20to%20shared%20mailbox%20for%20other%20to%20access%2C%20last%20I%20will%20need%20to%20go%20the%20on%20premieres%20active%20directory%2C%20change%20the%20two%20attributes%26nbsp%3BmsExchRemoteRecipientType%20to%20100%20and%26nbsp%3B%26nbsp%3BmsExchRecipientTypeDetails%20to%2034359738368.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThis%20is%20too%20much%20work.%20Sometimes%20I%20need%20to%20do%20more%20than%2020%20users%20at%20one%20time.%20I%20wonder%20how%20other%20people%20do%20and%20is%20there%20a%20easy%20way%20to%20do%20it%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPlease%20advise!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20in%20advance!%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-291800%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-293291%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20there%20a%20easy%20way%20to%20exit%20a%20user%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-293291%22%20slang%3D%22en-US%22%3E%3CP%3EHere's%20what%20we%20do%3A%3C%2FP%3E%3CP%3E-%20As%20the%20user%20exits%2C%20the%20AD%20account%20gets%20disabled%3C%2FP%3E%3CP%3E-%20A%20daily%20scheduled%20script%20which%3A%3C%2FP%3E%3CP%3E1.%20Pulls%20user%20accounts%20that%20were%20disabled%20in%20the%20last%2024%20hours%3C%2FP%3E%3CP%3E2.%20Connects%20to%20O365%3C%2FP%3E%3CP%3E3.%20Enables%20'x'%20days%20litigation%20hold%20on%20the%20identified%20mailboxes%3CBR%20%2F%3E4.%20Waits%2060%20mins%20(for%20the%20LitHold%20to%20take%20effect)%3C%2FP%3E%3CP%3E5.%20Prefixes%20the%20Alias%20(from%20on-premise)%20with%20%22CAS_%7D%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIn%20the%20next%20sync%20interval%2C%20these%20accounts%20will%20become%20inactive%20mailboxes%20and%20will%20remain%20in%20the%20O365%20system%20for%20'x'%20days%20per%20the%20litigation%20hold%20interval.%20The%20licenses%20get%20automatically%20freed%20up%20as%20the%20accounts%20become%20inactive.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMay%20not%20be%20the%20best%20approach%20as%20every%20organization%20would%20have%20their%20own%20needs%2C%20this%20approach%20works%20for%20us%20(open%20to%20suggestions%2Fimprovements).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-292062%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20there%20a%20easy%20way%20to%20exit%20a%20user%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-292062%22%20slang%3D%22en-US%22%3E%3CP%3EIf%20you%20need%20to%20keep%20the%20user%20data%2C%20simply%20use%20Inactive%20mailboxes%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fsecuritycompliance%2Fcreate-and-manage-inactive-mailboxes%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Foffice365%2Fsecuritycompliance%2Fcreate-and-manage-inactive-mailboxes%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EShared%20mailboxes%20have%20a%20dependency%20on%20the%20on-premises%20user%20object%2C%20meaning%20you%20cannot%20delete%2Fmove%20it%20out%20of%20the%20sync%20scope.%20Then%20again%2C%20they%20are%20easier%20to%20deal%20with%20compared%20to%20Inactive%20mailboxes%20when%20it%20comes%20to%20accessing%20content.%20Anyway%2C%20it's%20just%20another%20option%20to%20consider%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-291840%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20there%20a%20easy%20way%20to%20exit%20a%20user%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-291840%22%20slang%3D%22en-US%22%3ESure%20is!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-291838%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20there%20a%20easy%20way%20to%20exit%20a%20user%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-291838%22%20slang%3D%22en-US%22%3EThat's%20a%20pretty%20nifty%20script%20you%20got%20there!%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-291832%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20there%20a%20easy%20way%20to%20exit%20a%20user%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-291832%22%20slang%3D%22en-US%22%3EPlease%20check%20out%20the%20following%20script%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Famp.reddit.com%2Fr%2Fsysadmin%2Fcomments%2F73tt33%2Fby_request_terminated_user_script_365%2F%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Famp.reddit.com%2Fr%2Fsysadmin%2Fcomments%2F73tt33%2Fby_request_terminated_user_script_365%2F%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EAdam%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-291829%22%20slang%3D%22en-US%22%3ERe%3A%20Is%20there%20a%20easy%20way%20to%20exit%20a%20user%3F%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-291829%22%20slang%3D%22en-US%22%3EWould%20advise%20powershell%20when%20you%20need%20to%20do%20things%20in%20batches.%20Some%20great%20powershell%20users%20on%20here%20may%20have%20scripts%20they%20can%20provide%20or%20push%20you%20in%20the%20right%20direction%3CBR%20%2F%3E%3CBR%20%2F%3EBest%2C%20Chris%3C%2FLINGO-BODY%3E
Highlighted
Frequent Contributor

Hi,

 

We have hybrid Office 365 environment. Every time when there is a user left, I first need to remove the user's Office 365 license, then convert it to shared mailbox for other to access, last I will need to go the on premieres active directory, change the two attributes msExchRemoteRecipientType to 100 and  msExchRecipientTypeDetails to 34359738368. 

 

This is too much work. Sometimes I need to do more than 20 users at one time. I wonder how other people do and is there a easy way to do it?

 

Please advise!

 

Thanks in advance!  

 

6 Replies
Highlighted
Would advise powershell when you need to do things in batches. Some great powershell users on here may have scripts they can provide or push you in the right direction

Best, Chris
Highlighted
Highlighted
That's a pretty nifty script you got there!
Highlighted
Sure is!
Highlighted

If you need to keep the user data, simply use Inactive mailboxes: https://docs.microsoft.com/en-us/office365/securitycompliance/create-and-manage-inactive-mailboxes

 

Shared mailboxes have a dependency on the on-premises user object, meaning you cannot delete/move it out of the sync scope. Then again, they are easier to deal with compared to Inactive mailboxes when it comes to accessing content. Anyway, it's just another option to consider :)

Highlighted
Best Response confirmed by Grace Yin (Frequent Contributor)
Solution

Here's what we do:

- As the user exits, the AD account gets disabled

- A daily scheduled script which:

1. Pulls user accounts that were disabled in the last 24 hours

2. Connects to O365

3. Enables 'x' days litigation hold on the identified mailboxes
4. Waits 60 mins (for the LitHold to take effect)

5. Prefixes the Alias (from on-premise) with "CAS_}"

 

In the next sync interval, these accounts will become inactive mailboxes and will remain in the O365 system for 'x' days per the litigation hold interval. The licenses get automatically freed up as the accounts become inactive.

 

May not be the best approach as every organization would have their own needs, this approach works for us (open to suggestions/improvements).