02-24-2017 12:37 PM
02-24-2017 12:48 PM
I have network admins that handle deactivations. I don't care to give them that kind of access, and I don't want to have to look these up for them. I was hoping I could code something for them.
It's unfortunate that this info isn't provided on one screen and isn't searchable.
Since I have your attention, Angus, I'm trying to test and prove that now that we are using Office 365 identity management, once we disable the AD account, former employees can no longer access Yammer. My assumption is that all sessions would terminate at that point. However, so far in our testing, it appears they can still access the network via the mobile app. Any thoughts or suggestions on this?
03-06-2017 08:41 AM
03-06-2017 09:48 AM
With the parameters you described, Diane, I would recommend something like what Victor is laying out. You could craft a PowerShell script to run the export API, dump the results to a result set or flat file, and then do your logic based on that result set. After it runs you can have something emailed to the folks who have to process it, update a SharePoint list, whatever.
I've seen what you're talking about, how when an account is disabled its token can still be active for a little while. I've found that blocking those accounts kills the active token. Also, through the UI you can force a session to end, though I'm sure you don't want to do that manually. I'm guessing that there are undocumented APIs you can use to force all the sessions to end, which you can add to your script.
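The comparison step suggested in the reply above, as an added example that is not code from anyone in this thread: it matches the users from a Yammer export against disabled AD accounts and writes the ones still active in Yammer to a flat file. The sample data is constructed, and the export column names (`id`, `email`, `state`) and the function name `Get-YammerLeftover` are assumptions for this example.

```powershell
# Constructed sample standing in for the users CSV from a Yammer data export.
# Column names (id, email, state) are assumptions for this example.
$yammerCsv = @'
id,name,email,state
1001,Pat Example,pat@example.com,active
1002,Sam Example,sam@example.com,active
1003,Lee Example,lee@example.com,suspended
'@

# Constructed sample standing in for disabled AD accounts, e.g. the output of
#   Get-ADUser -Filter 'Enabled -eq $false' -Properties mail
$disabledAdCsv = @'
SamAccountName,mail,Enabled
sam,Sam@Example.com,False
lee,lee@example.com,False
'@

function Get-YammerLeftover {
    param(
        [Parameter(Mandatory)] [object[]] $YammerUsers,
        [Parameter(Mandatory)] [object[]] $DisabledAdUsers
    )
    # Index disabled accounts by lower-cased mail address; skip accounts without one.
    $disabled = @{}
    foreach ($u in $DisabledAdUsers) {
        if ($u.mail) { $disabled[$u.mail.Trim().ToLowerInvariant()] = $u.SamAccountName }
    }
    # Report Yammer users that are still active but whose AD account is disabled.
    foreach ($y in $YammerUsers) {
        if (-not $y.email) { continue }
        $key = $y.email.Trim().ToLowerInvariant()
        if ($disabled.ContainsKey($key) -and $y.state -eq 'active') {
            [pscustomobject]@{
                YammerId  = $y.id
                Email     = $y.email
                AdAccount = $disabled[$key]
            }
        }
    }
}

$leftovers = Get-YammerLeftover -YammerUsers ($yammerCsv | ConvertFrom-Csv) `
                                -DisabledAdUsers ($disabledAdCsv | ConvertFrom-Csv)
# Flat file for the admins who process deactivations.
$leftovers | Export-Csv -Path .\yammer-to-deactivate.csv -NoTypeInformation
$leftovers | Format-Table -AutoSize
```

With the constructed data, only the `sam@example.com` row is reported: the address match is case-insensitive, and the already suspended account is skipped.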
03-06-2017 10:35 AM
03-06-2017 10:56 AM
03-06-2017 11:32 AM
03-06-2017 12:31 PM
In your testing, see if there's a timeout. It SHOULD invalidate the authentication token after a little while, especially if you're using O365 Identity Enforced.