Removed users

%3CLINGO-SUB%20id%3D%22lingo-sub-48625%22%20slang%3D%22en-US%22%3ERemoved%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-48625%22%20slang%3D%22en-US%22%3E%3CP%3EDoes%20anyone%20know%20how%20to%20get%20a%20searchable%20list%20of%20recently%20deactivated%20users%20or%20view%20them%20all%20on%20one%20page%3F%20It's%20really%20a%20pain%20to%20verify%20if%20a%20user%20has%20been%20deactivated%20using%20the%20Yammer%20UI.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-48625%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EYammer%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-51981%22%20slang%3D%22en-US%22%3ERe%3A%20Removed%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-51981%22%20slang%3D%22en-US%22%3EWe're%20going%20to%20check%20that%20out%20tomorrow.%20I'm%20hoping%20it's%2030%20minutes%20or%20less.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-50636%22%20slang%3D%22en-US%22%3ERe%3A%20Removed%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-50636%22%20slang%3D%22en-US%22%3E%3CP%3EIn%20your%20testing%2C%20see%20if%20there's%20a%20timeout.%20%26nbsp%3BIt%20SHOULD%20invalidate%20the%20authentication%20token%20after%20a%20little%20while%2C%20especially%20if%20you're%20using%20O365%20Identity%20Enforced.%20%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-50612%22%20slang%3D%22en-US%22%3ERe%3A%20Removed%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-50612%22%20slang%3D%22en-US%22%3EI'm%20looking%20at%20the%20article%20now.%20Thanks%20for%20sharing.%3CBR%20%2F%3E%3CBR%20%2F%3EIn%20our%20testing%20thus%20far%2C%20the%20user%20is%20able%20to%20continue%20accessing%20Yammer%20after%20AD%20is%20disabled%20so%20long%20as%20they%20don't%20close%20their%20browser%20or%20mobile%20app.%20We're%20still%20testing%20on%20this%2C%20however.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-50596%22%20slang%3D%22en-US%22%3ERe%3A%20Removed%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-50596%22%20slang%3D%22en-US%22%3EFor%20clarification%2C%20the%20users%20who%20are%20being%20deactivated%20in%20AD%20are%20showing%20up%20as%20suspended%20in%20Yammer%2C%20but%20still%20have%20access%3F%20Or%20is%20their%20deactivation%20in%20AD%20not%20triggering%20anything.%3CBR%20%2F%3E%3CBR%20%2F%3EI'm%20trying%20to%20gain%20insight.%20Have%20you%20read%20this%20article%3F%20%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2Faskyammer%2F2016%2F11%2F01%2Fwhen-does-a-user-getting-logged-out-of-yammer%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fblogs.technet.microsoft.com%2Faskyammer%2F2016%2F11%2F01%2Fwhen-does-a-user-getting-logged-out-of-yammer%2F%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-50591%22%20slang%3D%22en-US%22%3ERe%3A%20Removed%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-50591%22%20slang%3D%22en-US%22%3EYes%2C%20we%20can%20do%20this%20through%20the%20UI%2C%20but%20I'm%20trying%20to%20eliminate%20that%20extra%20step.%20We%20are%20in%20a%20%22reinvention%22%20at%20the%20moment%20with%20hundreds%20of%20people%20being%20laid%20off.%20I'm%20trying%20to%20automate%20and%20simplify%20as%20much%20as%20possible.%3CBR%20%2F%3E%3CBR%20%2F%3EIt%20seems%20like%20it%20*should*%20be%20pretty%20straightforward%20that%20when%20the%20user's%20AD%20account%20is%20disabled%20their%20Yammer%20account%20is%20disabled%20and%20all%20their%20sessions%20are%20terminated.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-50574%22%20slang%3D%22en-US%22%3ERe%3A%20Removed%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-50574%22%20slang%3D%22en-US%22%3E%3CP%3EWith%20the%20parameters%20you%20described%2C%20Diane%2C%20I%20would%20recommend%20something%20like%20what%20Victor%20is%20laying%20out.%20%26nbsp%3BYou%20could%20craft%20a%20PowerShell%20script%20to%20run%20the%20export%20API%2C%20dump%20the%20results%20to%20a%20result%20set%20or%20flat%20file%2C%20and%20then%20do%20your%20logic%20based%20on%20that%20result%20set.%20%26nbsp%3BAfter%20it%20runs%20you%20can%20have%20something%20emailed%20to%20the%20folks%20who%20have%20to%20process%20it%2C%20update%20a%20SharePoint%20list%2C%20whatever.%20%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI've%20seen%20what%20you're%20talking%20about%2C%20how%20when%20an%20account%20is%20disabled%20its%20token%20can%20still%20be%20active%20for%20a%20little%20while.%20%26nbsp%3BI've%20found%20that%20blocking%20those%20accounts%20kills%20the%20active%20token.%20%26nbsp%3BAlso%2C%20through%20the%20UI%20you%20can%20force%20a%20session%20to%20end%2C%20though%20I'm%20sure%20you%20don't%20want%20to%20do%20that%20manually.%20%26nbsp%3BI'm%20guessing%20that%20there%20are%20undocumented%20APIs%20you%20can%20use%20to%20force%20all%20the%20sessions%20to%20end%2C%20which%20you%20can%20add%20to%20your%20script.%20%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-50546%22%20slang%3D%22en-US%22%3ERe%3A%20Removed%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-50546%22%20slang%3D%22en-US%22%3EYou%20can't%20trigger%20an%20export%20yourself%20via%20powershell%2FAPI%20and%20also%20send%20the%20email%20with%20the%20attached%20file%20via%20the%20shell%20as%20well%3F%20Is%20there%20any%20concern%20about%20sending%20the%20users%20file%3F%3CBR%20%2F%3E%3CBR%20%2F%3EIn%20excel%2C%20or%20specifically%20PowerQuery%20in%20excel%2C%20you%20can%20set%20the%20deactivated%20date%20or%20suspended%20date%20to%20be%20within%20X%20amount%20of%20days...%20or%20just%20simply%20sort%20by%20date%20at%20that%20point.%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20could%20also%20just%20run%20the%20export%20api%20and%20export%20it%20to%20a%20shared%20drive%20and%20have%20it%20refresh%20daily.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-48634%22%20slang%3D%22en-US%22%3ERe%3A%20Removed%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-48634%22%20slang%3D%22en-US%22%3EOnly%20verified%20admins%20can%20get%20the%20export%20though%2C%20right%3F%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-48633%22%20slang%3D%22en-US%22%3ERe%3A%20Removed%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-48633%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20network%20admins%20that%20handle%20deactivations.%20I%20don't%20care%20to%20give%20them%20that%20kind%20of%20access%2C%20and%20I%20don't%20want%20to%20have%20to%20look%20these%20up%20for%20them.%20I%20was%20hoping%20I%20could%20code%20something%20for%20them.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt's%20unfortunate%20that%20this%20info%20isn't%20provided%20on%20one%20screen%20and%20isn't%20searchable.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESince%20I%20have%20your%20attention%2C%20Angus%2C%20I'm%20trying%20to%20test%20and%20prove%20that%20now%20that%20we%20are%20using%20Office%20365%20identity%20management%2C%20once%20we%20disable%20the%20AD%20account%2C%20former%20employees%20can%20no%20longer%20access%20Yammer.%20My%20assumption%20is%20that%20all%20sessions%20would%20terminate%20at%20that%20point.%20However%2C%20so%20far%20in%20our%20testing%2C%20it%20appears%20they%20can%20still%20access%20the%20network%20via%20the%20mobile%20app.%20Any%20thoughts%20or%20suggestions%20on%20this%3F%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-48629%22%20slang%3D%22en-US%22%3ERe%3A%20Removed%20users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-48629%22%20slang%3D%22en-US%22%3EIf%20you're%20network%20admin%20the%20data%20export%20can%20show%20you%20that%20information.%3C%2FLINGO-BODY%3E
Contributor

Does anyone know how to get a searchable list of recently deactivated users or view them all on one page? It's really a pain to verify if a user has been deactivated using the Yammer UI.

10 Replies
If you're network admin the data export can show you that information.

I have network admins that handle deactivations. I don't care to give them that kind of access, and I don't want to have to look these up for them. I was hoping I could code something for them. 

 

It's unfortunate that this info isn't provided on one screen and isn't searchable. 

 

Since I have your attention, Angus, I'm trying to test and prove that now that we are using Office 365 identity management, once we disable the AD account, former employees can no longer access Yammer. My assumption is that all sessions would terminate at that point. However, so far in our testing, it appears they can still access the network via the mobile app. Any thoughts or suggestions on this? 

Only verified admins can get the export though, right?
You can't trigger an export yourself via powershell/API and also send the email with the attached file via the shell as well? Is there any concern about sending the users file?

In excel, or specifically PowerQuery in excel, you can set the deactivated date or suspended date to be within X amount of days... or just simply sort by date at that point.

You could also just run the export api and export it to a shared drive and have it refresh daily.

With the parameters you described, Diane, I would recommend something like what Victor is laying out.  You could craft a PowerShell script to run the export API, dump the results to a result set or flat file, and then do your logic based on that result set.  After it runs you can have something emailed to the folks who have to process it, update a SharePoint list, whatever.  

 

I've seen what you're talking about, how when an account is disabled its token can still be active for a little while.  I've found that blocking those accounts kills the active token.  Also, through the UI you can force a session to end, though I'm sure you don't want to do that manually.  I'm guessing that there are undocumented APIs you can use to force all the sessions to end, which you can add to your script.  

Yes, we can do this through the UI, but I'm trying to eliminate that extra step. We are in a "reinvention" at the moment with hundreds of people being laid off. I'm trying to automate and simplify as much as possible.

It seems like it *should* be pretty straightforward that when the user's AD account is disabled their Yammer account is disabled and all their sessions are terminated.
For clarification, the users who are being deactivated in AD are showing up as suspended in Yammer, but still have access? Or is their deactivation in AD not triggering anything.

I'm trying to gain insight. Have you read this article? https://blogs.technet.microsoft.com/askyammer/2016/11/01/when-does-a-user-getting-logged-out-of-yamm...
I'm looking at the article now. Thanks for sharing.

In our testing thus far, the user is able to continue accessing Yammer after AD is disabled so long as they don't close their browser or mobile app. We're still testing on this, however.

In your testing, see if there's a timeout.  It SHOULD invalidate the authentication token after a little while, especially if you're using O365 Identity Enforced.  

We're going to check that out tomorrow. I'm hoping it's 30 minutes or less.