0 votes

As part of offboarding a user I need to generate a report of all AD groups, Entra groups and all Azure / M365 roles and licenses the user has before they get stripped away.

We are working towards full onboarding via Adaxes, which would be easier to configure if we knew what rights / groups / roles were held by the leavers who performed this job previously.

Ideally this could be reusable directly in the onboarding element etc., as an import type of thing. Currently it's about keeping a record of the leaver's configured profile to simplify cloning them onto new starters.

by (20 points)
0

Hello,

For us to suggest a solution, please, provide a screenshot of your current offboarding process. You can post the screenshot here or send to us at support@adaxes.com.

Also, please, specify whether offboarded users are deleted with time.

For your information, there is no functionality in Adaxes to manage Entra ID roles of a user. As such, the only option to obtain/preserve them is using a script. Unfortunately, we do not have anything like that in our repository.

Any additional details will be much appreciated.

0

Our current offboarding revolves around Adaxes scooping users who have not logged onto the domain in xx days into a disabled users OU and stripping them of their group memberships.

When that happens inadvertently it's a pain having to work out what they used to have.

1 Answer

0 votes
by (295k points)

Hello,

In this case, you can try preserving the required information in Adaxes custom attributes. For example, groups can go to adm-CustomAttributeObjectMultiValue1. This way, you can check the details and revert membership and other stuff whenever required. You will need complex PowerShell scripts for both parts. Unfortunately, we do not have anything like that in our repository, but our SDK should be helpful: https://adaxes.com/sdk. Also, script Preserving List of Group Memberships from the following article might be a good start: https://www.adaxes.com/script-repository/remove-all-group-memberships-for-a-user-account-s33.htm.

+1

Here's how we store group information for offboarded users from our hybrid environment. When executed on an on-prem user, it creates a JSON representation of all of the on-prem and Entra groups a user is a member of. We then store that JSON in the offboarding ticket. If we ever had to recreate it, it's as simple as calling ConvertFrom-Json on the data and iterating over each DN.

Edited to include the Entra dynamic group check from the script support linked; I didn't think about that when I wrote mine. Thanks!

$fullname = "%fullname%"

# get the guids of groups the user is a member of
try {
    $groupGuidsBytes = $Context.TargetObject.GetEx("adm-MemberOfGuid")
}
catch {
    $Context.LogMessage("Failed to retrieve group information for $fullname ", "Error")
    $Context.LogException($_.Exception)
    break
}

$entraGroups = @()
$onPremGroups = @()
$allGroups = @{}

foreach ($guidBytes in $groupGuidsBytes) {    
    try {
        $guid = [guid]$guidBytes
        $group = $Context.BindToObject("Adaxes://<GUID=$guid>")           
        $groupDn = $group.Get("distinguishedName")

        if ($groupDn -like "*DC=onmicrosoft,DC=com") {
            try {
                # the $group.Get() method will throw an exception if the property isn't found
                $group.Get("adm-AzureDynamicMembership")
                $Context.LogMessage("Skipping Entra dynamic group $groupDn", "Information")
            }
            catch {
                # if we're here, it means that it's not a dynamic group, so add it to the list
                $entraGroups += $groupDn 
            }
        }
        else {            
            $onPremGroups += $groupDn
        }        
    }
    catch {
        $Context.LogException($_.Exception)
    }                   
}

$allGroups = @{
    entra  = $entraGroups
    onprem = $onPremGroups
}

$groupJson = $allGroups | ConvertTo-Json -Compress

# output looks like this (didn't use the -Compress parameter here for readability). store the value of $groupJson wherever you'd like - we write it to our offboarding ticket

# {
#     "entra":  [
#                   "CN=group1\\0AUID:a76241feaeca41398697c968b805fb7e,OU=Groups,DC=contoso,DC=onmicrosoft,DC=com",
#                   "CN=group2\\0AUID:a76241feaeca41398697c968b805fb7e,OU=Groups,DC=contoso,DC=onmicrosoft,DC=com"
#               ],
#     "onprem":  [
#                    "CN=Domain Users,CN=Users,DC=contoso,DC=com",
#                    "CN=Finance Users,CN=ContosoGroups,DC=contoso,DC=com"
#                ]
# }
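The restore half of that round trip, as an added example that is not from the original post or the Adaxes script repository: it takes the JSON the script above emits (here a constructed sample in $groupJson; in practice read it back from the ticket or from a custom attribute such as adm-CustomAttributeTextMultiValue1) and adds the target user, for example a new starter being cloned, to each saved group, skipping DNs that no longer resolve and Entra dynamic groups. It assumes an Adaxes business rule or custom command context ($Context) and that $Context.BindToObjectByDN and the group object's Add() method behave as described in the Adaxes SDK.

```powershell
# Constructed sample of the JSON the offboarding script produces; replace with the stored value.
# The last on-prem DN is deliberately one that does not exist, to exercise the skip path.
$groupJson = '{"entra":["CN=group1\\0AUID:a76241feaeca41398697c968b805fb7e,OU=Groups,DC=contoso,DC=onmicrosoft,DC=com"],"onprem":["CN=Finance Users,CN=ContosoGroups,DC=contoso,DC=com","CN=Does Not Exist,OU=Groups,DC=contoso,DC=com"]}'

$user = $Context.TargetObject
$userDisplay = "%fullname%"          # Adaxes value reference, resolved at run time
$saved = $groupJson | ConvertFrom-Json

# One ordered list so the log records which side (on-prem or Entra) each DN came from
$candidates = @()
foreach ($dn in @($saved.onprem)) { $candidates += @{ Source = "onprem"; Dn = $dn } }
foreach ($dn in @($saved.entra))  { $candidates += @{ Source = "entra";  Dn = $dn } }
$restored = @()
$skipped  = @()

foreach ($item in $candidates) {
    $dn = $item.Dn
    try {
        # Resolve the saved DN; this throws if the group was deleted or renamed since offboarding
        $group = $Context.BindToObjectByDN($dn)
    }
    catch {
        $Context.LogMessage("Skipping $($item.Source) group that no longer resolves: $dn", "Warning")
        $skipped += $dn
        continue
    }
    if ($item.Source -eq "entra") {
        # Membership of a dynamic Entra group is rule-driven, so adding a member is not meaningful;
        # as in the script above, Get() throws when the dynamic-membership property is absent
        $isDynamic = $true
        try { $null = $group.Get("adm-AzureDynamicMembership") } catch { $isDynamic = $false }
        if ($isDynamic) {
            $Context.LogMessage("Skipping Entra dynamic group $dn", "Information")
            $skipped += $dn
            continue
        }
    }
    try {
        $group.Add($user.AdsPath)
        $restored += $dn
        $Context.LogMessage("Restored membership in $dn for $userDisplay", "Information")
    }
    catch {
        $Context.LogMessage("Failed to add $userDisplay to $dn", "Error")
        $Context.LogException($_.Exception)
        $skipped += $dn
    }
}
$Context.LogMessage("Restored $($restored.Count) group(s), skipped $($skipped.Count) for $userDisplay", "Information")
```

The per-group log lines give a reviewable record of exactly which memberships were re-applied to the new user, which is worth keeping alongside the original JSON.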
