As part of offboarding users I need to keep a note of all AD/Entra groups, Azure / M365 roles and licenses

Question

As part of offboarding a user I need to generate a report of all AD groups, Entra groups and all Azure / M365 roles and licenses the user has before they get stripped away.

We arew working towards full onboarding via Adaxes which would be easier to configure if we knew what rights / groups / roles that were held by the leavers performing this job previously.

Ideally this could be reuseable directly into the onboarding element etc, as an import type of thing. Currently its about keeping a record of the leavers configured profile to simplify cloning them onto new starters.

Comments

Hello,

For us to suggest a solution, please, provide a screenshot of your current offboarding process. You can post the screenshot here or send to us at support@adaxes.com.

Also, please, specify whether offboarded users are deleted with time.

For your information, there is no functionality in Adaxes to manage Entra ID roles of a user. As such, the only option to obtain/preserve them is using a script. Unfortunately, we do not have anything like that in our repository.

Any additional details will be much appreciated.

---

Our current off boarding revolves around Adaxes scooping user that have not logged onto the domain in xx days into a disabled users OU and stripping them of their group memberships.

When that happens inadvertently its a pain having to work out what they used to have.

Answer 1

Hello,

In this case, you can try preserving the required information in Adaxes custom attributes. For example, groups can go to adm-CustomAttributeObjectMultiValue1. This way, you can check the details and revert membership and other stuff whenever required. You will need complex PowerShell scripts for both parts. Unfortunately, we do not have anything like that in our repository, but our SDK should be helpful: https://adaxes.com/sdk. Also, script Preserving List of Group Memberships from the following article might be a good start: https://www.adaxes.com/script-repository/remove-all-group-memberships-for-a-user-account-s33.htm.

Comments

Here's how we store group information for offboarded users from our hybrid environment. When executed on an on-prem user, it creates a JSON representation of all of the on-prem and Entra groups a user is a member of. We then store that JSON in the offboarding ticket. If we ever had to recreate it, it's as simple as calling ConvertFrom-Json on the data and iterating over each DN.

edited to include the Entra dynamic group check from the script support linked - I didn't think about that when I wrote mine. thanks!

$fullname = "%fullname%"

# get the guids of groups the user is a member of
try {
    $groupGuidsBytes = $Context.TargetObject.GetEx("adm-MemberOfGuid")
}
catch {
    $Context.LogMessage("Failed to retrieve group information for $fullname ", "Error")
    $Context.LogException($_.Exception)
    break
}

$entraGroups = @()
$onPremGroups = @()
$allGroups = @{}

foreach ($guidBytes in $groupGuidsBytes) {    
    try {
        $guid = [guid]$guidBytes
        $group = $Context.BindToObject("Adaxes://<GUID=$guid>")           
        $groupDn = $group.Get("distinguishedName")

        if ($groupDn -like "*DC=onmicrosoft,DC=com") {
            try {
                # the $group.Get() method will throw an exception if the property isn't found
                $group.Get("adm-AzureDynamicMembership")
                $Context.LogMessage("Skipping Entra dynamic group $groupDn", "Information")
            }
            catch {
                # if we're here, it means that it's not a dynamic group, so add it to the list
                $entraGroups += $groupDn 
            }
        }
        else {            
            $onPremGroups += $groupDn
        }        
    }
    catch {
        $Context.LogException($_.Exception)
    }                   
}

$allGroups = @{
    entra  = $entraGroups
    onprem = $onPremGroups
}

$groupJson = $allGroups | ConvertTo-Json -Compress

# output looks like this (didn't use the -Compress parameter here for readability). store the value of $groupJson wherever you'd like - we write it to our offboarding ticket

# {
#     "entra":  [
#                   "CN=group1\\0AUID:a76241feaeca41398697c968b805fb7e,OU=Groups,DC=contoso,DC=onmicrosoft,DC=com",
#                   "CN=group2\\0AUID:a76241feaeca41398697c968b805fb7e,OU=Groups,DC=contoso,DC=onmicrosoft,DC=com"
#               ],
#     "onprem":  [
#                    "CN=Domain Users,CN=Users,DC=contoso,DC=com",
#                    "CN=Finance Users,CN=ContosoGroups,DC=contoso,DC=com"
#                ]
# }