User deprovisioning

Question

Hi, we want to automate our user termination process. There are some requirements that have been outlined. Could you please let us know if how can we achieve the following outcome.

When User is Terminated:
o Account is to be remained in a Disabled State for 4 weeks
 Managers or (specified delegate(s)) will be provided access to disabled user Mailbox & One Drive Accounts.
 These same managers and delegates need to be emailed notifying them that they have 4 weeks to access mailboxes and One Drive and copy anything they want into their own mailbox or one drives.
 Another email reminder to be sent to the delegate / manager when they have 1 week left to access.
 Final email reminder to be sent to the delegate / manager when they have 1 day left to access.
o On the 4th week of account being disabled:
 AD Account is deleted

Comments

Hello,

When User is Terminated:

What exactly do you mean by "terminated"? Should the workflow start just when a user gets disabled or there are other conditions? Maybe the user also gets moved to a specific OU?

Managers or (specified delegate(s)) will be provided access to disabled user Mailbox & One Drive Accounts.

How can the managers and delegates be obtained for a user? Are they stored in a specific property of each user account or you need to specify them when starting the termination process?

---

Hi, yes we want the workflow to start when the user gets disabled and "managers or delegates" will be obtained from the Manager's filed in the account properties.

Thanks
Shuja

---

Hello Shuja,

yes we want the workflow to start when the user gets disabled

Thank you for clarifying.

"managers or delegates" will be obtained from the Manager's filed in the account properties.

The Manager property is single-value. Do you need to have a possibility to add more recipients when the termination process starts?

---

Hi, Thank you for your reply. If there is a possibility for multiple recipients that will be great as it will give us more flexibility.

Thank you,
Shuja

Answer 1

Hello Shuja,

Thank you for the provided details. The solution will include an Action, a Business Rule triggering After Updating a User and a Scheduled Task. The action will be used to disable a user, specify additional recipients and set the date when the user will be deleted. For the recipients you will need to use the See Also property. The date for user deletion will be stored in an Adaxes custom date attribute (e.g. CustomAttributeDate1). The action form will contain only the See Also property, disabling and setting the deletion date will be done automatically. The Business Rule will trigger after the action is executed and notify the recipients that the account is disabled and they were granted full access to their mailbox and OneDrive. The Scheduled Task will notify the recipients 1 week, then 1 day before deleting the user and finally delete the user on the date specified in CustomAttributeDate1.

i. Creating the Action

1. Open Adaxes Web Interface Configurator.
2. In the top left corner, select the Web Interface you need.
   
3. In the Actions section, click Add.
   
4. Select Modify User and click Next three times.
   
5. Select Use customized form and click Customize form.
   
6. Remove all the sections except for one (e.g. General).
7. Remove all the properties from the Fields section and click Add below.
   
8. Select See Also and click OK.
9. Select only Users and click OK.
   
10. Click Add below the Predefined Fields section.
    
11. In the Property field, select Account Options.
12. In the Value field, select Account is disabled and click OK.
    
13. Click Add below the Predefined Fields section again.
14. In the Property field, select CustomAttributeDate1.
15. In the Value field, click the … button.
    
16. Activate the Template tab and enter %datetime,+28d% into the Template field.
    
17. Click OK twice.
18. Click Finish.

For information on how to specify custom display names for properties, see https://www.adaxes.com/help/?HowDoI.Man ... Names.html.

ii. Creating the Business Rule

1. Launch Adaxes Administration Console.

2. In the Console Tree, right-click your service node.

3. In the context menu, navigate to New and click Business Rule.
   

4. On step 2 of the Create Business Rule wizard, select User Object type.

5. Select After Updating a User and click Next.
   

6. Click Add an action.

7. Select Run a program or PowerShell script.

8. Paste the below script into the Script field.
   In the script:

   • $attributeName - Specifies the LDAP name of the property used to store additional recipients (e.g. seeAlso);
   • $message - Specifies the message text;
   • $subject - Specifies the message subject;
   • $adminWebApplicationURL - Specifies the SharePoint URL.

    $attributeName = "seeAlso" # TODO: modify me
    $message = "My Message" # TODO: modify me
    $subject = "My Subject" # TODO: modify me
   
    $adminWebApplicationURL = "https://Company-admin.sharepoint.com" # TODO: modify me
   
    $userDNs = @()
    try
    {
        $managerDN = $Context.TargetObject.Get("manager")
        $userDNs += $managerDN
    }
    catch
    {
        $Context.LogMessage("The user %fullname% has no manager.", "Warning")
    }
   
    try
    {
        $values = $Context.TargetObject.GetEx($attributeName)
        $values | %%{$userDNs += $_}
    }
    catch
    {
        $Context.LogMessage("Aditional delegates are not specified.", "Warning")
    }
   
    if ($userDNs.Length -eq 0)
    {
        return
    }
   
    $adminClientContext = New-Object Microsoft.SharePoint.Client.ClientContext($adminWebApplicationURL)
    $office365Cred = $Context.GetOffice365Credential()
    $credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($office365Cred.Username, (ConvertTo-SecureString $office365Cred.GetNetworkCredential().Password -AsPlainText -Force))
    $adminClientContext.Credentials = $credentials
   
    # Get user
    $adminWeb = $adminClientContext.Web
    $user = $adminWeb.EnsureUser("%userPrincipalName%")
    $adminClientContext.Load($user)
    try
    {
        $adminClientContext.ExecuteQuery()
    }
    catch
    {
        Write-Error "An error occurred when searching for the user in SharePoint. Error: $($_.Exception.Message)"
        return
    }
   
    # Get user profile
    $peopleManager = New-Object Microsoft.SharePoint.Client.UserProfiles.PeopleManager($adminClientContext)
    $userProfile = $peopleManager.GetPropertiesFor($user.LoginName)
    $adminClientContext.Load($userProfile)
    $adminClientContext.ExecuteQuery()
   
    Connect-SPOService -Url $adminWebApplicationURL -Credential $office365Cred
   
    # Add permissions
    foreach ($dn in $userDNs)
    {
        $user = $Context.BindToObjectByDN($dn)
        $userName = $user.Get("userPrincipalName")
        $address = $user.Get("mail")
   
        try
        {
            Set-SPOUser -Site $userProfile.PersonalUrl -LoginName $userName -IsSiteCollectionAdmin $True -ErrorAction Stop
            $Context.SendMail($address, $subject, $message, $NULL)
        }
        catch
        {
            $Context.LogMessage("An error occured when adding permission for $userName. Error: " + $_.Excpetion.Message, "Warning")
        }
    }

9. Enter a short description and click OK.
   

10. Right-click the action you created and click Add Condition in the context menu.
    

11. Select If <property> changed.

12. Select If See Also has changed and click OK.
    

13. Repeat steps 10 and 12 for CustomAttributeDate1 and Account Options.

14. Right-click the action you created and click Add Condition in the context menu again.

15. Select If <property><relation><value>.

16. Select If CustomAttributeDate1 is not empty and click OK.
    

17. Right-click the action you created and click Add Condition in the context menu again.

18. Select If account enabled / disabled / locked.

19. Select disabled and click OK.
    

20. Click Next and finish creating the Business Rule. You should have something like the following:
    

iii. Creating the Scheduled Task

1. Launch Adaxes Administration Console.

2. In the Console Tree, right-click your service node.

3. In the context menu, navigate to New and click Scheduled Task.
   

4. On step 3 of the Create Scheduled Task wizard, select User Object type and click Next.
   

5. Click Add an action.

6. Select Run a program or PowerShell script.

7. Paste the below script into the Script field.
   In the script:

   • $attributeName - Specifies the LDAP name of the property used to store additional recipients (e.g. seeAlso);
   • $message - Specifies the message text;
   • $subject - Specifies the message subject.

    $attributeName = "seeAlso" # TODO: modify me
    $message = "My Message" # TODO: modify me
    $subject = "My Subject" # TODO: modify me
   
    $userDNs = @()
    try
    {
        $managerDN = $Context.TargetObject.Get("manager")
        $userDNs += $managerDN
    }
    catch
    {
        $Context.LogMessage("Manager not specified.", "Warning")
    }
   
    try
    {
        $values = $Context.TargetObject.GetEx($attributeName)
        $values | %%{$userDNs += $_}
    }
    catch
    {
        $Context.LogMessage("Attribute $attributeName is empty.", "Warning")
    }
   
    if ($userDNs.Length -eq 0)
    {
        return
    }
   
    foreach ($dn in $userDNs)
    {
        $user = $Context.BindToObjectByDN($dn)
        $address = $user.Get("mail")
   
        $Context.SendMail($address, $subject, $message, $NULL)
    }

8. Enter a short description and click OK.

9. Double-click Always.

10. Select If <property><relation><value>.

11. Select If CustomAttributeDate1 less or equal and click Edit.
    

12. Select plus 8 days and click OK twice.
    

13. Right-click the condition you created and click Add New Condition in the context menu.

14. Select If <property><relation><value>.

15. Select If CustomAttributeDate1 greater or equal and click Edit.

16. Select plus 6 days and click OK twice.

17. Right-click the set of action and conditions you created and click Copy in the context menu.
    

18. Press Ctrl+V.

19. In the Else if block, double-click the If CustomAttributeDate1 less or equal condition.
    

20. Click Edit in the value field.

21. Select plus 1 day and click OK twice.

22. In the Else if block, double-click the If CustomAttributeDate1 greater or equal condition.

23. Click Edit in the value field.

24. Clear the plus checkbox and click OK twice.
    

25. Right-click the Else if block you created and click Copy in the context menu.
    

26. Press Ctrl+V.

27. In the new Else if block, double-click the If CustomAttributeDate1 less or equal condition.

28. Click Edit in the value field.

29. Clear the plus checkbox and click OK twice.

30. In the new Else if block, double-click the If CustomAttributeDate1 greater or equal condition.

31. Click Edit in the value field.

32. Select minus 1 day and click OK twice.

33. Double-click the Run script action in the new Else if block.

34. Select Delete the user and click OK.
    

35. Click Next and finish creating the Scheduled Task. You should have something like the following:
    

Comments

Hi Support,

Thank you for the clarifications. It is all working like a charm.

If I could ask you for one last favour on this one. Can we add a PS script just before the "Delete the User" action in the schedule task that can set the Auto mapping of the terminated user's mailbox to false for the "Manager" and the "SeeAlso" as that sometimes keeps showing up in outlook even when the user has been deleted.

Kind Regards,
Shuja

---

Hello Shuja,

The thing is that to disable auto mapping, you need to first revoke the full access permissions and then grant them again with auto mapping disabled. Also, there is no guarantee that this approach will solve the issue your users are facing. We recommend to revoke the full access permissions from the manager and additional delegates (specified in the See Also property) before deleting the user. If this solution meets your needs, we will provide you with the script.

---

Hi Support,

I think the suggestion below would meet our requirements. Could you please send us the script for revoking access for manager and delegates.

Kind Regards,
Shuja

---

Hello Shuja,

You need to use the below script:

$attributeName = "seeAlso" # TODO: modify me

function GetPropertyValue($property, $userDNs)
{
    try
    {
        $values = $Context.TargetObject.GetEx($property)
    }
    catch
    {
        return
    }

    foreach ($value in $values)
    {
        [void]$userDNs.Add($value)
    }
}

$userDNs = New-Object System.Collections.ArrayList
GetPropertyValue "manager" $userDNs
GetPropertyValue $attributeName $userDNs

if ($userDNs.Count -eq 0)
{
    return
}

# Revoke permissions
$mailboxParams = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxParameters"
foreach ($dn in $userDNs)
{
    # Mailbox permissions
    $objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
    $objReference.ObjectDN = $dn

    $permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"
    $permission.AllowedRights = "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS"
    $permission.Trustee = $objReference

    $permissionModification = 
        New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxRightsModification"
    $permissionModification.Operation = "ADS_PROPERTY_DELETE"
    $permissionModification.Permission = $permission

    $mailboxRights = $mailboxParams.MailboxRights

    $mailboxRights.AddModification($permissionModification)
    $mailboxParams.MailboxRights = $mailboxRights
}

# Update user mailbox
$Context.TargetObject.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")

Just add it to the Scheduled Task before the Delete User action.

---

Thank you very much. I will test and let you know if there are any issues.