User deprovisioning

Question

Hi, we want to automate our user termination process. There are some requirements that have been outlined. Could you please let us know if how can we achieve the following outcome.

When User is Terminated:
o Account is to be remained in a Disabled State for 4 weeks
 Managers or (specified delegate(s)) will be provided access to disabled user Mailbox & One Drive Accounts.
 These same managers and delegates need to be emailed notifying them that they have 4 weeks to access mailboxes and One Drive and copy anything they want into their own mailbox or one drives.
 Another email reminder to be sent to the delegate / manager when they have 1 week left to access.
 Final email reminder to be sent to the delegate / manager when they have 1 day left to access.
o On the 4th week of account being disabled:
 AD Account is deleted

Comments

Hello,

When User is Terminated:

What exactly do you mean by "terminated"? Should the workflow start just when a user gets disabled or there are other conditions? Maybe the user also gets moved to a specific OU?

Managers or (specified delegate(s)) will be provided access to disabled user Mailbox & One Drive Accounts.

How can the managers and delegates be obtained for a user? Are they stored in a specific property of each user account or you need to specify them when starting the termination process?

---

Hi, yes we want the workflow to start when the user gets disabled and "managers or delegates" will be obtained from the Manager's filed in the account properties.

Thanks
Shuja

---

Hello Shuja,

yes we want the workflow to start when the user gets disabled

Thank you for clarifying.

"managers or delegates" will be obtained from the Manager's filed in the account properties.

The Manager property is single-value. Do you need to have a possibility to add more recipients when the termination process starts?

---

Hi, Thank you for your reply. If there is a possibility for multiple recipients that will be great as it will give us more flexibility.

Thank you,
Shuja

Answer 1

Hello Shuja,

Thank you for the provided details. The solution will include an Action, a Business Rule triggering After Updating a User and a Scheduled Task. The action will be used to disable a user, specify additional recipients and set the date when the user will be deleted. For the recipients you will need to use the See Also property. The date for user deletion will be stored in an Adaxes custom date attribute (e.g. CustomAttributeDate1). The action form will contain only the See Also property, disabling and setting the deletion date will be done automatically. The Business Rule will trigger after the action is executed and notify the recipients that the account is disabled and they were granted full access to their mailbox and OneDrive. The Scheduled Task will notify the recipients 1 week, then 1 day before deleting the user and finally delete the user on the date specified in CustomAttributeDate1.

i. Creating the Action

1. Open Adaxes Web Interface Configurator.
2. In the top left corner, select the Web Interface you need.
   
3. In the Actions section, click Add.
   
4. Select Modify User and click Next three times.
   
5. Select Use customized form and click Customize form.
   
6. Remove all the sections except for one (e.g. General).
7. Remove all the properties from the Fields section and click Add below.
   
8. Select See Also and click OK.
9. Select only Users and click OK.
   
10. Click Add below the Predefined Fields section.
    
11. In the Property field, select Account Options.
12. In the Value field, select Account is disabled and click OK.
    
13. Click Add below the Predefined Fields section again.
14. In the Property field, select CustomAttributeDate1.
15. In the Value field, click the … button.
    
16. Activate the Template tab and enter %datetime,+28d% into the Template field.
    
17. Click OK twice.
18. Click Finish.

For information on how to specify custom display names for properties, see https://www.adaxes.com/help/?HowDoI.Man ... Names.html.

ii. Creating the Business Rule

1. Launch Adaxes Administration Console.

2. In the Console Tree, right-click your service node.

3. In the context menu, navigate to New and click Business Rule.
   

4. On step 2 of the Create Business Rule wizard, select User Object type.

5. Select After Updating a User and click Next.
   

6. Click Add an action.

7. Select Run a program or PowerShell script.

8. Paste the below script into the Script field.
   In the script:

   • $attributeName - Specifies the LDAP name of the property used to store additional recipients (e.g. seeAlso);
   • $message - Specifies the message text;
   • $subject - Specifies the message subject;
   • $adminWebApplicationURL - Specifies the SharePoint URL.

    $attributeName = "seeAlso" # TODO: modify me
    $message = "My Message" # TODO: modify me
    $subject = "My Subject" # TODO: modify me
   
    $adminWebApplicationURL = "https://Company-admin.sharepoint.com" # TODO: modify me
   
    $userDNs = @()
    try
    {
        $managerDN = $Context.TargetObject.Get("manager")
        $userDNs += $managerDN
    }
    catch
    {
        $Context.LogMessage("The user %fullname% has no manager.", "Warning")
    }
   
    try
    {
        $values = $Context.TargetObject.GetEx($attributeName)
        $values | %%{$userDNs += $_}
    }
    catch
    {
        $Context.LogMessage("Aditional delegates are not specified.", "Warning")
    }
   
    if ($userDNs.Length -eq 0)
    {
        return
    }
   
    $adminClientContext = New-Object Microsoft.SharePoint.Client.ClientContext($adminWebApplicationURL)
    $office365Cred = $Context.GetOffice365Credential()
    $credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($office365Cred.Username, (ConvertTo-SecureString $office365Cred.GetNetworkCredential().Password -AsPlainText -Force))
    $adminClientContext.Credentials = $credentials
   
    # Get user
    $adminWeb = $adminClientContext.Web
    $user = $adminWeb.EnsureUser("%userPrincipalName%")
    $adminClientContext.Load($user)
    try
    {
        $adminClientContext.ExecuteQuery()
    }
    catch
    {
        Write-Error "An error occurred when searching for the user in SharePoint. Error: $($_.Exception.Message)"
        return
    }
   
    # Get user profile
    $peopleManager = New-Object Microsoft.SharePoint.Client.UserProfiles.PeopleManager($adminClientContext)
    $userProfile = $peopleManager.GetPropertiesFor($user.LoginName)
    $adminClientContext.Load($userProfile)
    $adminClientContext.ExecuteQuery()
   
    Connect-SPOService -Url $adminWebApplicationURL -Credential $office365Cred
   
    # Add permissions
    foreach ($dn in $userDNs)
    {
        $user = $Context.BindToObjectByDN($dn)
        $userName = $user.Get("userPrincipalName")
        $address = $user.Get("mail")
   
        try
        {
            Set-SPOUser -Site $userProfile.PersonalUrl -LoginName $userName -IsSiteCollectionAdmin $True -ErrorAction Stop
            $Context.SendMail($address, $subject, $message, $NULL)
        }
        catch
        {
            $Context.LogMessage("An error occured when adding permission for $userName. Error: " + $_.Excpetion.Message, "Warning")
        }
    }

9. Enter a short description and click OK.
   

10. Right-click the action you created and click Add Condition in the context menu.
    

11. Select If <property> changed.

12. Select If See Also has changed and click OK.
    

13. Repeat steps 10 and 12 for CustomAttributeDate1 and Account Options.

14. Right-click the action you created and click Add Condition in the context menu again.

15. Select If <property><relation><value>.

16. Select If CustomAttributeDate1 is not empty and click OK.
    

17. Right-click the action you created and click Add Condition in the context menu again.

18. Select If account enabled / disabled / locked.

19. Select disabled and click OK.
    

20. Click Next and finish creating the Business Rule. You should have something like the following:
    

iii. Creating the Scheduled Task

1. Launch Adaxes Administration Console.

2. In the Console Tree, right-click your service node.

3. In the context menu, navigate to New and click Scheduled Task.
   

4. On step 3 of the Create Scheduled Task wizard, select User Object type and click Next.
   

5. Click Add an action.

6. Select Run a program or PowerShell script.

7. Paste the below script into the Script field.
   In the script:

   • $attributeName - Specifies the LDAP name of the property used to store additional recipients (e.g. seeAlso);
   • $message - Specifies the message text;
   • $subject - Specifies the message subject.

    $attributeName = "seeAlso" # TODO: modify me
    $message = "My Message" # TODO: modify me
    $subject = "My Subject" # TODO: modify me
   
    $userDNs = @()
    try
    {
        $managerDN = $Context.TargetObject.Get("manager")
        $userDNs += $managerDN
    }
    catch
    {
        $Context.LogMessage("Manager not specified.", "Warning")
    }
   
    try
    {
        $values = $Context.TargetObject.GetEx($attributeName)
        $values | %%{$userDNs += $_}
    }
    catch
    {
        $Context.LogMessage("Attribute $attributeName is empty.", "Warning")
    }
   
    if ($userDNs.Length -eq 0)
    {
        return
    }
   
    foreach ($dn in $userDNs)
    {
        $user = $Context.BindToObjectByDN($dn)
        $address = $user.Get("mail")
   
        $Context.SendMail($address, $subject, $message, $NULL)
    }

8. Enter a short description and click OK.

9. Double-click Always.

10. Select If <property><relation><value>.

11. Select If CustomAttributeDate1 less or equal and click Edit.
    

12. Select plus 8 days and click OK twice.
    

13. Right-click the condition you created and click Add New Condition in the context menu.

14. Select If <property><relation><value>.

15. Select If CustomAttributeDate1 greater or equal and click Edit.

16. Select plus 6 days and click OK twice.

17. Right-click the set of action and conditions you created and click Copy in the context menu.
    

18. Press Ctrl+V.

19. In the Else if block, double-click the If CustomAttributeDate1 less or equal condition.
    

20. Click Edit in the value field.

21. Select plus 1 day and click OK twice.

22. In the Else if block, double-click the If CustomAttributeDate1 greater or equal condition.

23. Click Edit in the value field.

24. Clear the plus checkbox and click OK twice.
    

25. Right-click the Else if block you created and click Copy in the context menu.
    

26. Press Ctrl+V.

27. In the new Else if block, double-click the If CustomAttributeDate1 less or equal condition.

28. Click Edit in the value field.

29. Clear the plus checkbox and click OK twice.

30. In the new Else if block, double-click the If CustomAttributeDate1 greater or equal condition.

31. Click Edit in the value field.

32. Select minus 1 day and click OK twice.

33. Double-click the Run script action in the new Else if block.

34. Select Delete the user and click OK.
    

35. Click Next and finish creating the Scheduled Task. You should have something like the following:
    

Comments

Hello, thank you very much for this post. I have created the business rule and the schedule task mentioned below.

I just need to understand how this will be executed. Will this be run at the time when a user is disabled. And also what will we need to enter int the "seeAlso" attribute.

Kind Regards,
Shuja Rahman

---

Hello Shuja,

When you execute the Action, you will need to specify additional delegates in the See Also property. Those users will be receiving the notifications along with the manager of the user. The Action will also disable the user, set the date for user deletion and trigger the Business Rule which will send notifications informing the manager and other delegates. The Scheduled Task in its turn will send notifications 7 days and 1 day before deleting the user. On the date specified in the custom date attribute, the Scheduled Task will delete the user.

---

Hi, I tried to disable the user via Adaxes and am getting the following error:

"Cannot find type [Microsoft.SharePoint.Client.ClientContext]: verify that the assembly containing this type is loaded. Stack trace: at <ScriptBlock>, <No file>: line 38"

There was also not email notification send to the Manager or the "See Also" users. Could you please point out if I am doing something wrong.

---

Hello Shuja,

You need to install SharePoint Online Management Shell on the computer where Adaxes Service is installed.

---

Hi Support,

Thank you for your prompt reply. I installed the SharePoint online Management Shell but am getting a similar error on a different line now.

Cannot find type [Microsoft.SharePoint.Client.UserProfiles.PeopleManager]: verify that the assembly containing this type is loaded. Stack trace: at <ScriptBlock>, <No file>: line 58

---

Hello Shuja,

Sorry for the confusion. You also need to install SharePoint Online Client Components SDK on the computer where Adaxes service is installed. After installation, restart Softerra Adaxes Service.

---

Hi Support,

Thanks heaps. The script seems to be running now and the email comes out as well but it is a blank email.

There was no notification for access to the mailbox or one-drive. I checked in exchange for the users in the delegates and that was also empty. Is there something that needs changing on my end.

Kind Regards,
Shuja

---

Hello Shuja,

The script seems to be running now and the email comes out as well but it is a blank email.

Did you specify the required text in the $message variable?

There was no notification for access to the mailbox or one-drive.

What exactly do you mean?

I checked in exchange for the users in the delegates and that was also empty.

How exactly did you trigger the Business Rule? Did you create an Action in the Web Interface following our instructions and then used it to specify delegates and disable a user?
Did you check the permissions for the user's manager?

---

Hi Support,

Sorry for being vague. I will try to explain as well as I can.

The message part is showing up in the email fine. I was expecting a link to the users one drive in that email as well.

As for the last part:
I have setup the Action and the Business Rule as directed by your post.

The once drive delegates are working fine:

But the mailbox delegates does not have any delegates:

Let me know if you require any further information and I am really great-full for all the support provided from Adaxes.

Kind Regards,
Shuja

---

Hello Shuja,

Find the updated scripts below.

Script for Business Rule

In the script:

• $urlAttributeName - Specifies the LDAP name of the property that will store the URL to user's OneDrive (e.g. adm-CustomAttributeText1);
• $messageTemplate - Specifies the notification template. In the template, {0} will be replaced with the URL to user's OneDrive.

$attributeName = "seeAlso" # TODO: modify me
$urlAttributeName = "adm-CustomAttributeText1" # TODO: modify me
$messageTemplate = "URL: {0}" # TODO: modify me
$subject = "My Subject" # TODO: modify me

[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client")
[System.Reflection.Assembly]::LoadWithPartialName("Microsoft.SharePoint.Client.UserProfiles")

$adminWebApplicationURL = "https://Company-admin.sharepoint.com" # TODO: modify me

$userDNs = @()
try
{
    $managerDN = $Context.TargetObject.Get("manager")
    $userDNs += $managerDN
}
catch
{
    $Context.LogMessage("The user %fullname% has no manager.", "Warning")
}

try
{
    $values = $Context.TargetObject.GetEx($attributeName)
    $values | %%{$userDNs += $_}
}
catch
{
    $Context.LogMessage("Additional delegates are not specified.", "Warning")
}

if ($userDNs.Length -eq 0)
{
    return
}

$adminClientContext = New-Object Microsoft.SharePoint.Client.ClientContext($adminWebApplicationURL)
$office365Cred = $Context.GetOffice365Credential()
$credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($office365Cred.Username, (ConvertTo-SecureString $office365Cred.GetNetworkCredential().Password -AsPlainText -Force))
$adminClientContext.Credentials = $credentials

# Get user
$adminWeb = $adminClientContext.Web
$user = $adminWeb.EnsureUser("%userPrincipalName%")
$adminClientContext.Load($user)
try
{
    $adminClientContext.ExecuteQuery()
}
catch
{
    Write-Error "An error occurred when searching for the user in SharePoint. Error: $($_.Exception.Message)"
    return
}

# Get user profile
$peopleManager = New-Object Microsoft.SharePoint.Client.UserProfiles.PeopleManager($adminClientContext)
$userProfile = $peopleManager.GetPropertiesFor($user.LoginName)
$adminClientContext.Load($userProfile)
$adminClientContext.ExecuteQuery()

# Add personal URL to mail message
$message = [System.String]::Format($messageTemplate, $userProfile.PersonalUrl)

# Save URL
$Context.TargetObject.Put($urlAttributeName, $userProfile.PersonalUrl)
$Context.TargetObject.SetInfoEx(@($urlAttributeName))

Connect-SPOService -Url $adminWebApplicationURL -Credential $office365Cred

# Add permissions
$mailboxParams = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxParameters"
foreach ($dn in $userDNs)
{
    $user = $Context.BindToObjectByDN($dn)
    $userName = $user.Get("userPrincipalName")
    try
    {
        $address = $user.Get("mail")
    }
    catch
    {
        $address = $NULL
    }

    # Mailbox permissions
    $objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
    $objReference.ObjectDN = $dn

    $permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"
    $permission.AllowedRights = "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS"
    $permission.Trustee = $objReference

    $permissionModification = 
        New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxRightsModification"
    $permissionModification.Operation = "ADS_PROPERTY_APPEND"
    $permissionModification.Permission = $permission

    $mailboxRights = $mailboxParams.MailboxRights

    $mailboxRights.AddModification($permissionModification)
    $mailboxParams.MailboxRights = $mailboxRights

    # OneDrive permissions
    try
    {
        Set-SPOUser -Site $userProfile.PersonalUrl -LoginName $userName -IsSiteCollectionAdmin $True -ErrorAction Stop
    }
    catch
    {
        $Context.LogMessage("An error occured when adding permission for $userName. Error: " + $_.Exception.Message, "Warning")
    }

    if ($address -ne $NULL)
    {
        $Context.SendMail($address, $subject, $message, $NULL)
    }
}

# Update user mailbox
$Context.TargetObject.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")

Script for Scheduled Task
To include the URL to user's OneDrive, use a value reference for the property that stores the URL (e.g. %adm-CustomAttributeText1%)

$attributeName = "seeAlso" # TODO: modify me
$message = "My Message URL: %adm-CustomAttributeText1%" # TODO: modify me
$subject = "My Subject" # TODO: modify me

$userDNs = @()
try
{
    $managerDN = $Context.TargetObject.Get("manager")
    $userDNs += $managerDN
}
catch
{
    $Context.LogMessage("Manager not specified.", "Warning")
}

try
{
    $values = $Context.TargetObject.GetEx($attributeName)
    $values | %%{$userDNs += $_}
}
catch
{
    $Context.LogMessage("Attribute $attributeName is empty.", "Warning")
}

if ($userDNs.Length -eq 0)
{
    return
}

foreach ($dn in $userDNs)
{
    $user = $Context.BindToObjectByDN($dn)
    $address = $user.Get("mail")

    $Context.SendMail($address, $subject, $message, $NULL)
}

---

Hi Support,

Thank you very much for all the help. These scripts are perfect and are working as intended.

Is there an easy way to test out the schedule task.

Kind Regards,
Shuja

---

Hello Shuja,

Sure, you can add only one test account to the Activity Scope of the Business Rule and Scheduled Task and then execute the Action for the user. To test the Scheduled Task conditions for different number of days, you can manually update the custom date attribute and then manually run the Scheduled Task using the Run Now button.

---

Hi Support,

Thank you for the clarifications. It is all working like a charm.

If I could ask you for one last favour on this one. Can we add a PS script just before the "Delete the User" action in the schedule task that can set the Auto mapping of the terminated user's mailbox to false for the "Manager" and the "SeeAlso" as that sometimes keeps showing up in outlook even when the user has been deleted.

Kind Regards,
Shuja

---

Hello Shuja,

The thing is that to disable auto mapping, you need to first revoke the full access permissions and then grant them again with auto mapping disabled. Also, there is no guarantee that this approach will solve the issue your users are facing. We recommend to revoke the full access permissions from the manager and additional delegates (specified in the See Also property) before deleting the user. If this solution meets your needs, we will provide you with the script.

---

Hi Support,

I think the suggestion below would meet our requirements. Could you please send us the script for revoking access for manager and delegates.

Kind Regards,
Shuja

---

Hello Shuja,

You need to use the below script:

$attributeName = "seeAlso" # TODO: modify me

function GetPropertyValue($property, $userDNs)
{
    try
    {
        $values = $Context.TargetObject.GetEx($property)
    }
    catch
    {
        return
    }

    foreach ($value in $values)
    {
        [void]$userDNs.Add($value)
    }
}

$userDNs = New-Object System.Collections.ArrayList
GetPropertyValue "manager" $userDNs
GetPropertyValue $attributeName $userDNs

if ($userDNs.Count -eq 0)
{
    return
}

# Revoke permissions
$mailboxParams = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxParameters"
foreach ($dn in $userDNs)
{
    # Mailbox permissions
    $objReference = New-Object "Softerra.Adaxes.Adsi.AdmObjectReference"
    $objReference.ObjectDN = $dn

    $permission = New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxPermission"
    $permission.AllowedRights = "ADM_EXCHANGE_MAILBOX_RIGHTS_FULL_ACCESS"
    $permission.Trustee = $objReference

    $permissionModification = 
        New-Object "Softerra.Adaxes.Adsi.Exchange.AdmExchangeMailboxRightsModification"
    $permissionModification.Operation = "ADS_PROPERTY_DELETE"
    $permissionModification.Permission = $permission

    $mailboxRights = $mailboxParams.MailboxRights

    $mailboxRights.AddModification($permissionModification)
    $mailboxParams.MailboxRights = $mailboxRights
}

# Update user mailbox
$Context.TargetObject.SetMailParameters($mailboxParams, "ADM_SET_EXCHANGE_PARAMS_FLAGS_NONE")

Just add it to the Scheduled Task before the Delete User action.

---

Thank you very much. I will test and let you know if there are any issues.