I have a question. Does anybody know what the exact off-boarding process would look like for an Azure AD user that is synchronized from an on-premises AD (Windows Server AD, see picture below)?
I know what it's like for a normal Azure AD user (I got the information from here: https://www.agileit.com/news/offboarding-office-365/), but I would need to know if there are any differences (for example: differences in completely deleting a user, differences in saving OneDrive content, etc.).
Here is the process of offboarding a normal Azure AD user (summarized in my own words):

Log the user out of all current sessions:
- Reset the user's password in the Microsoft 365 admin center (create or generate a new password)

Save the mailbox content, either by:
- Migrating the mailbox to another user
- Placing the mailbox on Litigation Hold (In-Place Hold, via the Exchange Admin Center)
- Converting it to a shared mailbox

If the offboarding employee has a company-owned mobile device, block and wipe the device:
- Wipe data and block it under Mobile devices (via the Exchange Admin Center)
If any of you guys know any differences, please help me out. Thank you!
Most of your points about an Azure AD user apply to a synced AD user as well. Some of the differences would be: after logging the user out of all current sessions, they wouldn't be logged off of on-prem sessions that are logged in via on-prem AD.
I believe the main difference comes in when/how you delete the user. If you disable the user on-prem, and it no longer syncs that user to AAD, that user will be deleted from AAD, along with all the ramifications of deleting the user in AAD (mailbox deleted, etc.). Basically, treat an on-prem AD unsync as a delete operation on Azure AD. That's the biggest difference.
One of the caveats with both AAD and AD deletion is: if you turn the mailbox into a shared mailbox, it still has to be anchored to a user. So if you delete the user that it's anchored to, the mailbox will be in an orphaned state. So be careful with that.
As for OneDrive, when the user is deleted from AAD, their "manager" will automatically get access to their OneDrive content for some period of time, usually 30 days, because the content is deleted.
Again, if you stop syncing a user to Azure AD from on-prem, Azure AD treats it as a delete operation.
All this to say, all the other steps in that article are Azure/O365 related, so follow all those steps, and for the last step (delete), don't delete it from Azure AD. Just unsync it or delete it from on-prem.
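The sequence discussed in this thread, written out as one PowerShell script. This is an added example, not code from either poster or from the linked article. It assumes (hypothetically) that the ActiveDirectory, ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the Azure AD Connect server is named CONNECT01, and that "OU=Disabled Users,DC=corp,DC=example" is an OU that is still inside the Azure AD Connect sync scope. The order follows the answer above: changes to a synced user are made on-prem first (a reset or disable done only in the Microsoft 365 admin center is overwritten by the next sync), the account is kept in sync scope so Azure AD never sees a delete, and the mailbox is either placed on hold or converted to shared while the user object it is anchored to stays in place.

```powershell
<#
Added example (not from either poster): offboarding an Azure AD user that is
synced from on-prem AD. Assumptions (hypothetical, adjust to your tenant):
  - ActiveDirectory, ExchangeOnlineManagement and Microsoft.Graph modules installed
  - Azure AD Connect server is CONNECT01
  - "OU=Disabled Users,DC=corp,DC=example" is still INSIDE the sync scope
Run with -WhatIf first; every change below is guarded by ShouldProcess.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$SamAccountName,      # e.g. jdoe            (constructed sample)
    [Parameter(Mandatory)][string]$UserPrincipalName,   # e.g. jdoe@corp.example (constructed sample)
    [string]$DisabledUsersOU = 'OU=Disabled Users,DC=corp,DC=example',  # assumption: in sync scope
    [string]$ConnectServer   = 'CONNECT01',                             # assumption
    [switch]$ConvertToSharedMailbox                     # alternative to litigation hold
)

Import-Module ActiveDirectory
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Users.Actions

# --- 1. On-prem first: the cloud object is mastered on-prem, so disable and reset there. ---
$user = Get-ADUser -Identity $SamAccountName -Properties DistinguishedName
if ($PSCmdlet.ShouldProcess($SamAccountName, 'Disable account and reset password on-prem')) {
    # Throw-away password from a CSPRNG; nobody needs to know it, so it is never displayed.
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 32
    $rng.GetBytes($bytes)
    $newPassword = ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPassword
    Disable-ADAccount -Identity $user
    # Keep the object INSIDE sync scope. Moving it out of scope (or deleting it) is
    # treated by Azure AD as a delete, which takes the mailbox with it.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledUsersOU
}

# --- 2. Push the disable to Azure AD now instead of waiting for the scheduled cycle. ---
if ($PSCmdlet.ShouldProcess($ConnectServer, 'Start Azure AD Connect delta sync')) {
    Invoke-Command -ComputerName $ConnectServer -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta }
}

# --- 3. Revoke cloud sessions; the on-prem disable does not end tokens already issued. ---
Connect-MgGraph -Scopes 'User.ReadWrite.All'
if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Revoke Azure AD sign-in sessions')) {
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
}

# --- 4. Preserve the mailbox without orphaning it. ---
Connect-ExchangeOnline -ShowBanner:$false
if ($ConvertToSharedMailbox) {
    # A shared mailbox stays anchored to this user object, which is why step 1
    # disabled and moved the account rather than deleting or unsyncing it.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Convert mailbox to shared')) {
        Set-Mailbox -Identity $UserPrincipalName -Type Shared
    }
} elseif ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Enable litigation hold')) {
    Set-Mailbox -Identity $UserPrincipalName -LitigationHoldEnabled $true
}

# --- 5. Block and wipe mobile devices (account-only wipe removes the company
#        account from the device instead of factory-resetting a personal phone). ---
if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Block ActiveSync')) {
    Set-CASMailbox -Identity $UserPrincipalName -ActiveSyncEnabled $false
}
Get-MobileDevice -Mailbox $UserPrincipalName | ForEach-Object {
    if ($PSCmdlet.ShouldProcess($_.DeviceId, 'Account-only remote wipe')) {
        Clear-MobileDevice -Identity $_.Identity -AccountOnly -Confirm:$false
    }
}
```

Usage: `.\Offboard-SyncedUser.ps1 -SamAccountName jdoe -UserPrincipalName jdoe@corp.example -WhatIf` lists every action without performing it; drop `-WhatIf` to run it. Two checks worth doing afterwards: confirm with `Get-ADUser` that the object still sits in an OU that Azure AD Connect exports (the answer's point that unsync equals delete), and, if the tenant is an Exchange hybrid, confirm after the next sync that the mailbox type has not reverted, since in hybrid the mailbox type is also mastered on-prem (`Set-RemoteMailbox -Type Shared`). Litigation hold requires an Exchange Online licence that includes it; `Get-Mailbox -Identity <upn> | Select-Object LitigationHoldEnabled` shows whether the hold actually took.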