Configure user deprovisioning

When an employee leaves, many steps must be taken to ensure the user is properly deprovisioned. Depending on your policies, it might be necessary to disable the user account, remove it from security groups, hide it from Exchange address lists, revoke Microsoft 365 licenses, block access to Microsoft 365 services, etc.

With the help of custom commands you can streamline the whole process to a single step. Adaxes provides a built-in custom command, Deprovision, that is pre-configured to perform a set of typical deprovisioning operations. In this tutorial, you will learn how to customize the command to meet the needs of your specific environment.

  1. Launch Adaxes Administration console.

     How
    • On the computer where Adaxes Administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. Expand Adaxes service \ Configuration \ Custom Commands \ Builtin and select Deprovision.

  3. On the right, delete the actions you don't need. Review and change the default settings of other actions.

    Actions are grouped into action sets, which are executed sequentially. To change the order, use the buttons. To move the whole set, make sure no actions and conditions are selected.

  4. To add an action, right-click a set of actions, and then click Add Action in the context menu.

    Example 1 – Move the user to a specific organizational unit

     Step by step
    • Select the Move the user action.

    • In the Action Parameters section, specify the destination organizational unit and click OK.

    Example 2 – Move the user to the organizational unit named Deprovisioned, located in the user's domain

     Step by step
    • Select the Move the user action.

    • In the Action Parameters section, click the button.

    • Activate the Template tab.

    • Enter OU=Deprovisioned,%adm-DomainDN% in the Template field.

      Value reference %adm-DomainDN% will be replaced with the distinguished name (DN) of the user's domain. For example, when deprovisioning a user from the example.com domain, the user's account will be moved to OU=Deprovisioned,DC=example,DC=com.

      To move the user to an organizational unit located directly under the organizational unit that currently contains the user, use value reference %adm-ParentDN%.

      To insert a value reference, click the button.

    • Click OK.

    Example 3 – Remove the user from all groups

     Step by step
    • Select the Run a program or PowerShell script action.

    • Click the Edit button to open the script editor.

    • Enter the following script:

      # Get all groups user is a direct member of.
      $groupGuids = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")
      
      # Get the primary group ID.
      $primaryGroupId = $NULL
      if ($Context.TargetObject.DirectoryType -eq 1)
      {
          $primaryGroupId = $Context.TargetObject.Get("primaryGroupID")
      }
      
      foreach ($groupGuidBytes in $groupGuids)
      {
          # Bind to the group.
          $groupGuid = New-Object "System.Guid" (,$groupGuidBytes)
          $groupGuid = $groupGuid.ToString("B")
          $groupPath = "Adaxes://<GUID=$groupGuid>"
          $group = $Context.BindToObject($groupPath)
          
          # Skip Entra ID dynamic groups.
          try
          {
              $dynamicMembership = $group.Get("adm-AzureDynamicMembership")
          }
          catch
          {
              $dynamicMembership = $False
          }
          if ($dynamicMembership -eq $True)
          {
              continue
          }    
          
          # Skip primary group.
          if ($group.DirectoryType -eq 1 -and $group.Get("primaryGroupToken") -eq $primaryGroupId)
          {
              continue
          }
      
          # Remove user from the group.
          $group.Remove($Context.TargetObject.AdsPath)
      }
      For information on how to create scripts for custom commands, see Server-side scripting.

    • When done, click OK two times.
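    The script above removes the memberships but leaves no record of what was changed, and a single group that fails to bind (for example, a group that was deleted but is still referenced) aborts the whole action and leaves the user partially deprovisioned. The following variant is an added example, not the built-in Deprovision script or Adaxes documentation code: it performs the same removal, writes each change to the operation log so the deprovisioning is auditable, and keeps going after a failure while reporting the groups that still need manual review. It relies on the same $Context.TargetObject, GetEx, BindToObject and Get calls shown above, and additionally assumes that $Context.LogMessage(<text>, <severity>) is available to the script.

```powershell
# Added example: remove the user from all direct groups with logging and
# failure reporting. Assumes the Adaxes scripting API used in the tutorial
# script plus $Context.LogMessage(<text>, <severity>) (assumed available).

$user = $Context.TargetObject
$userName = $user.Get("sAMAccountName")

# A user with no direct memberships has no value to read; treat that as an empty list.
try
{
    $groupGuids = $user.GetEx("adm-DirectMemberOfGuid")
}
catch
{
    $groupGuids = @()
}

# The primary group cannot be removed through the member list; identify it once (AD only).
$primaryGroupId = $NULL
if ($user.DirectoryType -eq 1)
{
    $primaryGroupId = $user.Get("primaryGroupID")
}

$removed = New-Object System.Collections.Generic.List[string]
$failed  = New-Object System.Collections.Generic.List[string]

foreach ($groupGuidBytes in $groupGuids)
{
    $groupGuid = (New-Object "System.Guid" (,$groupGuidBytes)).ToString("B")
    $groupPath = "Adaxes://<GUID=$groupGuid>"

    try
    {
        $group = $Context.BindToObject($groupPath)
        $groupName = $group.Get("name")

        # Entra ID dynamic groups manage their own membership; leave them alone.
        $isDynamic = $False
        try { $isDynamic = $group.Get("adm-AzureDynamicMembership") } catch { }
        if ($isDynamic -eq $True) { continue }

        # Skip the primary group.
        if ($group.DirectoryType -eq 1 -and $group.Get("primaryGroupToken") -eq $primaryGroupId)
        {
            continue
        }

        $group.Remove($user.AdsPath)
        $removed.Add($groupName)
        $Context.LogMessage("Removed $userName from group '$groupName'.", "Information")
    }
    catch
    {
        # Do not abort the command: finish the remaining groups and report the gap.
        $failed.Add($groupPath)
        $Context.LogMessage("Could not remove $userName from $groupPath : $($_.Exception.Message)", "Warning")
    }
}

$Context.LogMessage("Group cleanup for $userName finished: $($removed.Count) removed, $($failed.Count) failed.", "Information")
if ($failed.Count -gt 0)
{
    # Surface the incomplete state to the operator instead of reporting success.
    $Context.LogMessage("Review the following groups manually: $($failed -join ', ')", "Warning")
}
```

    Because the failures are logged as warnings rather than raised as errors, the remaining actions of the Deprovision command (disabling the account, revoking licenses, and so on) still run; the warning in the operation log tells the operator which memberships were not removed.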

  5. To execute an action only if certain conditions are met, you need to add the action to a separate set and assign the necessary conditions to it.

    • Click Add new action set.

    • To assign a condition to the new set, right-click it and then click Add Condition in the context menu.

    • To add an action to the set, right-click it and then click Add Action.

    Example 1 – Cancel the deprovisioning if the username is prefixed with an underscore

    Example 2 – Send a notification to the user's manager if the Manager property of the user is not empty

    To send an email to the user's manager, use value reference %adm-ManagerEmail%.


    Example 3 – Request approval if the Employee Type of the user does not equal Subcontractor

    When a custom command is sent for approval, all actions following the Send for approval action are suspended, even if they are in different action sets.

  6. To modify the confirmation text for the command, click Edit next to the Confirmation checkbox.

  7. When done, click Save changes.

  8. To modify the description of the command:

    • Right-click the custom command and then click Properties in the context menu.

    • In the Description field, type the required text.

      The description is displayed as a tooltip for the command.

    • Click OK.

See also