Configure user deprovisioning

When an employee leaves, many steps must be taken to ensure the user is properly deprovisioned. Depending on your policies, it might be necessary to disable the user account, remove it from security groups, hide from Exchange address lists, revoke Microsoft 365 licenses, block access to Microsoft 365 services, etc.

With the help of custom commands you can streamline the whole process to a single step. Adaxes provides a built-in custom command, Deprovision, that is pre-configured to perform a set of typical deprovisioning operations. In this tutorial, you will learn how to customize the command to meet the needs of your specific environment.

  1. Launch Adaxes administration console.

     How
    • On the computer where Adaxes administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. Expand Adaxes service \ Configuration \ Custom Commands \ Builtin and select Deprovision.

  3. On the right, delete the actions you don't need. Review and change the default settings of other actions.

    Actions are grouped into action sets which are executed in order, from top to bottom. To change the order, use the arrow buttons. To move a whole set, make sure no actions or conditions inside it are selected.

  4. To add an action, right-click a set of actions, and then click Add Action in the context menu.

    Example 1 – Move the user to a specific organizational unit

     Step by step
    • Select the Move the user action.

    • In the Action Parameters section, specify the destination organizational unit and click OK.

    Example 2 – Move the user to the OU named Deprovisioned users, located in the user's domain

     Step by step
    • Select the Move the user action.

    • In the Action Parameters section, click the button.

    • Activate the Template tab.

    • Enter OU=Deprovisioned users,%adm-DomainDN% in the Template field.

      Value reference %adm-DomainDN% will be replaced with the distinguished name (DN) of the user's domain. For example, when deprovisioning a user from example.com domain, the user's account will be moved to OU=Deprovisioned users,DC=example,DC=com.

      To move the user to an organizational unit located directly under the user's current OU, use value reference %adm-ParentDN%, which is replaced with the DN of the container the user currently resides in (for example, OU=Deprovisioned users,%adm-ParentDN%).

      To insert a value reference, click the button.

    • Click OK.

    Example 3 – Remove the user from all groups

     Step by step
    • Select the Run a program or PowerShell script action.

    • Click the Edit button to open the script editor.

    • Enter the following script:

      # Get all groups user is a direct member of.
      $groupGuids = $Context.TargetObject.GetEx("adm-DirectMemberOfGuid")
      
      # Get the primary group ID.
      # DirectoryType 1 is Active Directory; Entra ID users have no primary
      # group, so the primary-group check below is skipped for them.
      $primaryGroupId = $NULL
      if ($Context.TargetObject.DirectoryType -eq 1)
      {
          $primaryGroupId = $Context.TargetObject.Get("primaryGroupID")
      }
      
      foreach ($groupGuidBytes in $groupGuids)
      {
          # Bind to the group.
          $groupGuid = New-Object "System.Guid" (,$groupGuidBytes)
          $groupGuid = $groupGuid.ToString("B")
          $groupPath = "Adaxes://<GUID=$groupGuid>"
          $group = $Context.BindToObject($groupPath)
          
          # Skip Entra ID dynamic groups.
          try
          {
              $dynamicMembership = $group.Get("adm-AzureDynamicMembership")
          }
          catch
          {
              $dynamicMembership = $False
          }
          if ($dynamicMembership -eq $True)
          {
              continue
          }    
          
          # Skip primary group.
          if ($group.DirectoryType -eq 1 -and $group.Get("primaryGroupToken") -eq $primaryGroupId)
          {
              continue
          }
      
          # Remove user from the group.
          $group.Remove($Context.TargetObject.AdsPath)
      }
      

      For information on how to create scripts for custom commands, see Server-side scripting.

    • When done, click OK two times.
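    Example 4 – Record group memberships, disable the account and randomize the password

    The script below is an added example; it is not part of the Adaxes tutorial or of the built-in Deprovision command. It is meant for a second Run a program or PowerShell script action placed above the group-removal action of Example 3 in the same action set, so that the membership snapshot is written to the Adaxes log before the memberships are removed. It uses the same $Context.TargetObject object as Example 3; the use of $Context.LogMessage and $Context.Initiator.UserAdsObject, and the fallback text for non-interactive initiators, are assumptions. If your copy of the Deprovision command already contains actions that disable the account or reset the password, delete the duplicates rather than doing the work twice.

```powershell
# Added example, not part of the original Adaxes tutorial. Assumes a
# "Run a program or PowerShell script" action placed ABOVE the group-removal
# action of Example 3, and the Adaxes scripting objects $Context.TargetObject,
# $Context.LogMessage and $Context.Initiator.UserAdsObject.
$user = $Context.TargetObject

# userAccountControl and memberOf exist only on Active Directory users
# (DirectoryType 1); skip Entra ID users rather than fail half-way through.
if ($user.DirectoryType -ne 1)
{
    $Context.LogMessage("Skipping AD-specific deprovisioning steps: not an AD user.", "Warning")
    return
}

# 1. Snapshot the direct group memberships into the Adaxes log, so the
#    removal done by the next action can be audited or reversed later.
try
{
    $groupDns = $user.GetEx("memberOf")
}
catch
{
    $groupDns = @()   # memberOf is absent when the user is in no groups
}
$Context.LogMessage("Groups before deprovisioning: " + ($groupDns -join "; "), "Information")

# 2. Disable the account (ADS_UF_ACCOUNTDISABLE = 0x2) and stamp who ran the
#    command and when, so the reason for the state is visible in the directory.
try
{
    $initiator = $Context.Initiator.UserAdsObject.Get("sAMAccountName")
}
catch
{
    $initiator = "automated task"   # assumed fallback, e.g. a scheduled task
}
$stamp = (Get-Date).ToUniversalTime().ToString("yyyy-MM-dd HH:mm 'UTC'")
$uac = $user.Get("userAccountControl")
$user.Put("userAccountControl", $uac -bor 0x2)
$user.Put("description", "Deprovisioned $stamp by $initiator")
$user.SetInfo()

# 3. Replace the password with a random value nobody knows, so the old
#    credential is useless even if the account is re-enabled by mistake.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = [Convert]::ToBase64String($bytes)
$user.SetPassword($newPassword)
$newPassword = $null   # never log or store the generated value

$Context.LogMessage("Account disabled and password randomized for " + $user.Get("sAMAccountName"), "Information")
```

    Neither disabling the account nor changing the password invalidates Kerberos tickets, cloud access tokens or sessions that are already open; they remain usable until they expire. That is why blocking access to Microsoft 365 services is listed as a separate step at the start of this tutorial.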

  5. To execute an action only if certain conditions are met, you need to add the action to a separate set and assign the necessary conditions to it.

    • Click Add new action set.

    • To assign a condition to the new set, right-click it and then click Add Condition in the context menu.

    • To add an action to the set, right-click it and then click Add Action.

    Example 1 – Cancel the deprovisioning if the username is prefixed with an underscore

    Example 2 – Send an email to the user's manager if the Manager property of the user is not empty

    To send an email to the user's manager, use value reference %adm-ManagerEmail%.


    Example 3 – Request approval if the Employee type of the user does not equal Subcontractor

    When a custom command is sent for approval, all actions following the Send for approval action are suspended until the request is decided, even if they are in different action sets.
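    Example 4 – Request approval for privileged accounts using a script condition

    Where the If <property> <relation> <value> condition is not expressive enough, Adaxes also provides the If PowerShell script returns true condition: the script reports its verdict by setting $Context.ConditionIsMet. The script below is an added example, not part of the tutorial. Assign it to a set that contains a Send for approval action, so that privileged Active Directory accounts (adminCount set by AdminSDHolder, or direct membership in groups you consider sensitive) are routed to a human instead of being deprovisioned automatically. The group names are assumptions; adjust them to your domain.

```powershell
# Added example (not from the original tutorial). For use in an Adaxes
# "If PowerShell script returns true" condition: the script reports its
# verdict through $Context.ConditionIsMet. Group names below are assumptions.
$user = $Context.TargetObject
$Context.ConditionIsMet = $False

# Only Active Directory users (DirectoryType 1) carry adminCount / memberOf.
if ($user.DirectoryType -ne 1)
{
    return
}

# 1. adminCount = 1 is set by AdminSDHolder on members of protected groups,
#    including nested membership, so it catches indirect admins too.
try
{
    $adminCount = $user.Get("adminCount")
}
catch
{
    $adminCount = 0   # attribute absent: the user was never protected
}
if ($adminCount -eq 1)
{
    $Context.LogMessage("Privileged account (adminCount=1): " + $user.Get("sAMAccountName"), "Warning")
    $Context.ConditionIsMet = $True
    return
}

# 2. Direct membership in groups you consider sensitive but that AdminSDHolder
#    does not protect (names are assumptions; adjust to your environment).
$sensitiveGroups = @("DnsAdmins", "Hyper-V Administrators", "Tier 0 Operators")
try
{
    $memberOf = $user.GetEx("memberOf")
}
catch
{
    $memberOf = @()   # memberOf is absent when the user is in no groups
}
foreach ($dn in $memberOf)
{
    # Take the RDN value; the group names checked here contain no escaped commas.
    $cn = ($dn -split ",", 2)[0] -replace "^CN=", ""
    if ($sensitiveGroups -contains $cn)
    {
        $Context.LogMessage("Member of sensitive group '$cn': " + $user.Get("sAMAccountName"), "Warning")
        $Context.ConditionIsMet = $True
        return
    }
}
```

    adminCount is not cleared automatically when a user leaves a protected group, so this check errs on the side of requiring approval for accounts that were privileged at some point, which is the safer failure mode for an offboarding workflow.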

  6. To modify the confirmation text for the command, click Edit next to the Confirmation checkbox.

  7. When done, click Save changes.

  8. To modify the description of the command:

    • Right-click the custom command and then click Properties in the context menu.

    • In the Description field, type required text.

      The description is displayed as a tooltip for the command.

    • Click OK.

Scheduled deprovisioning

When you execute the Deprovision custom command, the user is deprovisioned immediately. In some cases, it may be preferable to schedule offboarding for a later date. For example, to align with other processes in the company.

In this part of the tutorial, you will learn how to mark users for deprovisioning at a specific date, and how to configure a scheduled task that will execute the Deprovision command on that date.

Mark users for deprovisioning

To mark users for deprovisioning, you need to choose a property for storing the offboarding date. We recommend using one of the Adaxes virtual date properties (e.g. CustomAttributeDate1), though any unused date property in AD or Entra ID will work. You can optionally change the display name of this property to a user-friendly one, like Offboarding date.

 How to change the property display name
  • Launch Adaxes administration console.

  • Right-click your Adaxes service and then click Property Display Names in the context menu.

  • In the dialog that opens, click Add and type the property name in the drop-down list.

  • Select the property you want to specify a display name for.

  • Enter the display name in the dialog that opens.

  • To specify a custom display name for a specific object type, click Add type-specific display name.

  • Click OK.

The next step is creating a custom command which you will use to set the offboarding date.

  1. Launch Adaxes administration console.

     How
    • On the computer where Adaxes administration console is installed, open Windows Start menu.

    • Click Adaxes Administration Console.

  2. Right-click your Adaxes service, point to New and click Custom Command.

  3. Enter a name for the new custom command, select an icon, provide a description and the confirmation text.

    Click Next.

  4. Select the User object type.

    Click Next.

  5. On the Parameters step, add a Date/Time picker parameter.

     How to add a parameter
    • Click New.

    • Select Date/Time picker and click Next.

    • Enter the parameter name and display name.

    • Click Next.

    • Select the Minimum value checkbox, and then click the button.

    • In the dialog that opens, specify Current date/time - plus - 1 - day to only allow selecting dates in the future.

    • Click OK.

    • Click Finish.

    When done, click Next.

  6. Click Add an action.

  7. Select the Update the user action. Then, click Add in the Action Parameters section.

  8. Select the property you chose for storing the offboarding dates and click the button next to the New value field.

    Select your Date/Time picker parameter in the drop-down list.

    Click OK three times.

  9. Follow the instructions in the wizard to finish creating the custom command.


For more details about creating custom commands, see Create custom command.

Configure scheduled task for deprovisioning

  1. Launch Adaxes administration console.

  2. Right-click your Adaxes service, point to New and click Scheduled Task.

  3. Enter a name for the new scheduled task, and click Next.

    It is recommended to use nouns to name scheduled tasks (e.g. User Offboarder), because this task will appear as the operation initiator in the Adaxes log and approval email notifications.

  4. Select Daily and configure the time when the task should run.

    Click Next.

  5. Select the User object type.

    Click Next.

  6. Click Add an action.

  7. Select the Execute a Custom Command action and specify the Deprovision custom command in the Action Parameters section.

    Click OK.

  8. Right-click the action set, and then click Add Condition in the context menu.

  9. Select the If <property> <relation> <value> condition.

    In the Condition Parameters section, specify CustomAttributeDate1 - equals - %datetime%. Replace CustomAttributeDate1 with the name of the property where the offboarding date is saved when users are marked for deprovisioning.

    Click OK.

    Optionally, add another action that will clear the value of CustomAttributeDate1. This is not strictly necessary, but it can help prevent scenarios where a user is deprovisioned twice if the task is executed multiple times during the same day, for instance, if someone runs the task manually after it has already run on schedule. Clearing the date also makes it possible to replace the equals relation with one that matches any date earlier than or equal to %datetime%, so that a user whose offboarding date passed while the task was not running (for example, because the Adaxes service was stopped that day) is still picked up on the next run instead of being skipped permanently.

  10. Click Next.

  11. On the Activity Scope step, click Add.

    The activity scope should include all users that can theoretically be deprovisioned. The scheduled task will run daily and check every user within the activity scope, but will execute the Deprovision custom command only for those whose offboarding date matches the current date.

    Select from the following items:

    • All Objects – select to perform the task on all objects of the specified type in all domains managed by Adaxes.

    • Domain – select to perform the task on all objects of the specified type within a specific domain.

    • OU or Container – select to perform the task on the objects located in an organizational unit or container.

    • Group – select to perform the task on members of a group.

    • Business Unit – select to perform the task on members of a business unit. To select a business unit, open the Look in drop-down list and select the Business Units item.

    You can exclude specific objects, groups, organizational units, business units and domains from the activity scope of the task. For example, if you assigned the task over all objects in a domain, but do not want it to be executed on members of a certain group, you can exclude the group from the activity scope. To exclude an object, select the Exclude the selection option in the Assignment Options dialog box.

     Step by step
    • Make sure objects of the desired type are displayed in the list.

    • Click the object you want to exclude.

    • In the Assignment Options dialog, select the Exclude the selection option.

    • Click OK.

  12. Click OK and then click Finish.
