[GH-ISSUE #57] Feature Request: Offboarding user Wizard #36

New issue

Closed

opened 2026-03-02 12:03:18 +03:00 by kerem · 5 comments

kerem commented 2026-03-02 12:03:18 +03:00

Owner

Copy link

Originally created by @KelvinTegelaar on GitHub (Oct 18, 2021).
Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/57

Originally assigned to: @KelvinTegelaar on GitHub.

Describe the solution you'd like
I'd like to be able to have engineers run a Wizard to offboard a user, with checkboxes to convert a user to a shared mailbox, remove the licenses, block sign-in, and set an OoO.

Describe alternatives you've considered
manually doing it, blergh

Originally created by @KelvinTegelaar on GitHub (Oct 18, 2021). Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/57 Originally assigned to: @KelvinTegelaar on GitHub. **Describe the solution you'd like** I'd like to be able to have engineers run a Wizard to offboard a user, with checkboxes to convert a user to a shared mailbox, remove the licenses, block sign-in, and set an OoO. **Describe alternatives you've considered** manually doing it, blergh

kerem 2026-03-02 12:03:18 +03:00

• closed this issue
• added the
  enhancement
  Planned
  labels

kerem commented 2026-03-02 12:03:19 +03:00

Author

Owner

Copy link

@dbeta commented on GitHub (Oct 18, 2021):

You read my mind. To give details of our process:

1. Disable Sign-in
2. Reset Password
3. Convert to Shared Mailbox
4. Remove License
5. Setup delegated access to mailbox (Disable auto populate to Outlook desktop app)
6. Setup delegated access to Onedrive.

We don't do self service password resets, but that should probably be disabled as well.

Useful feedback for the technician:

1. Onedrive URL
2. OWA URL

<!-- gh-comment-id:945709422 --> @dbeta commented on GitHub (Oct 18, 2021): You read my mind. To give details of our process: 1. Disable Sign-in 2. Reset Password 3. Convert to Shared Mailbox 4. Remove License 5. Setup delegated access to mailbox (Disable auto populate to Outlook desktop app) 6. Setup delegated access to Onedrive. We don't do self service password resets, but that should probably be disabled as well. Useful feedback for the technician: 1. Onedrive URL 2. OWA URL

kerem commented 2026-03-02 12:03:20 +03:00

Author

Owner

Copy link

@wezzydev commented on GitHub (Oct 18, 2021):

I have created an off-boarding Powershell script that does the following for Azure. I have a separate one for 365 only (Just so you can get some ideas)

• Remove from 365 groups
• Find out if the server is syncing via mail or UPN attribute in AD (For Azure AD Sync)
• Sets the mail nickname attribute based on their AD username
• Hides from global address list in 365
• Converts to shared mailbox in 365
• Removes licenses from account in 365
• Automatically resets the password in AD and checks the last password reset date/time to confirm it has been changed to something random
• Sets mailbox forwarding and mailbox access
• Disabled account in AD and moves it to an OU. This part is filtered based on OU name and is looking for something like "Azure" and will ask the engineer if they want to choose that OU. If they select No, then it will look another another and confirm if they want to move into that one, etc.
• Makes sure Azure AD Connect is not open as this can cause issues
• Forces an Azure sync

<!-- gh-comment-id:945809307 --> @wezzydev commented on GitHub (Oct 18, 2021): I have created an off-boarding Powershell script that does the following for Azure. I have a separate one for 365 only (Just so you can get some ideas) - Remove from 365 groups - Find out if the server is syncing via mail or UPN attribute in AD (For Azure AD Sync) - Sets the mail nickname attribute based on their AD username - Hides from global address list in 365 - Converts to shared mailbox in 365 - Removes licenses from account in 365 - Automatically resets the password in AD and checks the last password reset date/time to confirm it has been changed to something random - Sets mailbox forwarding and mailbox access - Disabled account in AD and moves it to an OU. This part is filtered based on OU name and is looking for something like "Azure" and will ask the engineer if they want to choose that OU. If they select No, then it will look another another and confirm if they want to move into that one, etc. - Makes sure Azure AD Connect is not open as this can cause issues - Forces an Azure sync

kerem commented 2026-03-02 12:03:20 +03:00

Author

Owner

Copy link

@dbeta commented on GitHub (Oct 18, 2021):

Good call on the GAL, totally forgot that step. If there is some way to break the immutable ID so that syncing stops on that user, without the risk of automatic re-pairing, that would be nice. That was the relationship between the AD account and the AAD account would be permanently broke and I don't have to worry about an AD action causing an AAD reaction.

This is important since the process is obviously going to be disconnected between AAD and AD, since I don't see any AD interactions to be in-scope of CIPP.

<!-- gh-comment-id:945861985 --> @dbeta commented on GitHub (Oct 18, 2021): Good call on the GAL, totally forgot that step. If there is some way to break the immutable ID so that syncing stops on that user, without the risk of automatic re-pairing, that would be nice. That was the relationship between the AD account and the AAD account would be permanently broke and I don't have to worry about an AD action causing an AAD reaction. This is important since the process is obviously going to be disconnected between AAD and AD, since I don't see any AD interactions to be in-scope of CIPP.

kerem commented 2026-03-02 12:03:20 +03:00

Author

Owner

Copy link

@KelvinTegelaar commented on GitHub (Oct 23, 2021):

Almost done on this, perfecting some API error handling. :)

<!-- gh-comment-id:950187958 --> @KelvinTegelaar commented on GitHub (Oct 23, 2021): Almost done on this, perfecting some API error handling. :)

kerem commented 2026-03-02 12:03:20 +03:00

Author

Owner

Copy link

@KelvinTegelaar commented on GitHub (Oct 25, 2021):

Added in dev build

<!-- gh-comment-id:950654768 --> @KelvinTegelaar commented on GitHub (Oct 25, 2021): Added in dev build

kerem referenced this issue 2026-03-02 13:57:59 +03:00

[PR #1677] [MERGED] Add Delete GDAP Role Mapping #3359

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

docs

dev

dependabot/npm_and_yarn/dev/uiw/react-json-view-2.0.0-alpha.42

dependabot/npm_and_yarn/dev/tanstack/react-query-persist-client-5.96.2

dependabot/npm_and_yarn/dev/mui-tiptap-1.30.0

dependabot/npm_and_yarn/dev/tanstack/react-query-devtools-5.96.2

dependabot/npm_and_yarn/dev/recharts-3.8.1

dependabot/github_actions/dev/actions/setup-node-6.4.0

copilot/add-alert-for-report-only-ca

release/beta

release/nightly

docs-maintenance

v10.4.0

v10.3.0

v10.2.0

v10.1.0

v10.0.0

v8.8.0

v8.7.0

v8.6.0

v8.5.0

v8.4.0

v8.3.0

v8.2.0

v8.1.0

v8.0.0

v7.5.0

v7.4.0

v7.3.0

v7.2.0

v7.1.0

v7.0.1

v6.4.0

v6.3.0

v6.2.0

v6.1.0

v6.0.0

v5.9.0

v5.8.5

v5.8.0

v5.7.0

v5.6.0

v5.5.0

v5.4.0

v5.3.0

v5.2.0

v5.1.0

v5.0.0

v4.9.0

v4.8.0

v4.7.0

v.4.6.0

v4.5.0

v4.4.0

v4.3.0

v4.2.0

v4.1.0

v4.0.0

v3.8.0

v3.7.0

v3.6.0

v3.5.0

v3.4.0

v3.3.0

v3.2.0

v3.1.0

v3.0.0

v2.20.0

v2.19.0

v2.18.0

v2.17.0

v2.16.0

v2.15.0

v2.13.0

v2.12.0

v2.11.2

v2.1.11.0

v.2.10.0

v2.9.0

v2.8.0

v2.7.0

v2.6.0

v2.5.5

v2.5.0

v2.4.0

v.2.3.0

v2.2.0

v2.1.2

v2.1.1

v2.1.0

v2.0.1

2.0.0

v1.5.1

v1.5.0

v1.4.3

v1.4.2

v1.4.0

v1.3.0

v1.2.1

v1.2.0

1.1.0

release

Labels

Clear labels   

API

  

Feature

  

NotABug

  

NotABug

  

Planned

  

Sponsor Priority

  

Sponsor Priority

  

bug

  

documentation

  

duplicate

  

enhancement

  

needs more info

  

no-activity

  

no-priority

  

not-assigned

  

pull-request

Mirrored from GitHub Pull Request

  

react-conversion

  

react-conversion

  

roadmap

  

security

  

stale

  

unconfirmed-by-user

  

unconfirmed-by-user

  

wontfix

No labels

API

Feature

NotABug

NotABug

Planned

Sponsor Priority

Sponsor Priority

bug

documentation

duplicate

enhancement

needs more info

no-activity

no-priority

not-assigned

pull-request

react-conversion

react-conversion

roadmap

security

stale

unconfirmed-by-user

unconfirmed-by-user

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/CIPP#36

No description provided.