[GH-ISSUE #57] Feature Request: Offboarding user Wizard #36

Closed
opened 2026-03-02 12:03:18 +03:00 by kerem · 5 comments

Originally created by @KelvinTegelaar on GitHub (Oct 18, 2021).
Original GitHub issue: https://github.com/KelvinTegelaar/CIPP/issues/57

Originally assigned to: @KelvinTegelaar on GitHub.

Describe the solution you'd like
I'd like to be able to have engineers run a Wizard to offboard a user, with checkboxes to convert a user to a shared mailbox, remove the licenses, block sign-in, and set an OoO.

Describe alternatives you've considered
manually doing it, blergh

kerem 2026-03-02 12:03:18 +03:00

@dbeta commented on GitHub (Oct 18, 2021):

You read my mind. To give details of our process:

  1. Disable Sign-in
  2. Reset Password
  3. Convert to Shared Mailbox
  4. Remove License
  5. Setup delegated access to mailbox (Disable auto populate to Outlook desktop app)
  6. Setup delegated access to Onedrive.

We don't do self service password resets, but that should probably be disabled as well.

Useful feedback for the technician:

  1. Onedrive URL
  2. OWA URL
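The six-step process above, written out as a PowerShell function with one switch per "checkbox", is an added example and not CIPP's implementation. It assumes the Microsoft.Graph (Users, Users.Actions), ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed and already connected with sufficient rights; the function name and its parameters are hypothetical. The ordering is the security-relevant part: sign-in is blocked and refresh tokens revoked before anything else, because a password reset on its own does not invalidate tokens that were issued earlier, and the mailbox is converted to shared before the license is removed so it does not drop into the soft-deleted state.

```powershell
# Added example, not CIPP code. Assumes Connect-MgGraph (User.ReadWrite.All,
# Directory.ReadWrite.All), Connect-ExchangeOnline and Connect-SPOService are done.
function Invoke-UserOffboarding {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [string] $DelegateUpn,                       # who inherits mailbox / OneDrive access
        [string] $OutOfOfficeMessage = 'This mailbox is no longer monitored.',
        [switch] $ConvertToSharedMailbox,
        [switch] $RemoveLicenses,
        [switch] $HideFromGal,
        [switch] $SetOutOfOffice,
        [switch] $DelegateOneDrive
    )

    $result = [ordered]@{ User = $UserPrincipalName }

    # 1. Block sign-in and revoke refresh tokens FIRST. Existing sessions survive a
    #    password reset; only the revoke actually ends them.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Block sign-in and revoke sessions')) {
        Update-MgUser -UserId $UserPrincipalName -AccountEnabled:$false
        Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
        $result.SignInBlocked = $true
    }

    # 2. Rotate the password to a random value nobody is told (32 base64 chars + complexity tail).
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Reset password to random value')) {
        $bytes = New-Object byte[] 24
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $newPassword = [Convert]::ToBase64String($bytes) + '!Aa1'
        Update-MgUser -UserId $UserPrincipalName -PasswordProfile @{
            Password                      = $newPassword
            ForceChangePasswordNextSignIn = $true
        }
        $result.PasswordReset = $true
    }

    # 3. Convert to shared BEFORE removing the license, otherwise the mailbox is lost
    #    once the Exchange Online license is gone.
    if ($ConvertToSharedMailbox -and $PSCmdlet.ShouldProcess($UserPrincipalName, 'Convert to shared mailbox')) {
        Set-Mailbox -Identity $UserPrincipalName -Type Shared
        $result.SharedMailbox = $true
    }

    if ($HideFromGal -and $PSCmdlet.ShouldProcess($UserPrincipalName, 'Hide from GAL')) {
        Set-Mailbox -Identity $UserPrincipalName -HiddenFromAddressListsEnabled $true
        $result.HiddenFromGal = $true
    }

    if ($SetOutOfOffice -and $PSCmdlet.ShouldProcess($UserPrincipalName, 'Set out-of-office')) {
        Set-MailboxAutoReplyConfiguration -Identity $UserPrincipalName -AutoReplyState Enabled `
            -InternalMessage $OutOfOfficeMessage -ExternalMessage $OutOfOfficeMessage
        $result.OutOfOffice = $true
    }

    # 5. Delegated mailbox access with auto-mapping OFF, so the shared mailbox does not
    #    auto-populate in the delegate's Outlook desktop profile.
    if ($DelegateUpn -and $PSCmdlet.ShouldProcess($UserPrincipalName, "Grant FullAccess to $DelegateUpn")) {
        Add-MailboxPermission -Identity $UserPrincipalName -User $DelegateUpn `
            -AccessRights FullAccess -AutoMapping $false -InheritanceType All | Out-Null
        $result.MailboxDelegate = $DelegateUpn
    }

    # 4. Remove every assigned SKU (after the conversion above).
    if ($RemoveLicenses -and $PSCmdlet.ShouldProcess($UserPrincipalName, 'Remove licenses')) {
        $skus = @((Get-MgUserLicenseDetail -UserId $UserPrincipalName).SkuId)
        if ($skus.Count -gt 0) {
            Set-MgUserLicense -UserId $UserPrincipalName -AddLicenses @() -RemoveLicenses $skus | Out-Null
        }
        $result.LicensesRemoved = $skus.Count
    }

    # 6. OneDrive: locate the personal site and make the delegate a site collection admin.
    #    The URL is returned as feedback for the technician.
    if ($DelegateOneDrive -and $DelegateUpn -and $PSCmdlet.ShouldProcess($UserPrincipalName, 'Delegate OneDrive')) {
        $site = Get-SPOSite -IncludePersonalSite $true -Limit All `
            -Filter "Url -like '-my.sharepoint.com/personal/'" |
            Where-Object { $_.Owner -eq $UserPrincipalName } | Select-Object -First 1
        if ($site) {
            Set-SPOUser -Site $site.Url -LoginName $DelegateUpn -IsSiteCollectionAdmin $true | Out-Null
            $result.OneDriveUrl = $site.Url
        }
    }

    $result.OwaUrl = 'https://outlook.office.com/mail/'   # constant; the mailbox is opened from the delegate's own OWA
    [pscustomobject]$result
}

# Usage (constructed values): Invoke-UserOffboarding -UserPrincipalName leaver@contoso.example `
#   -DelegateUpn manager@contoso.example -ConvertToSharedMailbox -RemoveLicenses -HideFromGal `
#   -SetOutOfOffice -DelegateOneDrive -WhatIf
```

Because the function supports `ShouldProcess`, running it with `-WhatIf` lists every change before anything is touched, and `-Confirm` prompts per step, which is the closest script equivalent of the wizard's checkboxes. Self-service password reset is a tenant-wide setting rather than a per-user one, so it is not part of this per-user flow.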

@wezzydev commented on GitHub (Oct 18, 2021):

I have created an off-boarding PowerShell script that does the following for Azure. I have a separate one for 365 only (just so you can get some ideas).

  • Remove from 365 groups
  • Find out if the server is syncing via mail or UPN attribute in AD (For Azure AD Sync)
  • Sets the mail nickname attribute based on their AD username
  • Hides from global address list in 365
  • Converts to shared mailbox in 365
  • Removes licenses from account in 365
  • Automatically resets the password in AD and checks the last password reset date/time to confirm it has been changed to something random
  • Sets mailbox forwarding and mailbox access
  • Disables the account in AD and moves it to an OU. This part is filtered based on OU name and is looking for something like "Azure" and will ask the engineer if they want to choose that OU. If they select No, then it will look for another and confirm if they want to move into that one, etc.
  • Makes sure Azure AD Connect is not open as this can cause issues
  • Forces an Azure sync
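The on-premises half of the hybrid flow described in this comment, as an added example that is not the commenter's script: it uses the RSAT ActiveDirectory module and the ADSync module that ships with Entra Connect, and is meant to run on the Connect server. The function name, the `AzureADConnect` process-name check and the OU-name hint parameter are assumptions made for the example; the verified password reset, the interactive OU choice and the forced delta sync follow the steps listed above.

```powershell
# Added example, not the commenter's script. Assumes RSAT ActiveDirectory and the ADSync
# module are present on the Entra Connect server and the caller has rights to modify the user.
Import-Module ActiveDirectory
Import-Module ADSync

function Invoke-HybridOffboarding {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $DisabledOuHint = 'Azure'   # assumed: substring matched against candidate OU names
    )

    # Refuse to run while the Entra Connect wizard is open (process name assumed); an open
    # wizard holds the scheduler and a forced cycle would fail or race with its changes.
    if (Get-Process -Name 'AzureADConnect' -ErrorAction SilentlyContinue) {
        throw 'Close the Entra Connect configuration wizard before offboarding.'
    }

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties PasswordLastSet, MemberOf, mailNickname, DistinguishedName
    $result = [ordered]@{ User = $user.UserPrincipalName }

    # Disable first, then rotate the password and PROVE it changed via PasswordLastSet.
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Disable and reset password')) {
        Disable-ADAccount -Identity $user
        $before = $user.PasswordLastSet
        $bytes  = New-Object byte[] 24
        [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
        $secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes) + '!Aa1') -AsPlainText -Force
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $secret
        $after  = (Get-ADUser -Identity $user -Properties PasswordLastSet).PasswordLastSet
        if ($after -le $before) { throw "Password reset for $SamAccountName did not take effect." }
        $result.PasswordChangedAt = $after
    }

    # Group membership: every group except the primary group (which is not in MemberOf).
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Remove group memberships')) {
        foreach ($groupDn in $user.MemberOf) {
            Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
        }
        $result.GroupsRemoved = @($user.MemberOf).Count
    }

    # mailNickname from the AD username, and hide from the GAL via the Exchange schema
    # attribute (present only when the forest has the Exchange schema extensions).
    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Set mailNickname and hide from GAL')) {
        Set-ADUser -Identity $user -Replace @{
            mailNickname                = $user.SamAccountName
            msExchHideFromAddressLists  = $true
        }
        $result.HiddenFromGal = $true
    }

    # Offer each OU whose name matches the hint; the engineer accepts or moves to the next.
    $candidates = Get-ADOrganizationalUnit -Filter "Name -like '*$DisabledOuHint*'"
    foreach ($ou in $candidates) {
        if ($PSCmdlet.ShouldContinue("Move $SamAccountName into $($ou.DistinguishedName)?", 'Choose target OU')) {
            Move-ADObject -Identity $user.DistinguishedName -TargetPath $ou.DistinguishedName
            $result.MovedTo = $ou.DistinguishedName
            break
        }
    }

    # Push the changes to the cloud now rather than waiting for the 30-minute scheduler.
    if ($PSCmdlet.ShouldProcess('Entra Connect', 'Start delta sync')) {
        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
        $result.SyncTriggered = $true
    }

    [pscustomobject]$result
}

# Usage (constructed value): Invoke-HybridOffboarding -SamAccountName jdoe -WhatIf
```

One caveat the OU step needs: if the chosen OU sits outside the Entra Connect sync scope, the next cycle treats the cloud object as out of scope and soft-deletes it, which also takes the freshly converted shared mailbox with it. The target OU for disabled leavers therefore has to stay inside the sync scope if the mailbox must survive.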

@dbeta commented on GitHub (Oct 18, 2021):

Good call on the GAL, totally forgot that step. If there is some way to break the immutable ID so that syncing stops on that user, without the risk of automatic re-pairing, that would be nice. That way the relationship between the AD account and the AAD account would be permanently broken and I don't have to worry about an AD action causing an AAD reaction.

This is important since the process is obviously going to be disconnected between AAD and AD, since I don't see any AD interactions to be in-scope of CIPP.


@KelvinTegelaar commented on GitHub (Oct 23, 2021):

Almost done on this, perfecting some API error handling. :)


@KelvinTegelaar commented on GitHub (Oct 25, 2021):

Added in dev build
