Generic errors
- An error could occur if the user being offboarded has already been deleted within the source platform.
- If the Microsoft / Google APIs that we use to perform the operations are down, then we will receive errors.
Request Approval
Overview
The executor of the workflow will be prompted to approve the offboarding.
The notification will be sent both in Manage, within the Notifications section, and by email. When approving via email, the executor will be taken to the “Offboard User” view, where they can approve the offboarding.
The email will be re-sent every 24 hours asking for approval.
Once approved the offboarding will then continue onto the next step in the workflow.
Expected Outcome
After approval of the offboarding the next step in the workflow should begin processing.
Possible Errors
- An error could occur if the user that is meant to approve the offboarding has been deleted.
- If a group is set as the executor, a “user” won't be able to approve.
Prompt For Resource Allocation
Overview
A prompt will be sent to the executor to set the target destination for the steps selected in the Offboarding Step. These destinations are then used to override the original destinations set at an overall offboarding workflow level. This will allow the user to set up a target for that specific user’s offboarding that will override the workflow settings.
Before the allocations are confirmed, the user can “check” whether the targets are valid users. A target can be an external user or a group mail address, but this could cause errors when performing the migrations, so the “check” will validate whether the targets set are valid user profiles. If not, then the step can still proceed but errors may occur due to the targets chosen.
The Offboarding process will not proceed until all resources have been allocated.
Expected Outcome
After approval of the resource allocation the next step in the workflow should begin processing.
The targets specified during approval should then be set up for those steps.
Possible Errors
- An error could occur if the user being offboarded has already been deleted within the Source platform.
- For the steps specified, as stated above, if the target is not a User account registered within CloudM Manage, this could cause an error during the processing of those steps.
- If the target user doesn’t have drive or mail enabled or have the correct licences this could also cause issues.
Change Password
Overview
Changes the password to a random 16 digit alphanumeric code for the user.
Expected Outcome
The user is unable to login with their old password and the new password is not made visible to anyone once the change has been applied.
Possible Errors
- An error could occur if the user being offboarded has already been deleted within the source platform.
Revoke Application User's Accounts
Overview
For this step to be selectable for a workflow at least 1 Integration must be installed within CloudM Manage.
Any accounts the user has on any of the installed integrations configured in the workflow step will be locked down so the user can no longer access them and the integrations will not be able to act on the user's behalf.
In some cases, depending on the third party application and how it has been configured within CloudM Manage, this could mean suspending the user account in the application, revoking their license or deleting the user account.
Expected Outcome
The user will not be able to log in to any of the accounts in the configured applications that have been integrated with CloudM Manage. The user accounts should have had any action performed on them too as set up in the Offboarding and / or Integrations.
Possible Errors
- An error could occur if the user being offboarded has already been deleted within the source platform.
- If the Integration has been removed since setting up the Offboarding or the authorization for the application is no longer valid, this could cause an error while trying to perform any operations in that application.
- If the API we use for the 3rd party application is down, then this will return errors when trying to perform this step.
Revoke OAuth Tokens
Overview
Any OAuth tokens that have been issued for the user’s account will be revoked, along with any cookies contained within browsers. This will stop any applications accessing the user’s account on their behalf.
One of the following permissions must have been granted for us to perform this operation:
User.ReadWrite.All, Directory.ReadWrite.All. In the vast majority of cases, these permissions will have already been approved by the admins when logging into CloudM Manage.
Expected Outcome
All OAuth tokens are removed for the user, and applications can no longer perform operations on behalf of the user or access their information.
Possible Errors
- An error could occur if the user being offboarded has already been deleted within the source platform.
- We will be unable to revoke the tokens, resulting in an error, if one of the following permissions has not been granted: User.ReadWrite.All, Directory.ReadWrite.All
Set Out of Office Message
Overview
The user will have the specified Out of Office settings applied to them. A subject and message can be provided for the email that is returned to anyone trying to contact this user. An executor can be selected and used in the subject or message as an alternative person to contact.
The settings that are used are as follows:
- Always active - no schedule has been set.
- Active for all people contacting the user, not just people within their domain or on their contacts list.
Expected Outcome
The Out of Office settings are set for the user and any emails sent to them will be automatically replied to with the configured subject and message.
Possible Errors
- An error could occur if the user being offboarded has already been deleted within the source platform.
- An error will occur if the user does not have a valid Office 365 license as we will be unable to access their Mailbox.
Delegate Access
Overview
The user’s mailbox will be delegated to the executor defined on the workflow level so that they can access the user's emails and send emails on behalf of the offboarded user.
If the executor does not have an Office 365 license then access will not be delegated.
This step uses PowerShell, so the “Configure Exchange Online Access” flow within CloudM Manage on the Domain Settings page must be configured in order for us to use the PowerShell application.
Expected Outcome
The executor now has access to the offboarded user’s mailbox.
Possible Errors
- An error could occur if the user being offboarded has already been deleted within the source platform.
- An error will occur if the domain has not had an account go through the “Configure Exchange Online Access” flow within CloudM Manage as we will be unable to authenticate with Microsoft.
- Sometimes the credentials used in the “Configure Exchange Online Access” can be invalidated and in that case the token needs to be refreshed using the flow.
- Sometimes the PowerShell operation can fail since a maximum of only 5 PowerShell sessions are available across a tenant. If CloudM Manage cannot gain access to one of these sessions then this step will fail.
Hide User
Overview
Hides the user from the Global Address List (GAL).
This step uses PowerShell, so the “Configure Exchange Online Access” flow within CloudM Manage on the Domain Settings page must be configured in order for us to use the PowerShell application.
The user must also not be of the type Guest user and must have an Exchange license.
Expected Outcome
The user does not appear on the Global Address List.
Possible Errors
- An error could occur if the user being offboarded has already been deleted within the source platform.
- An error will occur if the domain has not had an account go through the “Configure Exchange Online Access” flow within CloudM Manage as we will be unable to authenticate with Microsoft.
- Sometimes the credentials used in the “Configure Exchange Online Access” can be invalidated and in that case the token needs to be refreshed using the flow.
- Sometimes the PowerShell operation can fail since a maximum of only 5 PowerShell sessions are available across a tenant. If CloudM Manage cannot gain access to one of these sessions then this step will fail.
Rename User
Overview
The user is renamed in both CloudM Manage and the source platform, giving them an email address in the format specified in the step. By default this is a random ID.
Expected Outcome
The user is renamed in the correct format.
Possible Errors
- An error could occur if the user being offboarded has already been deleted within the source platform.
- If this step is used with other offboarding steps, there is a chance an error is shown that the profile cannot be located. However, the offboarding process will continue without issues.
Assign Alias
Overview
The user’s old email address is added as an alias to the person specified in the workflow step.
Expected Outcome
An alias is on the specified user for the offboarded user’s old email address.
Possible Errors
- An error could occur if the user being offboarded has already been deleted within the source platform.
Archive
Overview
The user's data is archived to long term storage which can be restored to another user account at a later date. The bucket where the information is to be archived can also be configured.
When archiving emails and documents a query can be provided to only archive certain items or all of them.
Expected Outcome
The items that were selected and matched any queries were archived to the bucket.
Possible Errors
- An error could occur if the user being offboarded has already been deleted within the source platform.
- Sometimes a file can fail to be processed by the Microsoft API and this will cause the step to fail. This can specifically happen if a file is listed as malware.
- If a user is archived more than once, we can hit an issue with the fair use policy limit.
Known Errors
- User is already archived to another bucket. This will show up if an admin tries to archive the user to a secondary bucket if the user already has data backed up to a primary bucket.
- Invalid License Key - This will show if the license key is invalid from the portal key. A newly generated portal key will push it to the Manage instance and they should be in sync again.
Transfer Ownership of Documents
Overview
Any folders and documents that are owned by the offboarded user will be copied to the specified new owner account under the specified folder name. These are configured in the workflow step.
The folders and documents are placed in a new folder named using a template which can include profile attribute placeholders. If the user has multiple OneDrive document libraries, each will be migrated into a new folder created underneath the specified one. Alternatively, if the folder name template contains $library then that will be replaced with the name of the OneDrive document library.
Long folder paths may be truncated depending on the length of the new owner’s primary email address, the library name and the new folder name after the template has been expanded. Truncated folder and document names will have a ~1 suffix where 1 will be incremented to avoid name collisions.
We ensure any folder and document shares are maintained.
A count of successful and failed files and folders is recorded in the CloudM Manage Audit Logs.
Without this step, any documents that the user hasn't shared will be deleted by Microsoft depending on the OneDrive retention policy.
Expected Outcome
The items that were owned by the user across all their OneDrive document libraries have been copied to the new owner that was specified in the workflow step.
The majority of the existing file structure has been preserved.
Any shares that were present have been recreated.
Possible Errors
- An error could occur if the user being offboarded has already been deleted within the source platform.
- An error could occur if either of the users does not have a mailbox license.
Migrate Calendar Events
Overview
The offboarded user’s primary calendar, as well as any calendars that they have created, are transferred to the specified user.
The primary calendar is cloned and created in the target user’s calendar with the naming format specified in the workflow.
The secondary calendars are cloned in the same way as the primary, but their name is the same as the existing calendar with the offboarded user’s original email address appended to it.
Any recurring events are not linked to the original; they are just copies of the meetings in the offboarded user’s original calendar.
Expected Outcome
The calendars have been migrated to the specified user’s calendar. The primary calendar will have a name matching the one specified in the workflow step and any secondary calendars will have the same name but with the offboarded user’s original email address appended.
Possible Errors
- An error could occur if the user being offboarded has already been deleted within the source platform.
Transfer Ownership of Groups
Overview
The ownership of any groups that the offboarded user owns is transferred to the specified user. The new owner can be specified in the workflow step.
Any existing members or admins of the groups will not be changed.
Expected Outcome
The ownerships of the groups are transferred to the specified user and all existing access remains.
Possible Errors
- An error could occur if the user being offboarded has already been deleted within the source platform.
Transfer Contacts
Overview
The offboarded user’s contacts are transferred to the specified user’s contacts, into a folder whose name matches the one configured in the workflow step.
Expected Outcome
A folder matching the name specified in the workflow exists, containing the contacts from the offboarded user’s contacts.
Possible Errors
- An error could occur if the user being offboarded has already been deleted within the source platform.
Remove From Groups
Overview
The offboarded user is removed from any groups that they are a member of.
If the user is included in any Groups or Smart Teams that have dynamic memberships based on search queries, they could be re-added to the group depending on the query.
Expected Outcome
The user is removed from any groups.
Possible Errors
- An error could occur if the user being offboarded has already been deleted within the source platform.
Migrate Emails
Overview
The offboarded user’s emails are migrated to the specified user.
The emails will be placed into a folder with a name specified in the workflow settings. The original folder structure of the emails will be preserved during the migration, using the newly created folder as the root.
A query can also be used to only migrate emails matching the query. This query uses Microsoft’s EWS Advanced Query String syntax.
A tolerance level can also be entered. This will mean that if the total failure rate of the transferred emails is above the threshold then the step is marked as “Failed”.
A target for the email migration can only have one active migration at a time. This will mean that if 5 offboarded users all have the same target they will be processed one at a time.
If the 5 offboarded users have different targets, they will be done in parallel.
We periodically feed back statistics on the migration into CloudM Manage; these can be viewed when looking at the user’s offboarding.
If this step is added to a workflow then the “Convert to Shared Mailbox” step cannot be added.
If the step is aborted within CloudM Manage, the migration will actually continue to proceed. This will mean that if the step is aborted and then restarted, it may carry on with the existing migration since it was not stopped.
Expected Outcome
The emails matching the query are migrated to the specified user, under a folder whose name matches the provided template, with the same folder structure as in the offboarded user’s mailbox.
Possible Errors
- An error could occur if the user being offboarded has already been deleted within the source platform.
- If the target user does not have an Exchange license then the migrations will fail.
Convert to Shared Mailbox
Overview
The offboarded user’s mailbox is converted into a Shared Mailbox.
Users can also list users that can be added as delegates to the shared mailbox.
When converting to a shared mailbox, we do not remove the license at this time.
It can be removed in the later offboarding step of “Unassign licenses”.
This step uses PowerShell, so the “Configure Exchange Online Access” flow within CloudM Manage on the Domain Settings page must be configured in order for us to use the PowerShell application.
If this step is added to a workflow then the “Migrate Emails” and “Delete User” steps cannot be added.
Expected Outcome
The emails matching the query are migrated to the specified user, under a folder whose name matches the provided template, with the same folder structure as in the offboarded user’s mailbox.
Possible Errors
- An error could occur if the user being offboarded has already been deleted within the source platform.
- An error will occur if the domain has not had an account go through the “Configure Exchange Online Access” flow within CloudM Manage as we will be unable to authenticate with Microsoft.
- Sometimes the credentials used in the “Configure Exchange Online Access” can be invalidated and in that case the token needs to be refreshed using the flow.
- Sometimes the PowerShell operation can fail since a maximum of only 5 PowerShell sessions are available across a tenant. If CloudM Manage cannot gain access to one of these sessions, then this step will fail.
Unassign Licenses
Overview
Any licenses that the offboarded user has are unassigned.
We will output a list of the licenses that have been removed, some of which may be legacy licenses meaning that there will be less information about them in the CloudM Manage audit logs.
Expected Outcome
Any licenses are removed from the user.
Possible Errors
- An error could occur if the user being offboarded has already been deleted within the source platform.
- If the user has auto-licensing set up then we may be unable to remove the licenses that are managed in this way.
Suspend User
Overview
The user’s account will be suspended so that they cannot login or use any services.
Expected Outcome
The user is suspended and cannot login.
Possible Errors
- An error could occur if the user being offboarded has already been deleted within the source platform.
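A check of the expected outcomes listed for the Revoke OAuth Tokens, Remove From Groups, Unassign Licenses and Suspend User steps, as an added example that is not CloudM code. It assumes the user and group records were exported from Microsoft Graph (properties accountEnabled, signInSessionsValidFromDateTime, assignedLicenses, groupTypes, membershipRule), that suspension shows as accountEnabled = false and that token revocation advances signInSessionsValidFromDateTime; the function name and sample records are constructed.

```python
from datetime import datetime

def _ts(value):
    """Parse a Graph ISO-8601 UTC timestamp such as 2024-05-01T09:30:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_offboarded_user(user, groups, offboarding_started):
    """Return findings where directory state contradicts the expected outcomes."""
    findings = []
    started = _ts(offboarding_started)

    # Suspend User: assumed to appear as accountEnabled == false.
    if user.get("accountEnabled") is not False:
        findings.append("account is still enabled")

    # Revoke OAuth Tokens: assumed to move signInSessionsValidFromDateTime
    # to a time at or after the start of the offboarding.
    valid_from = user.get("signInSessionsValidFromDateTime")
    if valid_from is None or _ts(valid_from) < started:
        findings.append("sign-in sessions not revoked since offboarding started")

    # Unassign Licenses: nothing should remain (auto-licensing may leave some).
    for lic in user.get("assignedLicenses", []):
        findings.append(f"license still assigned: {lic['skuId']}")

    # Remove From Groups: any remaining membership is a finding; dynamic
    # groups are called out because their query can re-add the user.
    for group in groups:
        name = group["displayName"]
        if "DynamicMembership" in group.get("groupTypes", []):
            rule = group.get("membershipRule", "unknown rule")
            findings.append(f"still in dynamic group {name} (rule: {rule})")
        else:
            findings.append(f"still in group {name}")
    return findings

# Constructed sample records shaped like Graph user and group resources.
SAMPLE_USER = {
    "userPrincipalName": "leaver@example.com",
    "accountEnabled": False,
    "signInSessionsValidFromDateTime": "2024-04-30T08:00:00Z",
    "assignedLicenses": [{"skuId": "00000000-0000-0000-0000-000000000001"}],
}
SAMPLE_GROUPS = [
    {"displayName": "All Sales Staff", "groupTypes": ["DynamicMembership"],
     "membershipRule": 'user.department -eq "Sales"'},
    {"displayName": "Project X", "groupTypes": []},
]

if __name__ == "__main__":
    for finding in audit_offboarded_user(
            SAMPLE_USER, SAMPLE_GROUPS, "2024-05-01T09:00:00Z"):
        print(finding)
```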
Delete User
Overview
The user is deleted from the tenant, both within CloudM Manage and Microsoft.
If this step is added to the workflow then the “Convert to Shared Mailbox” step cannot be added.
Expected Outcome
The user is deleted.
Possible Errors
- An error could occur if the user being offboarded has already been deleted within the source platform.