Microsoft Offboarding Steps - Troubleshooting

 

Generic errors

  • An error could occur if the user being offboarded has already been deleted within the source platform.
  • If the Microsoft APIs that we use to perform the operations are down, then we will receive errors.

 

Request Approval

Overview

The executor of the workflow will be prompted to approve the offboarding. 

The notification will be sent both in Automate, within the Notifications section, and by email. When approving via email, the executor will be taken to the “Offboard User” view, where they can approve the offboarding.

The email will be re-sent every 24 hours asking for approval. 

Once approved the offboarding will then continue onto the next step in the workflow. 

 

Expected Outcome

After approval of the offboarding the next step in the workflow should begin processing.

 

Possible Errors

  • An error could occur if the user that is meant to approve the offboarding has been deleted.
  • If a group is set as the executor, a “user” won't be able to approve.

 

Preemptively Suspend User

Overview

The user’s account will be suspended so that they cannot log in or use any services.

 

Expected Outcome

The user is suspended and cannot log in.

 

Possible Errors

  • An error could occur if the user being offboarded has already been deleted within the source platform.

 

Prompt For Resource Allocation

Overview

A prompt will be sent to the executor to set the target destination for the steps selected in the Offboarding Step. These destinations are then used to override the original destinations set at an overall offboarding workflow level. This will allow the user to set up a target for that specific user’s offboarding that will override the workflow settings.

Before the allocations are confirmed, the user can “check” whether the targets are valid users. A target can be an external user or a group mail address, but this could cause errors when performing the migrations, so the “check” will validate whether the targets set are valid user profiles. If not, then the step can still proceed but errors may occur due to the targets chosen.

The Offboarding process will not proceed until all resources have been allocated.

 

Expected Outcome

After approval of the resource allocation, the next step in the workflow should begin processing.

The targets for the steps specified for approval should then be set up for those steps.

 

Possible Errors

  • An error could occur if the user being offboarded has already been deleted within the Source platform.
  • For the steps specified, as stated above, if the target is not a User account registered within CloudM Automate, this could cause an error during the processing of those steps.
  • If the target user doesn’t have drive or mail enabled, or doesn’t have the correct licenses, this could also cause issues.

 

Change Password

Overview

Changes the user’s password to a random 16-digit alphanumeric code.

 

Expected Outcome

The user is unable to log in with their old password, and the new password is not made visible to anyone once the change has been applied.

 

Possible Errors

  • An error could occur if the user being offboarded has already been deleted within the source platform.

 

Revoke Application User's Accounts

Overview

For this step to be selectable for a workflow at least 1 Integration must be installed within CloudM Automate.

Any accounts the user has on any of the installed integrations configured in the workflow step will be locked down, so the user can no longer access them and the integrations will not be able to act on the user's behalf.

In some cases, depending on the third party application and how it has been configured within CloudM Automate, this could mean suspending the user account in the application, revoking their license or deleting the user account.

 

Expected Outcome

The user will not be able to log in to any of the accounts in the configured applications that have been integrated with CloudM Automate. The user accounts should have had any action performed on them too as set up in the Offboarding and / or Integrations.

 

Possible Errors

  • An error could occur if the user being offboarded has already been deleted within the source platform.
  • If the Integration has been removed since setting up the Offboarding or the authorization for the application is no longer valid, this could cause an error while trying to perform any operations in that application.
  • If the API we use for the 3rd party application is down, then this will return errors when trying to perform this step.

 

Revoke OAuth Tokens

Overview

Any OAuth tokens that have been issued for the user’s account will be revoked, along with any cookies contained within browsers. This will stop any applications accessing the user’s account on their behalf.

One of the following permissions must have been granted for us to perform this operation:
User.ReadWrite.All, Directory.ReadWrite.All. In the vast majority of cases, these permissions will have already been approved by the admins when logging into CloudM Automate.

 

Expected Outcome

All OAuth tokens are removed for the user, and applications can no longer perform operations on behalf of the user or access their information.

 

Possible Errors

  • An error could occur if the user being offboarded has already been deleted within the source platform.
  • We will be unable to revoke the tokens if neither of the following permissions has been granted, and this will result in an error: User.ReadWrite.All, Directory.ReadWrite.All
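
A troubleshooting aid for the permission error above, as an added example that is not CloudM code: it decodes the claims of an access token and reports whether either required permission is present. It assumes the token is a JWT carrying the `roles` (application) or `scp` (delegated) claim as Microsoft Entra ID issues them; the sample tokens are constructed and unsigned.

```python
import base64
import json

# The two permissions the step accepts, as listed above.
REQUIRED = {"User.ReadWrite.All", "Directory.ReadWrite.All"}

def token_permissions(access_token):
    """Decode (without verifying) a JWT payload and return its permissions.

    For diagnostics only: unverified claims must never drive an
    authorization decision.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    granted = set(claims.get("roles", []))          # application permissions
    granted |= set(claims.get("scp", "").split())   # delegated permissions
    return granted

def can_revoke(access_token):
    """Return (ok, matching) where ok is True if a required permission is held."""
    matching = sorted(token_permissions(access_token) & REQUIRED)
    return bool(matching), matching

def make_sample_token(claims):
    """Build a constructed, unsigned token for the demonstration below."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"

if __name__ == "__main__":
    missing = make_sample_token({"roles": ["User.Read.All"]})
    granted = make_sample_token({"scp": "User.ReadWrite.All Mail.Read"})
    print(can_revoke(missing))
    print(can_revoke(granted))
```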

 

Set Out of Office Message

Overview

The user will have the specified Out of Office settings applied to them. A subject and message can be provided for the email that is returned to anyone trying to contact this user. An executor can be selected and used in the subject or message as an alternative person to contact. 

The settings that are used are as follows: 

  • Always active - no schedule has been set.
  • Active for all people contacting the user, not just people within their domain or on their contacts list.

 

Expected Outcome

The Out of Office settings are set for the user and any emails sent to them will be automatically replied to with the configured subject and message.

 

Possible Errors

  • An error could occur if the user being offboarded has already been deleted within the source platform.
  • An error will occur if the user does not have a valid Office 365 license as we will be unable to access their Mailbox.

 

Rename User

Overview

The user is renamed in both CloudM Automate and the source platform, giving them an email address in the format specified in the step. By default this is a random ID.

 

Expected Outcome

The user is renamed in the correct format.

 

Possible Errors

  • An error could occur if the user being offboarded has already been deleted within the source platform.
  • If this step is used with other offboarding steps, there is a chance an error is shown stating that the profile cannot be located. However, the offboarding process will continue without issues.

Archive

Overview

The user's data is archived to long term storage which can be restored to another user account at a later date. The bucket where the information is to be archived can also be configured.

When archiving emails and documents a query can be provided to only archive certain items or all of them.

 

Expected Outcome

The items that were selected and matched any queries were archived to the bucket.

 

Possible Errors

  • An error could occur if the user being offboarded has already been deleted within the source platform.
  • Sometimes a file can fail to be processed by the Microsoft API and this will cause the step to fail. This can specifically happen if a file is listed as malware.
  • If a user is archived more than once, we can hit an issue with the fair use policy limit.

 

Known Errors

  • User is already archived to another bucket. This will show up if an admin tries to archive the user to a secondary bucket if the user already has data backed up to a primary bucket.
  • Invalid License Key - This will show if the license key is invalid from the portal key. A newly generated portal key will push it to the Automate instance and they should be in sync again.

 

Transfer Ownership of Documents

Overview

Any folders and documents that are owned by the offboarded user will be copied to the specified new owner account under the specified folder name. These are configured in the workflow step.

The folders and documents are placed in a new folder named using a template which can include profile attribute placeholders. If the user has multiple OneDrive document libraries, each will be migrated into a new folder created underneath the specified one. Alternatively, if the folder name template contains $library then that will be replaced with the name of the OneDrive document library.

Long folder paths may be truncated depending on the length of the new owner’s primary email address, the library name and the new folder name after the template has been expanded. Truncated folder and document names will have a ~1 suffix where 1 will be incremented to avoid name collisions.

We ensure any folder and document shares are maintained. 

A count of successful and failed files and folders is recorded in the CloudM Automate Audit Logs.

Without this step, any documents that the user hasn't shared will be deleted by Microsoft depending on the OneDrive retention policy.

 

Expected Outcome

The items that were owned by the user across all their OneDrive document libraries have been copied to the new owner that was specified in the workflow step.

The majority of the existing file structure has been preserved.

Any shares that were present have been recreated.

 

Possible Errors

  • An error could occur if the User being offboarded has already been deleted within the source platform.
  • An error could occur if either of the users does not have a mailbox license.

 

Migrate Calendar Events

Overview

The offboarded user’s primary calendar, as well as any calendars that they have created, are transferred to the specified user. 

The primary calendar is cloned and created in the target user’s calendar with the naming format specified in the workflow. 

The secondary calendars are cloned in the same way as the primary, but their name is the same as the existing calendar with the offboarded user’s original email address appended to it. 

Any recurring events are not linked to the original; they are just copies of the meetings in the offboarded user’s original calendar.

 

Expected Outcome

The calendars have been migrated to the specified user’s calendar. The primary calendar will have a name matching the one specified in the workflow step and any secondary calendars will have the same name but with the offboarded user’s original email address appended.

 

Possible Errors

  • An error could occur if the user being offboarded has already been deleted within the source platform.

 

Transfer Ownership of Groups

Overview

The ownership of any groups that the offboarded user owns is transferred to the specified user. The new owner can be specified in the workflow step.

Any existing members or admins of the groups will not be changed.

 

Expected Outcome

The ownerships of the groups are transferred to the specified user and all existing access remains.

 

Possible Errors

  • An error could occur if the user being offboarded has already been deleted within the source platform.

 

Transfer Contacts

Overview

The offboarded user’s contacts are transferred to the specified user’s contacts, into a folder whose name matches the one configured in the workflow step.

 

Expected Outcome

A folder matching the name specified in the workflow exists, containing the offboarded user’s contacts.

 

Possible Errors

  • An error could occur if the user being offboarded has already been deleted within the source platform.

 

Remove From Groups

Overview

The offboarded user is removed from any groups that they are a member of.

If the user is included in any Groups or Smart Teams that have dynamic memberships based on search queries, they could be re-added to the group depending on the query.

 

Expected Outcome

The user is removed from any groups.

 

Possible Errors

  • An error could occur if the user being offboarded has already been deleted within the source platform.

 

Migrate Emails

Overview

The offboarded user’s emails are migrated to the specified user. 

The emails will be placed into a folder with a name specified in the workflow settings. The original folder structure of the emails will be preserved during the migration, using the newly created folder as the root. 

A query can also be used to only migrate emails matching the query. This query uses Microsoft’s EWS Advanced Query String syntax.

A tolerance level can also be entered. This will mean that if the total failure rate of the transferred emails is above the threshold then the step is marked as “Failed”. 

A target for the email migration can only have one active migration at a time. This will mean that if 5 offboarded users all have the same target they will be processed one at a time. 

If the 5 offboarded users have different targets, they will be done in parallel. 

We periodically feed statistics on the migration back into CloudM Automate; these can be viewed when looking at the user’s offboarding.

If this step is added to a workflow then the “Convert to Shared Mailbox” step cannot be added.

If the step is aborted within CloudM Automate, the migration will actually continue to proceed. This will mean that if the step is aborted and then restarted, it may carry on with the existing migration since it was not stopped.

 

Expected Outcome

The emails matching the query are migrated to the specified user, under a folder whose name matches the provided template, with the same folder structure as in the offboarded user’s mailbox.

 

Possible Errors

  • An error could occur if the user being offboarded has already been deleted within the source platform.
  • If the target user does not have an Exchange license then the migrations will fail.

 

Unassign Licenses

Overview

Any licenses that the offboarded user has are unassigned.

We will output a list of the licenses that have been removed, some of which may be legacy licenses meaning that there will be less information about them in the CloudM Automate audit logs.

 

Expected Outcome

Any licenses are removed from the user.

 

Possible Errors

  • An error could occur if the user being offboarded has already been deleted within the source platform.
  • If the user has auto-licensing set up then we may be unable to remove the licenses that are managed in this way.

 

Suspend User

Overview

The user’s account will be suspended so that they cannot log in or use any services.

 

Expected Outcome

The user is suspended and cannot log in.

 

Possible Errors

  • An error could occur if the user being offboarded has already been deleted within the source platform.
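
To confirm the expected outcomes of the Change Password, Revoke OAuth Tokens, Remove From Groups, Unassign Licenses and Suspend User steps, the following added example (not CloudM code) checks a user record exported from Microsoft Graph. It assumes the standard Graph properties `accountEnabled`, `signInSessionsValidFromDateTime`, `lastPasswordChangeDateTime`, `assignedLicenses` and, on groups, `groupTypes`; the sample records and timestamps are constructed.

```python
from datetime import datetime

def parse_ts(value):
    # Graph returns ISO 8601 UTC timestamps such as 2024-05-01T09:30:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def verify_offboarding(user, groups, started_at):
    """Return a list of findings; an empty list means every check passed."""
    start = parse_ts(started_at)
    findings = []
    if user.get("accountEnabled", True):
        findings.append("account is still enabled")
    revoked = user.get("signInSessionsValidFromDateTime")
    if not revoked or parse_ts(revoked) < start:
        findings.append("sessions not revoked since offboarding started")
    changed = user.get("lastPasswordChangeDateTime")
    if not changed or parse_ts(changed) < start:
        findings.append("password not changed since offboarding started")
    if user.get("assignedLicenses"):
        findings.append(f"{len(user['assignedLicenses'])} license(s) still assigned")
    for g in groups:
        name = g["displayName"]
        if "DynamicMembership" in g.get("groupTypes", []):
            # A dynamic rule can re-add the user after removal.
            findings.append(f"member of dynamic group {name}: review its membershipRule")
        else:
            findings.append(f"member of static group {name}")
    return findings

# Constructed sample data (not taken from a real tenant).
STARTED_AT = "2024-05-01T09:00:00Z"
SAMPLE_USER = {
    "accountEnabled": False,
    "signInSessionsValidFromDateTime": "2024-05-01T09:05:00Z",
    "lastPasswordChangeDateTime": "2024-03-10T08:00:00Z",
    "assignedLicenses": [],
}
SAMPLE_GROUPS = [{"displayName": "All Staff", "groupTypes": ["DynamicMembership", "Unified"]}]

if __name__ == "__main__":
    for finding in verify_offboarding(SAMPLE_USER, SAMPLE_GROUPS, STARTED_AT):
        print("FAIL:", finding)
```

Run it before the Delete User step, since a deleted user can no longer be queried this way.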

 

Delete User

Overview

The user is deleted from the tenant, both within CloudM Automate and Microsoft.

If this step is added to the workflow then the “Convert to Shared Mailbox” step cannot be added.

 

Expected Outcome

The user is deleted.

 

Possible Errors

  • An error could occur if the user being offboarded has already been deleted within the source platform.

 
