Issue
When an account is suspended using Active Directory, its OAuth tokens, 2-step verification and application-specific passwords need to be revoked to reduce the risk of the suspended account being misused.
The account is temporarily unsuspended whilst CloudM runs the migration steps; if an Active Directory sync runs during this window, it re-suspends the account and aborts the offboarding. To prevent this, complete the steps below in both CloudM Automate and Active Directory.
Solution
In CloudM Automate:
- Create a new Organizational Unit.
- In each existing Offboarding workflow, add the 'Move User' offboarding step, and set its Destination OU to the Organizational Unit created in the first step.
- On the Offboarding Workflow for the newly created Organizational Unit, add the 'Revoke 2-Step Verification', 'Revoke Application Specific Passwords' and 'Revoke OAuth Tokens' offboarding steps.
- In Workflow Settings, optionally enable the 'Automatically Offboard Suspended Accounts' tick box.
In Active Directory:
- Set a rule that excludes specific Organizational Units from synchronization. In this case, exclude the Organizational Unit you created in the steps above. Find more information on how to do this here.
When Active Directory then runs its automatic syncs, it leaves any accounts within this Organizational Unit active, allowing CloudM to run all offboarding steps to completion before suspending the account.