About User Account Permanent Deletion
User Account Permanent Deletion policies automate the deletion of deprovisioned user accounts. Deprovisioned user accounts are retained for a specified amount of time before being permanently deleted. However, you can also configure the policy to only deprovision the user account, instead of deleting it after deprovisioning.
When processing a request to deprovision a user, Active Roles uses this policy to determine whether to schedule the deprovisioned user account for deletion. When scheduled for deletion, a user account is permanently deleted after a certain time period, referred to as a retention period.
A policy configured to delete user accounts specifies the number of days to retain deprovisioned user accounts. With such a policy, Active Roles permanently deletes a user account after the specified number of days has passed since the user was deprovisioned.
A policy can be configured not to delete user accounts. When applied at a certain level of the directory hierarchy, such a policy overrides any other policy of this category applied at a higher level of the directory hierarchy.
Let us consider an example to clarify this behavior. Suppose you configure a policy to delete accounts and apply that policy to a certain container. In general, the policy is passed down from parent to child containers, that is, the policy applies to all child containers beneath the parent container, causing Active Roles to delete deprovisioned user accounts in each container. However, if you configure a different policy not to delete accounts and apply that new policy to a child container, the child container policy overrides the policy inherited from the parent container. Active Roles does not delete deprovisioned user accounts in that child container or any container beneath that child container.
One more option of this policy is intended for domains where Active Directory Recycle Bin is enabled. The policy can be configured so that once a user account is deprovisioned, the account is moved to Recycle Bin (which effectively means that the account will be deleted immediately, without any retention period). Moving deprovisioned user accounts to the Recycle Bin may be required for security reasons, as an extra security precaution. The Active Directory Recycle Bin ensures that the account can be restored, if necessary, without any loss of data. Active Roles provides the ability to un-delete and then un-deprovision user accounts that were deprovisioned to the Recycle Bin.
For more information on configuring this Policy Object, see Configuring a User Account Permanent Deletion policy in the Active Roles Administration Guide.
About Office 365 Licenses Retention
Office 365 Licenses Retention policies automate the retention of all (or the selected) Microsoft 365 licenses assigned to an Azure AD user after successfully deprovisioning the Azure AD user.
When processing a request to deprovision an Azure AD user, Active Roles uses this policy to determine if the licenses assigned to the Azure AD user must be retained.
When an Azure AD User is deprovisioned, this policy ensures that the administrator-assigned Microsoft 365 licenses are retained based on the policy configuration.
You can configure the Office 365 Licenses Retention policy to specify how you want Active Roles to modify the Azure AD user’s licenses in Azure AD upon a request to deprovision the Azure AD user.
When an Azure user is deprovisioned from the Active Roles Console, Web Interface, or Management Shell, the Microsoft 365 licenses that were assigned to the user during user provisioning are retained based on the Office 365 Licenses Retention policy configuration. As per the policy set, all the licenses or only selected licenses are retained upon the user deprovision.
The changes that take effect after deprovisioning the user are reflected in the Azure portal and the Azure Properties > Licenses tab of the Azure AD user in the Web Interface.
Active Roles Console enables you to create a new Deprovisioning Policy Object or add to the existing Built-in Policy – User Default Deprovisioning policy. The Office 365 Licenses Retention policy from the User Deprovisioning Policies must be selected to enable retention of the required Microsoft 365 licenses upon Azure AD user deprovisioning.
NOTE: The Office 365 Licenses Retention policy is enabled only if Azure AD is configured.
For more information on configuring this Policy Object, see Configuring a Microsoft 365 license retention policy in the Active Roles Administration Guide.
About Group Object Deprovisioning
Group Object Deprovisioning policies specify the changes within an organization that make group objects in Active Directory deprovisioned, preventing their use. When initiated, this policy deprovisions the affected group(s) by:
-
Hiding the group(s) in the Global Address List (GAL) to prevent access to the group from Exchange Server client applications, such as Microsoft Outlook.
-
Changing the type of the group(s) from Security to Distribution to revoke access rights from the group.
-
Renaming the group(s) to clearly differentiate them from non-deprovisioned groups.
-
Removing members from the group(s) to revoke user access to resources controlled by the group(s). However, you can also specify members who will not be removed from the group(s).
In addition, you can also configure the policy to change or clear any properties of a group, such as its pre-Windows 2000 name, email address(es), or description.
When processing a request to deprovision a group, Active Roles uses this policy to modify the group object in Active Directory, so that once the group has been deprovisioned, it cannot be used.
A policy can also be configured to update individual properties of groups. Depending on the policy configuration, each policy-based update results in the following:
-
Certain portions of group information, such as information about group members, are removed from the directory.
-
Certain properties of groups are changed or cleared.
A policy can be configured so that new property values include:
-
Properties of the group being deprovisioned, retrieved from the directory prior to starting the process of the group deprovisioning.
-
Properties of the user who originated the deprovisioning request.
-
Date and time when the group was deprovisioned.
Thus, when deprovisioning a group, Active Roles modifies the group object in Active Directory as determined by the Group Object Deprovisioning policy that is in effect.
For more information on configuring this Policy Object, see Configuring a Group Object Deprovisioning policy in the Active Roles Administration Guide.
About Group Object Relocation
Group Object Relocation policies automate the movement of deprovisioned group objects to specified Organizational Units. This removes deprovisioned groups from the control of administrators who are responsible for managing the Organizational Units in which those groups were originally located. However, you can also configure this policy not to move deprovisioned groups.
When processing a request to deprovision a group, Active Roles uses this policy to determine whether to move the deprovisioned group object to a different Organizational Unit.
A policy configured to move group objects also specifies the destination Organizational Unit to which Active Roles moves deprovisioned group objects.
A policy can be configured not to move group objects. When applied at a certain level of the directory hierarchy, such a policy overrides any other policy of this category applied at a higher level of the directory hierarchy.
For more information on configuring this Policy Object, see Configuring a Group Object Relocation policy in the Active Roles Administration Guide.
