Chat now with support
Chat with Support

Active Roles 8.1.4 - Administration Guide

Introduction Getting started with Active Roles Configuring rule-based administrative views Configuring role-based administration Rule-based autoprovisioning and deprovisioning
Provisioning Policy Objects Deprovisioning Policy Objects How Policy Objects work Policy Object management tasks Policy configuration tasks
Property Generation and Validation User Logon Name Generation Group Membership AutoProvisioning Exchange Mailbox AutoProvisioning AutoProvisioning in SaaS products OneDrive Provisioning Home Folder AutoProvisioning Script Execution Microsoft 365 and Azure Tenant Selection E-mail Alias Generation User Account Deprovisioning Office 365 Licenses Retention Group Membership Removal Exchange Mailbox Deprovisioning Home Folder Deprovisioning User Account Relocation User Account Permanent Deletion Group Object Deprovisioning Group Object Relocation Group Object Permanent Deletion Notification Distribution Report Distribution
Deployment considerations Checking for policy compliance Deprovisioning users or groups Restoring deprovisioned users or groups Container Deletion Prevention policy Picture management rules Policy extensions
Using rule-based and role-based tools for granular administration Workflows
Key workflow features and definitions About workflow processes Workflow processing overview Workflow activities overview Configuring a workflow
Creating a workflow definition for a workflow Configuring workflow start conditions Configuring workflow parameters Adding activities to a workflow Configuring an Approval activity Configuring a Notification activity Configuring a Script activity Configuring an If-Else activity Configuring a Stop/Break activity Configuring an Add Report Section activity Configuring a Search activity Configuring CRUD activities Configuring a Save Object Properties activity Configuring a Modify Requested Changes activity Enabling or disabling an activity Enabling or disabling a workflow Using the initialization script
Approval workflow Email-based approval Automation workflow Activity extensions
Temporal Group Memberships Group Family Dynamic groups Active Roles Reporting Management History Entitlement profile Recycle Bin AD LDS data management One Identity Starling Join and configuration through Active Roles Managing One Identity Starling Connect Configuring linked mailboxes with Exchange Resource Forest Management Configuring remote mailboxes for on-premises users Migrating Active Roles configuration with the Configuration Transfer Wizard Managing Skype for Business Server with Active Roles
About Skype for Business Server User Management Active Directory topologies supported by Skype for Business Server User Management User Management policy for Skype for Business Server User Management Master Account Management policy for Skype for Business Server User Management Access Templates for Skype for Business Server Configuring the Skype for Business Server User Management feature Managing Skype for Business Server users
Exchanging provisioning information with Active Roles SPML Provider Monitoring Active Roles with Management Pack for SCOM Configuring Active Roles for AWS Managed Microsoft AD Azure AD, Microsoft 365, and Exchange Online Management
Configuring Active Roles to manage Hybrid AD objects Unified provisioning policy for Azure M365 Tenant Selection, Microsoft 365 License Selection, Microsoft 365 Roles Selection, and OneDrive provisioning Changes to Active Roles policies for cloud-only Azure objects
Managing the configuration of Active Roles
Connecting to the Administration Service Managed domains Using unmanaged domains Evaluating product usage Creating and using virtual attributes Examining client sessions Monitoring performance Customizing the Console Using Configuration Center Changing the Active Roles Admin account Enabling or disabling diagnostic logs Active Roles Log Viewer
SQL Server replication Using regular expressions Administrative Template Configuring federated authentication Communication ports Active Roles and supported Azure environments Integrating Active Roles with other products and services Active Roles Language Pack Active Roles Diagnostic Tools Active Roles Add-on Manager

How the Microsoft 365 Licenses Retention policy works

When processing a request to deprovision an Azure AD user, Active Roles uses this policy to determine if the licenses assigned to the Azure AD user must be retained.

When an Azure AD User is deprovisioned, this policy ensures that the administrator-assigned Microsoft 365 licenses are retained based on the policy configuration.

You can configure the Office 365 Licenses Retention policy to specify how you want Active Roles to modify the Azure AD user’s licenses in Azure AD upon a request to deprovision the Azure AD user.

When an Azure user is deprovisioned from the Active Roles Console, Web Interface, or Management Shell, the Microsoft 365 licenses that were assigned to the user during user provisioning are retained based on the Office 365 Licenses Retention policy configuration. As per the policy set, all the licenses or only selected licenses are retained upon the user deprovision.

The changes that take effect after deprovisioning the user are reflected in the Azure portal and the Azure Properties > Licenses tab of the Azure AD user in the Web Interface.

Active Roles Console enables you to create a new Deprovisioning Policy Object or add to the existing Built-in Policy – User Default Deprovisioning policy. For instructions on how to create a Deprovisioning Policy Object, see Creating a Policy Object. The Office 365 Licenses Retention policy from the User Deprovisioning Policies must be selected to enable retention of the required Microsoft 365 licenses upon Azure AD user deprovisioning.

NOTE: The Office 365 Licenses Retention policy is enabled only if Azure AD is configured.

Configuring a Microsoft 365 license retention policy

You can configure a new Microsoft 365 license retention policy with the Office 365 License Retention policy type in the Active Roles Console.

To configure an Microsoft 365 license retention policy

  1. On the Policy to Configure page, select Office 365 License Retention, then click Next.

    Figure 64: Office 365 Licenses Retention page

  2. On the Office 365 Licenses Retention page, select the options you want the policy to apply when deprovisioning the Azure AD user.

    • Select the tenant from which the licenses have to be retained for the user from the drop-down list.

    • Select the check box corresponding to Retain all the licenses option to enable the deprovisioned Azure AD user to retain all the Microsoft 365 licenses after successful deprovisioning.

    • Select the check boxes corresponding to the specific Microsoft 365 subscription plans and licenses that the deprovisioned Azure AD must retain after successful deprovisioning.

  3. Click Next.

    The Enforce Policy page is displayed, which enables you to specify objects to which this Policy Object is to be applied.

  4. Click Add, and use the Select Objects dialog to locate and select the objects on which you want to enforce the policy.

  5. Click Next, then click Finish.

NOTE: Consider the following when configuring an Microsoft 365 licenses retention policy:

  • After performing an Undo Provisioning operation on the deprovisioned Azure AD user, the original licenses assignment made to the user at the time of user provisioning is restored to the user.

  • In Active Roles with Office365 Licenses Rention policy applied, when a deprovisioned Azure AD user tries to set licenses, a policy violation error is displayed.

  • For more information on deprovisioning Policy Objects and creating new deprovisioning policies see Deprovisioning Policy Objects and Creating a Policy Object.

Report on deprovisioning results

The Deprovisioning Results window displays the deprovision operation results pertaining to the Office 365 Licenses Retention policy. The results display a report of the success or failure of the policy.

Table 11: Office 365 License Retention policy

Report item (success)

Report item (failure)

In accordance with the policy, the Azure AD user's Office 365 licenses are retained.

Not applicable

Azure User Office 365 licenses are retained.

Not applicable

Group Membership Removal

Policies in this category are intended to automate the removal of deprovisioned user accounts from groups. A policy can be configured to remove user accounts from all groups with optional exceptions. Individual policy rules can be applied to security groups and to mail-enabled groups of both the security and distribution type.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating