Deprov - Sleep


I have a need for my deprovision policy to pause for 45 minutes. Let me give you some background so that it might help. Maybe you have a better way of handling this?

We have on-prem AD and we synchronise our users up to Azure AD via the Azure AD Connect application.

I have an AR dynamic group that puts a user account into a security group. This security group is then part of an Azure license. Just as an example, Dynamic GroupA gives members access to MS Teams.

Now what I need to happen during the deprov process is that it removes the user account from all security groups, which it does. I then need it to wait 45 minutes until the Azure AD Connect sync runs. This will then remove the Azure user from the groups and give the license back to the pool.

After 45 mins, continue with the rest of the deprov process.

Basically, if we simply deprov and disable the account and the Azure sync runs, then the account is moved into the Azure recycle bin for 30 days with all licenses still assigned. I see this post but I am unable to comment on whether a solution was found.

Pause/Wait in a script during deprovision?

Thanks in advance for any suggestions. 

  • My suggestion would be as follows:

    Break the deprovisioning into two parts:

    1) Create a VA, e.g. "edsvaDeprovPart1", that you set with your deprovision command in the GUI.

    2) Create a change workflow that reacts to the setting of this VA and performs your group membership removal.

    The VA (which can be just a boolean) is also used to populate a "queue" Managed Unit that holds users waiting to be fully deprovisioned.

    3) Create an Automation workflow that runs on a schedule and scans / enumerates the above queue once per hour and actually deprovisions the users who have the above VA set.

    That will give your AADC and tenant plenty of time to do their thing.

  • Thanks mate. That's a good suggestion. Will look into that further.

  • Can you just expand a bit on point 1? I am fine with the creation of the virtual attribute part. If you could just expand on this part a bit for me so that I follow 100%: "that you set with your deprovision command in the GUI."

    1) Create a VA, e.g. "edsvaDeprovPart1", that you set with your deprovision command in the GUI.

  • Right... so when you create new commands in the Web UI, you have several options for what that command can do: start a wizard (i.e. object creation), open a properties page, or set a property.

    I am suggesting you implement a custom (deprovision?) command that stamps the VA.

    You would associate the command with user objects so that it appears in the right command pane when you select a user.

  • Thanks mate. Yes, never needed to create a custom command yet, so just a bit hazy on that part.

  • Hi mate. Sorry, just want to clarify something so I am not barking up the wrong tree.

    Steps 1 and 2 from your suggestion are done. I am looking at step 3. Again, I have never set up deprov through an automation task. When I drag the deprov step into the configuration and open it, I am not seeing similar steps to what I would have in a deprovision policy. Is there a way of calling a policy I already have set? Sorry if I am missing something.

  • The deprov activity in the workflow will just initiate whatever steps are built into the deprovisioning policy linked to the OU where the user lives. Does that make sense?

  • Ok, yes, I think I understand. So if I have a deprov policy and it's linked to the OU where the user is being deprov'd from, then it will execute it. What's throwing me is that the deprov config on the workflow is asking me to define an activity and I am not 100% sure what it wants from me here.

  • It needs to know where to get the objects to be acted upon.

    Therefore, you have to put a Search Activity in your workflow to enumerate the contents of the "deprovisioning queue". You would configure the Managed Unit I talked about as the container to be searched.

    Then, you drop your deprovision Activity inside the workspace of the Search.

    You will then be able to configure your target as "Object found by search activity".
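    The queue-scan step above can also be expressed as a script run on the same hourly schedule, which some readers may find easier to reason about than the workflow designer. The following is an added example written for this thread, not code posted by either participant and not an Active Roles product sample. It assumes the Active Roles Management Shell (the Q cmdlets) is installed, that the boolean VA "edsvaDeprovPart1" from step 1 exists, and that the step-2 change workflow also stamps a second, hypothetical text VA "edsvaDeprovQueuedAt" with a UTC ISO-8601 timestamp when it removes the group memberships. The proxy host name and OU are placeholders, and the Deprovision-QADUser cmdlet is assumed to be available in the installed shell version (it invokes the deprovisioning policy linked to the user's OU, exactly as the workflow's deprovision activity does).

```powershell
# Added example for this thread (not the original poster's or One Identity's code).
# Scans the deprovisioning "queue" and deprovisions only those users whose group
# removal happened at least 45 minutes ago, leaving time for an AADC sync cycle.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ProxyService      = 'activeroles.corp.example.com',   # assumed AR proxy host
    [string]$SearchRoot        = 'OU=Users,DC=corp,DC=example,DC=com', # assumed OU
    [int]   $MinimumAgeMinutes = 45                                   # AADC margin from the question
)

Import-Module ActiveRolesManagementShell -ErrorAction Stop
# Connect through the Active Roles proxy so virtual attributes are readable/writable.
Connect-QADService -Service $ProxyService -Proxy | Out-Null

$cutoff = (Get-Date).ToUniversalTime().AddMinutes(-$MinimumAgeMinutes)

# Enumerate the queue by attribute value rather than by Managed Unit membership,
# so an account that has already been disabled is still found on a later pass.
$queued = Get-QADUser -Proxy -SearchRoot $SearchRoot -SizeLimit 0 `
            -IncludedProperties edsvaDeprovPart1, edsvaDeprovQueuedAt |
          Where-Object { $_.edsvaDeprovPart1 -eq $true }

foreach ($user in $queued) {
    $sam = $user.SamAccountName

    # Parse the timestamp the step-2 workflow wrote (assumed format: (Get-Date).ToUniversalTime().ToString('o')).
    try {
        $queuedAt = [datetime]::Parse($user.edsvaDeprovQueuedAt,
                                      [cultureinfo]::InvariantCulture,
                                      [System.Globalization.DateTimeStyles]::RoundtripKind).ToUniversalTime()
    } catch {
        Write-Warning "${sam}: edsvaDeprovQueuedAt is missing or unparsable; skipping"
        continue
    }

    if ($queuedAt -gt $cutoff) {
        Write-Verbose "${sam}: queued at $queuedAt UTC, still inside the $MinimumAgeMinutes-minute sync window"
        continue
    }

    # Safety check: step 2 should already have emptied the group list. If it has not,
    # deprovisioning now would carry the licence-bearing groups into the tenant recycle bin.
    $leftover = @($user.MemberOf | Where-Object { $_ })
    if ($leftover.Count -gt 0) {
        Write-Warning "${sam}: still a member of $($leftover.Count) group(s); skipping this pass"
        continue
    }

    if ($PSCmdlet.ShouldProcess($sam, 'Deprovision via linked policy')) {
        Deprovision-QADUser -Identity $user.DN            # assumed cmdlet; runs the OU's deprov policy
        # Clear the queue flag so the account is not picked up again on the next pass.
        Set-QADUser -Proxy -Identity $user.DN -ObjectAttributes @{
            edsvaDeprovPart1   = $false
            edsvaDeprovQueuedAt = $null
        }
    }
}
```

    Run it with -WhatIf first to see which accounts are past the sync window; the timestamp check means a user queued two minutes before the hourly run waits for the following run instead of being deprovisioned early.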

  • Thanks mate. I really appreciate your help, and you learn something new every day. This is now working. I do have a small question.

    So as said, this is all working. Just as a test right now I have:

    The three steps that you suggested +

    A deprov policy that all it does is disable the account.

    When the deprov workflow runs, it is indeed disabling the account as I want. But the account is then removed from the managed unit altogether. The account is still in the original OU, disabled. What I am confused about is that the account still has the value of TRUE set for the VA, which puts them in the managed unit in the first place. I have nothing set on that managed unit to say only show me enabled accounts.

    Any ideas, or is this just the way it works when the account is disabled in a managed unit?