Deprov - Sleep

Guys. 

I have a need for my deprovision policy to pause for 45 minutes. Let me give you some background so that it might help. Maybe you have a better way of handling this?

We have on-prem AD and we synchronise our users up to Azure AD via the Azure AD Connect application.

I have an AR dynamic group that puts a user account into a security group. This security group is then part of an Azure license. Just as an example, Dynamic GroupA gives members access to MS Teams.

Now what I need to happen during the deprov process is that it removes the user account from all security groups, which it does. I then need it to wait 45 minutes until the Azure AD Connect sync runs. This will then remove the Azure user from the groups and give the license back to the pool.

After 45 mins continue with the rest of the deprov process. 

Basically, if we simply deprov and disable the account and the Azure Sync runs, then the account is moved into the Azure recycle bin for 30 days with all licenses still assigned. I see this post but I am unable to comment if a solution was found.

 Pause/Wait in a script during deprovision? 

Thanks in advance for any suggestions. 

  • My suggestion would be as follows:

    Break the deprovisioning into two parts:

    1) Create a VA e.g. "edsvaDeprovPart1" that you set with your deprovision command in the GUI.

    2) Create a change workflow that reacts to the setting of this VA and performs your group membership removal.  

    The VA (can be just boolean) is also used to populate a "queue" Managed Unit that holds users waiting to be fully deprovisioned.

    3) Create an Automation workflow that runs on a schedule and scans / enumerates the above queue once per hour and actually deprovisions the users who have the above VA set.

    That will give your AADC and tenant plenty of time to do its thing.
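One way to write the script step for the scheduled Automation workflow in step 3, added here as an example and not code from this thread or from the product vendor. It assumes the ActiveRoles Management Shell cmdlets (`Connect-QADService`, `Get-QADUser`, `Set-QADUser`, `Deprovision-QADUser`) are loaded; the Managed Unit DN and the timestamp attribute `edsvaDeprovPart1Time` are hypothetical, and the timestamp check goes beyond the boolean-only VA suggested above so that a user flagged just before a scheduled run still waits the full 45 minutes.

```powershell
# Added example, not from the thread. Assumes the ActiveRoles Management Shell
# cmdlets are loaded in the session and the workflow account has AR proxy access.
$QueueMU   = 'CN=Deprov Queue,CN=Managed Units,CN=Configuration' # hypothetical MU DN
$FlagAttr  = 'edsvaDeprovPart1'      # boolean VA set in step 1
$StampAttr = 'edsvaDeprovPart1Time'  # hypothetical VA: UTC time step 2 finished
$MinWait   = [TimeSpan]::FromMinutes(45)

function Test-ReadyForDeprov {
    # True only when the flag is set AND the stamp is at least $Wait old.
    param($Flag, [string]$Stamp, [datetime]$NowUtc, [TimeSpan]$Wait)
    if ($Flag -ne $true -or [string]::IsNullOrWhiteSpace($Stamp)) { return $false }
    $parsed = [datetime]::MinValue
    $styles = [Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal'
    $ok = [datetime]::TryParse($Stamp, [Globalization.CultureInfo]::InvariantCulture,
                               $styles, [ref]$parsed)
    if (-not $ok) { return $false }   # unparseable stamp: do not deprovision yet
    return ($NowUtc - $parsed) -ge $Wait
}

Connect-QADService -Proxy | Out-Null
$now    = [datetime]::UtcNow
$queued = Get-QADUser -SearchRoot $QueueMU -Proxy -SizeLimit 0 `
                      -IncludedProperties $FlagAttr, $StampAttr

foreach ($u in $queued) {
    $flag  = $u.$FlagAttr
    $stamp = $u.$StampAttr
    if (Test-ReadyForDeprov -Flag $flag -Stamp $stamp -NowUtc $now -Wait $MinWait) {
        # Group removal has had a full sync window; run the real deprovision policy.
        Deprovision-QADUser -Identity $u.DN -Proxy
        # Clear the flag so the user leaves the queue and is not processed again.
        Set-QADUser -Identity $u.DN -Proxy -ObjectAttributes @{ $FlagAttr = $false } | Out-Null
        Write-Output "Deprovisioned $($u.DN)"
    } else {
        # Too recent, or stamp missing: leave in the queue for the next run.
        Write-Output "Waiting: $($u.DN) (stamp='$stamp')"
    }
}
```

The change workflow from step 2 would need to write the UTC time into the timestamp attribute when it finishes removing group memberships.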

  • Thanks mate. That's a good suggestion. Will look into that further.
