Deprov - Sleep

My suggestion would be as follows:

Break the deprovisioning into two parts:

1) Create a VA e.g. "edsvaDeprovPart1 " that you set with your deprovision command in the GUI.

2) Create a change workflow that reacts to the setting of this VA and performs your group membership removal.  

The VA (can be just boolean) is also used to populate a "queue" Managed Unit that holds users waiting to be fully deprovisioned.

3) Create an Automation workflow that runs on a schedule and scans / enumerates the above queue once per hour and actually deprovisions the users who have the above VA set.

That will give your AADC and tenant plenty of time to do its thing.

Can you just expand a bit on point 1. I am fine with the creation of a Virtual attribute part. If you could just expand on this part a bit for me so that i follow 100% "that you set with your deprovision command in the GUI."

1) Create a VA e.g. "edsvaDeprovPart1 " that you set with your deprovision command in the GUI.

Thanks mate. Yes never needed to create a custom command yet so just a bit hazy on that part. 

Hi mate. Sorry just want to clarify something so I am not barking up the wrong tree. 

Step 1 and 2 from your suggestion is done. I am looking at step 3. Again I have never setup Deprov through an automation task. When i drag the deprov step in to the configuration and open it. I am not seeing similar steps as to what i would have in a deprovision policy. Is there away of calling a policy i already have set? Sorry if i am missing something 

The deprov activity in the workflow will just initiate whatever steps are built into the deprovisioning policy linked to the OU where the user lives.  Does that make sense?

Ok yes I think I understand. So if i have a deprov policy and its linked to the OU where the user is being deprov from then it will execute it. What throwing me is the deprov config on the workflow is asking me to define an activity and i am not 100% sure what it wants from me here. 

It needs to know where to get the objects to be acted upon.

Therefore, you have to put a Search Activity in your workflow to enumerate the contents of the "deprovisioning queue".   You would configure the Managed Unit I talked about as the container to be searched.

Then, you drop your deprovision Activity inside the workspace of the Search.

You will then be able to configure your target as "Object found by search activity"

Thanks mate. I really appreciate your help and you learn something new everyday. This is now working. I do have a small question. 

So as said this is all working. Just as a test right now I have

The three steps that you suggested +

Deprov policy that all it does is disable the account

When the deprov work flow runs it is indeed disabling the account as I want. But the account is then removed from the managed unit altogether. The account is still in the original OU disabled. What i am confused about is the account still has the value of TRUE set for the VA which puts them in the managed unit in the first place. I have nothing set on that managed unit to say only show me enabled accounts. 

Any ideas or is this just they way it works when the account is disabled in a managed unit? 

The account is hidden due to its deprovisioned state.

This is a default behaviour of Active Roles. 

Thanks mate. You have been really helpful. most appreciated. 

I do have another question and what your thoughts are.  

So lets say user account VA is set to true and it shows up in the managed unit at 10:55AM but the scheduled task is set to run once an hour. That only leaves 5 mins and not enough time for Azure syncs to run etc. Is there a way handling this so that it only executes on accounts that have been in the managed unit for at least 40 mins already? another VA with a time stamp maybe? I 

I do have another question and what your thoughts are.  

So lets say user account VA is set to true and it shows up in the managed unit at 10:55AM but the scheduled task is set to run once an hour. That only leaves 5 mins and not enough time for Azure syncs to run etc. Is there a way handling this so that it only executes on accounts that have been in the managed unit for at least 40 mins already? another VA with a time stamp maybe? I 

I have this script that I am using to stamp the account with the time it was executed.  This is being executed via the workflow.

So steps would be

Custom command run on user account which changed the VA to TRUE. 

User account ends up in the managed unit. 

I can have the work change attributes that are already set from say TRUE to FALSE but its not updating the attribute below.  Any ideas? 

function onPostModify($Request)
{
set-QADUser -Identity $Request.GUID -ObjectAttributes @{ 'Azure-Deprovision-DateTime' = Get-Date -Format HH:mm} -proxy
}

 Hi craig mcfarlane 

Try the below

set-QADUser -Identity $Request.GUID -ObjectAttributes @{'Azure-Deprovision-DateTime'=$((Get-Date -Format HH:mm).ToString())} -proxy