Deprov - Sleep

Guys. 

I have a need for my deprovision policy to pause for 45 minutes. Let me give you some background so that it might help. Maybe you have a better way of handling this?

We have onPrem AD and we synchronise our users up to Azure AD via the Azure AD connect application. 

I have an AR dynamic group that puts a user account into a security group. This security group is then part of an Azure license. Just as an example, Dynamic GroupA gives members access to MS Teams.

Now what I need to happen during the deprov process is that it removes the user account from all security groups, which it does. I then need it to wait 45 minutes until the Azure AD Connect sync runs. This will then remove the Azure user from the groups and give the license back to the pool.

After 45 mins continue with the rest of the deprov process. 

Basically, if we simply deprov and disable the account and the Azure sync runs, then the account is moved into the Azure recycle bin for 30 days with all licenses still assigned. I see this post but I am unable to comment if a solution was found:

Pause/Wait in a script during deprovision?

Thanks in advance for any suggestions. 

  • The account is hidden due to its deprovisioned state.

  • This is a default behaviour of Active Roles. 

  • Thanks mate. You have been really helpful. Most appreciated.

  • I do have another question, and I'd like to know what your thoughts are.

    So let's say user account VA is set to true and it shows up in the managed unit at 10:55AM, but the scheduled task is set to run once an hour. That only leaves 5 mins and not enough time for Azure syncs to run etc. Is there a way of handling this so that it only executes on accounts that have been in the managed unit for at least 40 mins already? Another VA with a time stamp maybe? I

  • I have this script that I am using to stamp the account with the time it was executed. This is being executed via the workflow.

    So steps would be

    Custom command run on user account which changes the VA to TRUE.

    User account ends up in the managed unit. 

    I can have the workflow change attributes that are already set from say TRUE to FALSE, but it's not updating the attribute below. Any ideas?

    # Post-modify policy script handler: runs after the request that set the VA has been applied.
    function onPostModify($Request)
    {
        # Stamp the user with the current time (HH:mm only), writing through the Active Roles proxy.
        Set-QADUser -Identity $Request.GUID -ObjectAttributes @{ 'Azure-Deprovision-DateTime' = Get-Date -Format HH:mm } -Proxy
    }

  • Thinking off the top of my head, there could be a different method, similar to Johnny's but utilising Sync Services also.

    Customers sometimes ask if there is a way to do some action on an onPrem user once they've been synced with Azure AD (via AAD Connect). One of the sure-fire ways (that doesn't require scripts to wait) is after the Azure Backsync to ARS has configured the immutableID and Office365Enable flag (i.e. a change workflow on the user object where, if the ImmutableID is present and the Office365Flag is true, we do something).

    Ordinarily we're only looking for matching objects, and as at this point the account still exists in Azure it would still be a matching record. If you were to sync an additional attribute from Azure back to Active Roles, into your own VA, you could have a workflow configured on change to that attribute, which would then trigger the deprovisioning of the account in full.

    So the process would be something similar to the below:

    1) Create a custom command which sets some AD attribute (which AAD Connect syncs to the Azure user object).

    2) Have a Change Workflow which triggers when the AD attribute is changed, where if it's true, the onPrem account is disabled; if it is cleared or set to false, the account is enabled.

    3) Let AAD Connect sync to Azure.

    4) The Azure AD Backsync into Active Roles would set a custom VA with the value synced from the onPrem user via AAD Connect.

    5) Have another Change Workflow which is triggered on change to the custom VA. Within the workflow you'd have an If/Else branch, where:

       If <OnPrem AD Attribute> = True and <Custom VA> = True

           Deprovision account

       Else (<OnPrem AD Attribute> = False or Null) and (<Custom VA> = False or Null) and (DeprovisionStatus = Deprovisioned)

           Undo Deprovision the account

           Clear both the OnPrem and Custom VA attribute values


  • Hi

    Try the below:

    # Force the formatted time to a plain string before handing it to the attribute.
    Set-QADUser -Identity $Request.GUID -ObjectAttributes @{ 'Azure-Deprovision-DateTime' = $((Get-Date -Format HH:mm).ToString()) } -Proxy

  • Thanks mate. I will keep this solution in the back of my mind for now.

    I am trying to have the workflow update an attribute with a time stamp, and it's driving me nuts that it's not doing it.

  • Within a workflow you could use an "Update" activity step.

    Add that to your workflow, which would look like this:

    Open the properties of the "Change object Properties" activity and provide a name and description.

    Define the activity's target, which, if inside an Automation Workflow, would likely be "Object Found by search Activity".

    Within Target Properties, click "Add Property", select your Azure-Deprovision-DateTime attribute, then click "Define".

    If you're just setting it to the current time and day, then choose "Workflow date and time", select the string format, and use the current date and time.

    If you want to set it 45 minutes from the current time, then you'd probably need a script, which you'd reference by choosing "Value generated by rule expression".

    Then you'd click "Add Entry" and select "Value generated by script".

    Then link the script and the function in the script to call.

    That script would need to return a valid value back to the workflow.

    Hope that helps

  • Thanks mate. Your suggestion has been mega helpful and it's now stamping the account with the time. Slight snag though: I only want the time, and in the date and time string I selected HH:mm, but when I look at the attribute it's date and time. The VA for the date and time is UTC; not sure if that's what's doing it.

    So I need to overcome that and then explore the script section that you mentioned.
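A worked example that covers the "at least 40 minutes in the managed unit" question, the "Value generated by script" step and the UTC/HH:mm snag above. This is added code, not from the thread or from One Identity; it assumes the Quest/ActiveRoles cmdlets used in the thread (Set-QADUser with -Proxy), the $Request object handed to policy scripts, the 'Azure-Deprovision-DateTime' string VA, and that $Request.Get(...) reads an attribute from the request (assumed, not shown on the page).

```powershell
# Added example (not the thread's or One Identity's code). Assumes the QAD
# cmdlets, a string VA 'Azure-Deprovision-DateTime', and $Request.Get (assumed).
$StampAttribute = 'Azure-Deprovision-DateTime'
$Culture        = [System.Globalization.CultureInfo]::InvariantCulture
$ParseStyle     = [System.Globalization.DateTimeStyles]::RoundtripKind

# The round-trip ("o") format keeps date, time and the UTC marker, so a stamp
# written at 23:50 is still older than one written at 00:10 the next day
# (an HH:mm-only stamp cannot tell those apart) and the UTC VA is unambiguous.
function Get-DeprovisionStamp
{
    return [DateTime]::UtcNow.ToString('o', $Culture)
}

# Same stamp pushed 45 minutes ahead, for a "run after" value generated by script.
function Get-DeprovisionDueTime
{
    return [DateTime]::UtcNow.AddMinutes(45).ToString('o', $Culture)
}

# Policy-script handler as in the thread, writing the full stamp instead of HH:mm.
function onPostModify($Request)
{
    $attrs = @{}
    $attrs[$StampAttribute] = Get-DeprovisionStamp
    Set-QADUser -Identity $Request.GUID -ObjectAttributes $attrs -Proxy
}

# $true only when the stamp parses and is at least $MinimumMinutes old.
# A missing or malformed stamp returns $false, so the hourly task skips the
# account instead of deprovisioning it before the AAD Connect sync has run.
function Test-DeprovisionReady([string]$Stamp, [int]$MinimumMinutes = 40)
{
    if ([string]::IsNullOrWhiteSpace($Stamp)) { return $false }
    $stamped = [DateTime]::MinValue
    if (-not [DateTime]::TryParseExact($Stamp, 'o', $Culture, $ParseStyle, [ref]$stamped)) {
        return $false
    }
    $age = [DateTime]::UtcNow - $stamped.ToUniversalTime()
    return ($age.TotalMinutes -ge $MinimumMinutes)
}

# Condition for the workflow If/Else branch: read the VA from the request and decide.
function IsReadyForDeprovision($Request)
{
    return Test-DeprovisionReady -Stamp ([string]$Request.Get($StampAttribute))
}
```

Test-DeprovisionReady is pure, so it can be checked in a plain console with a constructed stamp such as ([DateTime]::UtcNow.AddMinutes(-50)).ToString('o') before wiring it into the workflow.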