Active Roles Community

Forum Disable Azure User through Microsoft Graph Powershell

State Suggested Answer
Replies 9 replies
Answers 1 answer
Subscribers 68 subscribers
Views 6768 views
Users 0 members are here

Options

Related

Disable Azure User through Microsoft Graph Powershell

sander.martijn over 2 years ago

Hi,

I am looking for a method to disable an Azure cloud account when a change to an on-premises user happens.

What I am thinking about is:

The on-premises AD user has the cloud UPN filled in on extensionAttribute1 (John.Doe@company.onmicrosoft.com)
When the on-premises user is disabled, a workflow should check the value of extensionAttribute1 and execute a Powershell script to disable the user in the Cloud.

I am not using Azure AD connect to sync users between on-premises and the cloud and the 2 identities are completely separate from each other.

Any suggestions?

Thanks.

Parents

0 JohnnyQuest over 2 years ago

Assuming you have your tenant configured / connected in Active Roles and all objects matched up with their Cloud equivalents, you don't have to resort to Graph for this.

Rather, you can just set the attribute edsaAzureUserAccountEnabled to FALSE and this will disable the Cloud object for you.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 sander.martijn over 2 years ago in reply to JohnnyQuest

So my on-premises user (testuser@ad.local) has an extensionattribute1 (value: John.Doe@company@onmicrosoft.com) filled in. What I want is that during the deprovisioning of the account "testuser@ad.local) the cloud only account "John.Doe@company.onmicrosoft.com" gets disabled.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 JohnnyQuest over 2 years ago in reply to sander.martijn

You need to make a Change Workflow that is configured with an OnDeprovision start condition, and contains an Update Activity that sets the edsaAzureUserAccountEnabled property of your testuser@ad.local (identified as the Workflow Target) to FALSE.

Assumption: You have Active Roles admin service setup to communicate with your Office 365 tenant.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Reply

0 JohnnyQuest over 2 years ago in reply to sander.martijn

You need to make a Change Workflow that is configured with an OnDeprovision start condition, and contains an Update Activity that sets the edsaAzureUserAccountEnabled property of your testuser@ad.local (identified as the Workflow Target) to FALSE.

Assumption: You have Active Roles admin service setup to communicate with your Office 365 tenant.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Children

0 JohnnyQuest over 2 years ago in reply to JohnnyQuest

Second assumption: Your testuser@ad.local user's edsvaAzureObjectId contains the GUID of your Office 365 object John.Doe@company.onmicrosoft.com
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 sander.martijn over 2 years ago in reply to JohnnyQuest

Hi,

Just to be sure but do you mean the Synchronization Service or Azure AD Configuration settings in the Configuration Center?
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 JohnnyQuest over 2 years ago in reply to sander.martijn

Azure AD Configuration settings in the Configuration Center
Cancel
Up 0 Down

Reply

Verify Answer

Cancel