WordPress.com



Office365 Employee Leaver Policy

Disclaimer & Summary

This blog post is completely my own view and provides no warranty. My blog posts are in no way affiliated with my current employer or Microsoft.

This blog welcomes comments, as I am sure it will be tweaked, corrected and modified as the Office365 platform evolves. The goal is to have a standard Office365 employee leaver policy that is automated and not a task that needs to be run by the organisation's IT department: compliance officers or HR departments can simply add an Office365 employee leaver's UPN into a Power Automate workflow application and press apply.

I will post this document on my own blog, informationprotection.ie, and to the community via the Yammer CLOUD + ENTERPRISE CUSTOMERS AND PARTNERS group, and let's see if we can create an operational procedure where a compliance officer or HR operator can retain former employees' data with two clicks: 1: Leaver UPN, 2: Apply.

Microsoft do have an article, "Remove a former employee from Office 365", but the article has a lot of steps. The purpose of this article is to automate the leaver process and retain corporate data.

Scenario 1

Definitely the most common scenario:

A user leaves.
The mailbox is converted to a shared mailbox.
The successor to the previous user receives full delegation rights to their predecessor's mailbox.
The former employee's mailbox is hidden from the global address list.

This then frees up the Microsoft Office365 license being consumed by the previous employee.

Problems with Scenario 1

Litigation hold cannot be enabled on a shared mailbox unless the shared mailbox keeps a license that includes Exchange Online Plan 2 (or Plan 1 with the Exchange Online Archiving add-on), so the license is not actually freed for a mailbox that must stay on hold.
Office365 ATP advanced features cannot be enabled on shared mailboxes.

Prerequisites for data retention policies

Typically, the following license SKUs provide the ability to apply data retention policies. However, new services and Office365 SKUs are constantly being added that may also license data retention policies.
The licensing requirements to date have been:

Exchange Online Plan 2
SharePoint Online Plan 2
Office365 E3
Office365 E5
M365 E3
M365 E5

Scenario 2

Scenario 2 is targeted at small businesses that do not have a high turnover of staff. It is quite a manual process which can be done mainly via the Office 365 Security and Compliance Center. I have successfully created this policy, added a user to the leavers retention policy, deleted the user's AD account and run multiple AD Connect syncs until I could see the user was no longer visible in the Office365 admin center or in Azure Active Directory users. Once I confirmed the user was completely deleted, I was able to recover email and OneDrive for Business data for the deleted user via eDiscovery, and when the user was deleted the license that was in use became available.

The absolutely critical step in this process is that the user must have a valid license so that the retention policy is applied to the user's data. Once the retention policy has been applied, the user can be deleted from AD or moved to an OU that is out of scope for the AD Connect sync.

The scope for Scenario 2 is Exchange mailboxes and OneDrive for Business profiles. OneDrive for Business profiles require the exact URL; the following steps outline how the OneDrive for Business URL can be retrieved.

Note: If an organisation has Azure Active Directory Premium Plan 2, just-in-time access (Privileged Identity Management) should be enabled for the roles required to create and edit data retention policies, so that nobody holds standing permission to change what is retained.

Steps listed below

1. Connect to all Office365 services using Michel de Rooij's script, which can be downloaded HERE.

2. Create a retention policy. The choice to delete data after 7 years varies per organisation and industry.

3. Extract the ODFB URLs with the SharePoint Online Management Shell (replace the tenant admin URL and the CSV path with your own):

$Credentials = Get-Credential
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com" -Credential $Credentials
Get-SPOSite -IncludePersonalSite $true -Limit All | Where-Object { $_.Url -like "*/personal/*" } | Export-Csv "<CSV FILE PATH>" -NoTypeInformation

4. Exchange email: select the leaver by clicking on the "choose recipients" hyperlink and searching for the user.

5. OneDrive account: select "choose accounts" and paste in the URL of the ODFB account that was previously extracted via the SharePoint Online Management Shell.

6. Create the rule.

7. Wait 24 hours, then either delete the account from AD or move the account to the disabled OU.

8. Run this command to purge the deleted user from the Azure AD recycle bin. Note that, as written, it purges every soft-deleted user in the tenant and forfeits their 30-day restore window, so filter on the leaver's UPN if other accounts may be in the recycle bin:

Get-MsolUser -All -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force

9. Test the retrieval of the former employee's data via Office365 eDiscovery.

Scenario 3

Scenario 3 can be used in the unfortunate circumstance where a lot of employees in an organisation have been made redundant or a business is closing down. The main difference between Scenarios 2 and 3 is that Scenario 3 adds former employees to the leaver policy in bulk.

1. Connect to all Office365 services using Michel de Rooij's script, which can be downloaded HERE.

2. Add the mailboxes and OneDrive sites to the compliance retention policy. The leaver CSV needs a "mail" column holding each UPN, and sitestoadd.csv needs an "OD4BSite" column holding each OneDrive URL from the extraction step in Scenario 2:

$policy = 'Leaver Policy'
Get-RetentionCompliancePolicy -Identity $policy

# Add the mailboxes to the Security and Compliance Center retention policy.
# Note that Set-Mailbox -RetentionPolicy would apply an Exchange MRM policy, which is a different feature.
$mailboxes = (Import-Csv "<CSV PATH>").mail
Set-RetentionCompliancePolicy -Identity $policy -AddExchangeLocation $mailboxes

# Add the OneDrive for Business sites
$new = Import-Csv sitestoadd.csv
$newlocations = $new.OD4BSite
Set-RetentionCompliancePolicy -Identity $policy -AddOneDriveLocation $newlocations

# Only now release any litigation hold, so there is no window in which the mailbox is under no hold at all
Import-Csv "<CSV PATH>" | ForEach-Object { Set-Mailbox -Identity $_.mail -LitigationHoldEnabled $false -Confirm:$false }

3. Wait 24 hours, then either delete the accounts from AD or move them to the disabled OU.

4. Run this command (same caveat as Scenario 2: it purges every soft-deleted user in the tenant):

Get-MsolUser -All -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force

5. Test the retrieval of the former employees' data via Office365 eDiscovery.

Scenario 4

My colleague Zdenko Zahorec is the Evros Power Automate lead.

Scenario 4 is a Microsoft Power Automate runbook that only needs the user name, and then a click on apply in the Microsoft Power Automate application from an HR, admin or management staff member. Scenario 4 assumes the leaver retention policy has already been created. Scenario 4 may complement Scenario 2 more than 3.
If HR or admin staff input the user name of the former staff member and click apply, the following tasks are a typical Power Automate runbook that is completely automated and only requires two actions: user name and apply.

1. Connect to all Office365 services using Michel de Rooij's script, which can be downloaded HERE.

2. Add the leaver's mailbox and OneDrive site to the retention policy. $upn is the leaver's email address supplied by the Power Automate flow; the OneDrive URL is looked up by site owner rather than from the CSV used in Scenario 3 (this assumes Get-SPOSite reports the owner as the UPN):

$upn = '<leaver email address>'
$policy = 'Leaver Policy'
Get-RetentionCompliancePolicy -Identity $policy
$newlocations = (Get-SPOSite -IncludePersonalSite $true -Limit All | Where-Object { $_.Owner -eq $upn }).Url
Set-RetentionCompliancePolicy -Identity $policy -AddExchangeLocation $upn -AddOneDriveLocation $newlocations
# Release litigation hold only after the retention policy has been applied
Set-Mailbox -Identity $upn -LitigationHoldEnabled $false -Confirm:$false

3. Install the Azure Automation agent (Hybrid Runbook Worker) on a domain controller or member server. Power Automate calls the Azure Automation runbook, which performs this on-premises task: wait 24 hours, then either delete the account from AD or move the account to the disabled OU.

4. Run this command (same caveat as Scenario 2: it purges every soft-deleted user in the tenant, so filter on $upn where other accounts may be in the recycle bin):

Get-MsolUser -All -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force

5. Send an email to IT when the Power Automate workflow has completed.

6. Test the retrieval of the former employee's data via Office365 eDiscovery (manual task for IT).

If you want any of these scenarios to become operational in your organisation, talk to us.
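The script below is an added example and is not code from the original post or from Evros. It puts Scenario 1 (convert to a shared mailbox) and the Scenario 2/4 retention path into one offboarding script, with the checks the post relies on made explicit: the licence must be present before the policy is applied, the hold must be confirmed on the mailbox and the OneDrive site before the account is deleted, and only the leaver is purged from the recycle bin rather than every soft-deleted user. It assumes the Exchange Online, Security & Compliance, SharePoint Online and MSOnline sessions are already open (for example via the connect script linked above), that the policy is named 'Leaver Policy', that Get-SPOSite reports the OneDrive owner as the user's UPN, and every UPN shown is a placeholder.

```powershell
# Added example (not code from the original post): one offboarding script covering
# Scenario 1 (convert to shared mailbox) and the Scenario 2/4 retention path, with the
# checks the post relies on made explicit before anything irreversible happens.
# Assumptions: sessions to Exchange Online, Security & Compliance, SharePoint Online and
# MSOnline are already open (e.g. via the connect script the post links); the policy
# name 'Leaver Policy' and every UPN below are placeholders; Get-SPOSite reports the
# OneDrive owner as the user's UPN.

# ---- Scenario 1: hand the mailbox to a successor and free the licence ------------
function Convert-LeaverToSharedMailbox {
    param(
        [Parameter(Mandatory)] [string] $Upn,
        [Parameter(Mandatory)] [string] $SuccessorUpn
    )
    $mbx = Get-Mailbox -Identity $Upn -ErrorAction Stop
    if ($mbx.LitigationHoldEnabled) {
        # A hold is only supported on a shared mailbox that keeps an Exchange Online
        # Plan 2 licence, which is the very licence this scenario wants to free.
        throw "$Upn is on litigation hold; keep its licence or use the retention path instead"
    }
    Set-Mailbox -Identity $Upn -Type Shared
    Add-MailboxPermission -Identity $Upn -User $SuccessorUpn -AccessRights FullAccess `
        -InheritanceType All -AutoMapping $true | Out-Null
    Set-Mailbox -Identity $Upn -HiddenFromAddressListsEnabled $true
    # Remove licences only after the conversion, so the mailbox is never soft-deleted.
    $skus = (Get-MsolUser -UserPrincipalName $Upn).Licenses | ForEach-Object { $_.AccountSkuId }
    if ($skus) { Set-MsolUserLicense -UserPrincipalName $Upn -RemoveLicenses $skus }
}

# ---- Scenario 2/4: attach the leaver to the compliance retention policy -----------
function Add-LeaverToRetentionPolicy {
    param(
        [Parameter(Mandatory)] [string] $Upn,
        [string] $PolicyName = 'Leaver Policy'
    )
    # The post's critical step: the policy only attaches to a licensed user.
    $user = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop
    if (-not $user.IsLicensed) { throw "$Upn has no licence; assign one before applying '$PolicyName'" }

    # Resolve the OneDrive URL by owner instead of exporting every personal site to CSV.
    $od = Get-SPOSite -IncludePersonalSite $true -Limit All |
          Where-Object { $_.Owner -eq $Upn } | Select-Object -First 1
    if (-not $od) { throw "No OneDrive for Business site found for $Upn" }

    # A Security & Compliance retention policy is a Set-RetentionCompliancePolicy location;
    # Set-Mailbox -RetentionPolicy would set an Exchange MRM policy, a different feature.
    Set-RetentionCompliancePolicy -Identity $PolicyName `
        -AddExchangeLocation $Upn -AddOneDriveLocation $od.Url
    return $od.Url
}

# ---- Verify the hold actually landed before the account is deleted ---------------
function Test-LeaverRetention {
    param(
        [Parameter(Mandatory)] [string] $Upn,
        [Parameter(Mandatory)] [string] $OneDriveUrl,
        [string] $PolicyName = 'Leaver Policy'
    )
    $policy = Get-RetentionCompliancePolicy -Identity $PolicyName -DistributionDetail
    # A retention policy targeted at a mailbox shows up in its InPlaceHolds as
    # mbx<policy GUID>[:action], so the policy GUID is the reliable thing to match.
    $mbxHeld = [bool]((Get-Mailbox -Identity $Upn).InPlaceHolds -match $policy.Guid.ToString())
    # OneDrive locations on the policy render as the site URL.
    $odHeld = [bool]($policy.OneDriveLocation | Where-Object { "$_" -eq $OneDriveUrl })
    [pscustomobject]@{
        Upn                = $Upn
        MailboxHeld        = $mbxHeld
        OneDriveHeld       = $odHeld
        DistributionStatus = $policy.DistributionStatus
        ReadyToDelete      = ($mbxHeld -and $odHeld -and $policy.DistributionStatus -eq 'Success')
    }
}

# ---- After the 24-hour wait and AD deletion/sync: purge ONLY this user -----------
function Remove-LeaverFromRecycleBin {
    param([Parameter(Mandatory)] [string] $Upn)
    # The post's one-liner purges every soft-deleted user in the tenant and forfeits
    # their 30-day restore window; filter to the leaver first.
    $deleted = Get-MsolUser -ReturnDeletedUsers -All |
               Where-Object { $_.UserPrincipalName -eq $Upn } | Select-Object -First 1
    if (-not $deleted) { throw "$Upn is not in the Azure AD recycle bin yet; check AD Connect sync" }
    # Refuse to purge unless the hold turned the mailbox into an inactive mailbox.
    if (-not (Get-Mailbox -Identity $Upn -InactiveMailboxOnly -ErrorAction SilentlyContinue)) {
        throw "$Upn has no inactive mailbox; purging now would lose the data the policy should keep"
    }
    Remove-MsolUser -ObjectId $deleted.ObjectId -RemoveFromRecycleBin -Force
}

# Usage (placeholders):
#   Convert-LeaverToSharedMailbox -Upn 'leaver@contoso.com' -SuccessorUpn 'successor@contoso.com'
#   $url = Add-LeaverToRetentionPolicy -Upn 'leaver@contoso.com'
#   Test-LeaverRetention -Upn 'leaver@contoso.com' -OneDriveUrl $url   # repeat until ReadyToDelete
#   Remove-LeaverFromRecycleBin -Upn 'leaver@contoso.com'              # after AD deletion and sync
# Scenario 3 (bulk): Import-Csv .\leavers.csv | ForEach-Object { Add-LeaverToRetentionPolicy -Upn $_.mail }
```

Test-LeaverRetention is the gate between the retention step and the AD deletion: run it after the 24-hour wait and only proceed when ReadyToDelete is true, since a policy that has not finished distributing or a mailbox whose InPlaceHolds does not yet carry the policy GUID will not become an inactive mailbox when the user is deleted. Remove-LeaverFromRecycleBin then double-checks that the inactive mailbox exists before the purge, which is the point of no return.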