
i1rba (i1rba) asked a question.
Hello. When we had AD as the master, we used to remove some attributes from AD before disabling the user and Okta deprovisioning from O365: in this way the user was out of dynamic DLs and groups before being deprovisioned. Now we switched to HR as the master and I need to find another way to do that, because I can no longer delete attributes from the HR-mastered profile before disabling it. I tried something with Okta Workflows, but it's useless: if I make the user mastered by Okta, at that point I can manipulate the profile, but then Okta's capability to automate the user deactivation based on their end date (plus a post-termination delay) will not work anymore, since it would have worked only if the user was HR-mastered. Does someone have any other idea? Otherwise I need to understand if it's somehow possible to "unlink" the O365 user from the master, since I see all my old users as "synced with AD" (which is not true, they are synced with Okta) and I cannot change anything in their profile either after they are deprovisioned from O365.

To my knowledge and multiple conversations with Okta support, there is no way to "break" the relationship between the user in Okta and the O365 user unless the user is removed. If you want to break the relationship, this would have to be a tenant-wide thing. Let me know if this helps.
Hi Jeff, thanks for your contribution. When you say "unless the user is removed" you mean from where? Removed from OKTA?
From O365 - the issue stems from Okta not 'releasing' the user as a synced user. As great as Okta is for O365 provisioning, it does lack some features found in AADC. This is probably my biggest complaint with the Okta/O365 integration. What are you using for HRIS?
... but you cannot remove the user from O365 since it's synced with "on-premises" (which for us is Okta), right?
I am using SuccessFactors as HRIS.
You can remove the user by running the Remove-MsolUser command in PowerShell.
Remove-MsolUser -UserPrincipalName account@domain.com
Remove-MsolUser -UserPrincipalName account@domain.com -RemoveFromRecycleBin
Keep in mind this will destroy the O365 user account.
You're right. The fact is... I inherited this kind of setup and they used not to delete the O365 account, nor the Okta account, nor the AD account (when AD was the master), so I'm trying to find the best way to manage this process... the user in O365 was still there, synced with on-premises and unlicensed, and the mailbox was converted to shared before doing that. One thing that happened here more than once was people coming back: they had their mailbox as "shared", they got their AD account reactivated, pushed to Okta and then matched with the user in O365, and the mailbox was linked back with some PowerShell commands. Pretty simple; now with HRIS it's a bit more complicated...
Also, they ask me to put OOO messages for a long period, so I can't actually delete the O365 account...
Here is what our off-boarding looks like:
* Disable the AD account
* Convert the user mailbox to a shared mailbox
* Set OoO on the mailbox
* Deactivate the Okta account
* Remove the O365 account
This is from a high level...
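As an added example (not code from this thread, from Okta or from Microsoft), here is a PowerShell function that runs the five steps above in the order listed, with a dry-run mode via -WhatIf. It assumes the ActiveDirectory, ExchangeOnlineManagement and MSOnline modules are loaded with Connect-ExchangeOnline and Connect-MsolService already run, a placeholder Okta org URL, an Okta API token in the OKTA_API_TOKEN environment variable, and that the Okta login equals the UPN; the O365 removal step is opt-in because, as noted above, it destroys the account.

```powershell
function Invoke-UserOffboarding {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [string] $OutOfOfficeMessage = "This person has left the company. Please contact the front desk.",
        [string] $OktaOrg   = "https://example.okta.com",   # placeholder org URL (assumption)
        [string] $OktaToken = $env:OKTA_API_TOKEN,          # read from the environment, never hard-coded
        [switch] $RemoveFromO365                            # step 5 only when explicitly requested
    )

    # 1. Disable the AD account (look up by UPN; sAMAccountName may differ from the mail prefix).
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'"
    if (-not $adUser) { throw "No AD user with UPN $UserPrincipalName" }
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Disable AD account")) {
        Disable-ADAccount -Identity $adUser
    }

    # 2. Convert the user mailbox to a shared mailbox so it survives without a license.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Convert mailbox to shared")) {
        Set-Mailbox -Identity $UserPrincipalName -Type Shared
    }

    # 3. Set the Out-of-Office auto-reply for both internal and external senders.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Set Out-of-Office")) {
        Set-MailboxAutoReplyConfiguration -Identity $UserPrincipalName -AutoReplyState Enabled `
            -InternalMessage $OutOfOfficeMessage -ExternalMessage $OutOfOfficeMessage
    }

    # 4. Deactivate the Okta user via the Users API (login == UPN is an assumption).
    $headers  = @{ Authorization = "SSWS $OktaToken"; Accept = "application/json" }
    $oktaUser = Invoke-RestMethod -Method Get -Headers $headers `
        -Uri "$OktaOrg/api/v1/users/$([uri]::EscapeDataString($UserPrincipalName))"
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, "Deactivate Okta user $($oktaUser.id)")) {
        Invoke-RestMethod -Method Post -Headers $headers `
            -Uri "$OktaOrg/api/v1/users/$($oktaUser.id)/lifecycle/deactivate" | Out-Null
    }

    # 5. Optional: remove the O365 account; the second call purges it from the recycle bin.
    if ($RemoveFromO365 -and $PSCmdlet.ShouldProcess($UserPrincipalName, "Remove O365 account")) {
        Remove-MsolUser -UserPrincipalName $UserPrincipalName -Force
        Remove-MsolUser -UserPrincipalName $UserPrincipalName -RemoveFromRecycleBin -Force
    }
}

# Dry run first (prints each step without changing anything), then run it for real.
Invoke-UserOffboarding -UserPrincipalName "jane.doe@example.com" -WhatIf
```

Leaving out -RemoveFromO365 keeps the unlicensed, synced shared mailbox in place, which matches the "people coming back" and long-running OOO cases described earlier in the thread.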