Office 365 – Exchange Online Deprovisioning aspects

With the proliferation of Office 365, usage of the platform is on the rise, and so is its administration. The Exchange Server infrastructure, the most critical business workload in the IT setup, has already been migrated to Exchange Online in Office 365 by a large number of enterprises. As a result, its administration in Office 365 tenants is on the upswing, and IT admins increasingly ask about the equivalents of legacy Exchange processes (recipient object creation, policies).

In the context of Exchange Online administration, the list of tasks is extensive: mailbox creation, creating policies (defining quota limits), assigning policies, deleting mailboxes, configuring user and admin roles, mail flow rules, malware and spam filters, and administering public folders. Of these, the first and foremost are onboarding (provisioning) and offboarding (deprovisioning) mailboxes, aka users.

Organizations might have a defined policy for day-to-day operations and for provisioning and deprovisioning users. Companies would want to streamline their onboarding and offboarding processes to make them efficient in terms of license cost and better for compliance. This will also be better suited for audit purposes in the future. In addition, automation will be a key requirement to make the process repeatable and achieve the objectives without errors, with continuous refinement.

Why streamline provisioning and deprovisioning?

[Image: Streamline Office 365 provisioning and deprovisioning]

Having said this, I would like to focus only on some of the common/broad scenarios of offboarding (deprovisioning) mailboxes.

Deprovisioning Scenarios

Companies will encounter various deprovisioning scenarios, as illustrated below. The frequency of deprovisioning is directly proportional to how often the listed scenarios occur, and the mailbox volume involved adds to the complexity.

  • Employee leaves the organization – You can completely remove the user object and reclaim the associated license to assign it to another user. This case occurs more often if the attrition rate is high.
  • Mailbox for a certain period – Consider a use case where a consultant is hired for a project implementation. In this case, you have to assign an Exchange Online license to him/her temporarily for a short period. Upon completion of the project, you will have to revoke the assigned license and return it to the license pool.
  • Change in employee’s job responsibility or department – Though it is a rare case, some users might move, say, from a technical to a non-technical role that needs no mailbox. You can remove the license used by him/her so that it is freed up to assign to another user.

In all three cases, removal of the Exchange Online license is the key step. With the possible offboarding cases covered, we will move on to the next agenda in this post.

Factors that decide the deprovisioning actions:

  • Nature of environment (Standalone, Hybrid)
  • Data retention (No retention, Default retention, Long time retention for legal purpose)

Nature of environment (Standalone, Hybrid)

The Office 365 setup allows different types of authentication to access its services. User sign-in can take place from Office 365 alone or in combination with on-premises AD. This entails a variety of actions that have to be performed for users in on-premises AD and/or Office 365.

[Image: Office 365 sign-in options]

In the case of a standalone Office 365 environment, all activities are performed directly in Office 365 itself. Therefore, apart from provisioning and modification of various settings, deprovisioning is also done completely in Office 365.

As for an Office 365 Hybrid environment (federated with an on-premises setup), some of the actions are performed in on-premises Active Directory and some are done in Office 365. The actions performed in the various entities include:

Actions based on environment

[Image: On-premises and Office 365 based actions]

Consider a special case where the user is deleted in on-premises Active Directory, but the native Azure AD synchronization tool did not delete the equivalent cloud object, thereby leaving the Office 365 object orphaned. In this case, Office 365 admins have to look out for such objects and delete them manually. You can find detailed information in the Microsoft support article on this topic.

Exceptional cases of this type also come under the purview of Office 365 actions.

Some organizations use third-party applications to onboard/offboard users and groups in on-premises Active Directory. When such companies migrate to Office 365, they require those applications to integrate seamlessly with Office 365. Moreover, additional learning for admins might be required as part of the migration. This adds complexity to the whole process.

Thus, in an Office 365 Hybrid environment, deprovisioning will be a combination of actions in on-premises AD and Office 365.

Data retention (No retention, Default retention, Long time retention for legal purpose)

Communication is the primary purpose of the mailbox, and the data it accumulates is just as vital. Hence, retention of data is obviously a key factor in deprovisioning. Organizations might have to either retain user data or forgo it.

If the company wants to retain data, it will have to devise suitable data retention policies and place the mailbox on In-Place Hold or Litigation Hold. Otherwise, it can delete the mailbox data, or wipe the data from mobile devices, during deprovisioning.

Process followed for deprovisioning actions:

How does the organization want to act whenever the need for deprovisioning arises? It depends on the various standards followed as per company policy. Broadly, we can classify the actions under the following categories:

Disable the account temporarily

  • Block the sign-in, before committing to a course of action

Substitute the user by a different user with appropriate actions *

  • Retain old user data – place on Litigation Hold or apply a custom retention policy
  • Do not retain old user data – delete after the default or custom retention period

Remove the user with appropriate actions *

  • Retain old user data – place on Litigation Hold or apply a custom retention policy
  • Do not retain old user data – delete after the default or custom retention period

* For data retention, companies should have a policy (such as In-Place Hold or Litigation Hold) in place.

As a normal practice, when an employee leaves the organization, most organizations (SMEs) would just want to block sign-in as a first step (a knee-jerk reaction). If the company has a well laid out policy for dealing with departures, then those policies come into the picture either manually or automatically. In the case of SMEs, the process would be relatively simple.

Even if the company has a plain vanilla policy of removing the user from its Office 365 tenant, certain clean-up tasks have to be performed before the admin deletes the user. Though the admin can request users to perform some clean-up actions themselves (such as deleting their personal data before they leave the organization), it is safer to set this up as part of the deprovisioning policy. The clean-up actions ultimately translate to the responsibilities the user holds as part of his/her work, broken down as below:

  • Department that the user belongs to
  • Groups he/she is a member of
  • Admin roles (such as Global admin, User management admin) that he/she holds
  • Office 365 cloud services (SharePoint Online, Skype for Business Online, Microsoft Teams, PowerApps for Office 365) that he/she uses

Deprovisioning Cases

Based on the broad approaches explained in the deprovisioning process, we envisage the process being grouped into three different cases, as depicted below:

[Image: Deprovisioning cases]

In the Delete Mailbox case, the admin can delete the mailbox permanently, or delete it and let it follow the retention course of action.

In the Replace Mailbox case, the organization substitutes the details of an existing employee or a new employee, so that the leaving employee's content, associated roles and access are retained intact.

The other case is to convert the existing mailbox to a shared mailbox. This will serve as a common repository for anyone to get access to the content. Users with the relevant permissions can reply to the mails henceforth. The only caveat attached to a shared mailbox is that an Exchange Online license is required if the size of the shared mailbox exceeds 50GB, or if an In-Place Archive, an In-Place Hold or a Litigation Hold is enabled on it.
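The following PowerShell is an added example, not code from the original post or from Vyapin's product: it performs the Convert Mailbox case and then evaluates the license caveat above (size over 50GB, In-Place Archive, or a hold) so the admin knows whether the Exchange Online license can actually be released. It assumes an already connected Exchange Online PowerShell session and a hypothetical leaver identity.

```powershell
# Added example (not from the original post). Assumes an Exchange Online
# PowerShell session is already connected. $Upn is a placeholder identity.
$Upn = 'leaver@contoso.example'

# Step 1: convert the departing user's mailbox to a shared mailbox.
Set-Mailbox -Identity $Upn -Type Shared

# Step 2: check whether the shared mailbox still needs an Exchange Online license.
# Rule from the post: a license is required if the mailbox exceeds 50 GB, has an
# In-Place Archive, or has an In-Place Hold or Litigation Hold enabled on it.
$Mbx   = Get-Mailbox -Identity $Upn
$Stats = Get-MailboxStatistics -Identity $Upn

# TotalItemSize renders as e.g. "1.2 GB (1,288,490,188 bytes)"; extract the byte count.
$Bytes = [int64]((($Stats.TotalItemSize.ToString() -replace '.*\(([\d,]+) bytes\).*', '$1') -replace ',', ''))

$OverQuota  = $Bytes -gt 50GB                       # 50GB literal = 53,687,091,200 bytes
$HasArchive = $Mbx.ArchiveStatus -eq 'Active'       # In-Place Archive enabled
$HasHold    = [bool]$Mbx.LitigationHoldEnabled -or ($Mbx.InPlaceHolds.Count -gt 0)

# Step 3: report the decision. Release the license only when LicenseNeeded is False.
[pscustomobject]@{
    Mailbox       = $Upn
    SizeGB        = [math]::Round($Bytes / 1GB, 2)
    OverQuota     = $OverQuota
    HasArchive    = $HasArchive
    HasHold       = $HasHold
    LicenseNeeded = ($OverQuota -or $HasArchive -or $HasHold)
}
```

Removing the license while LicenseNeeded is True would leave the shared mailbox out of compliance with the licensing terms, so run this check before the license is returned to the pool.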

Delete mailbox cases

[Image: Delete Office 365 mailbox cases]

Staged deletion (hybrid) – explained…

[Image: Staged deletion (hybrid)]

We have set out our explanation of the various sub-cases of the Delete Mailbox case (named along the lines of the Exchange Online migration types).

In Cutover deletion (immediate), the admin deletes the user mailboxes and their data permanently (hard delete). This even forgoes the default 30-day retention period. Though this case is rare, it is sometimes performed on non-critical mailboxes.

In Cutover deletion (delayed), the admin deletes the user mailboxes temporarily (soft delete). The data is then removed after the default 30-day retention period. This case is more common and is followed in combination with the company’s retention and litigation policies.

Staged deletion is a combination of a few basic Online steps and Cutover deletion (delayed). It starts as simply as blocking sign-in and terminating the user's open sessions in Office 365. It then proceeds with the sequence of steps followed in Cutover deletion (delayed).
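The staged sequence just described, as an added PowerShell example that is not from the original post or from Vyapin's product. It covers the Online steps (block sign-in, revoke sessions, inventory admin roles and group memberships for hand-over, apply a hold if data is retained, then soft delete); in a hybrid tenant the account object itself is disabled or deleted in on-premises AD and synced, so only the Office 365 side is shown. It assumes connected MSOnline, AzureAD and Exchange Online sessions and a hypothetical leaver identity.

```powershell
# Added example (not from the original post). Assumes MSOnline, AzureAD and
# Exchange Online PowerShell sessions are already connected.
param(
    [string]$Upn        = 'leaver@contoso.example',  # placeholder identity
    [bool]  $RetainData = $true,                     # company retention decision
    [int]   $HoldDays   = 2555                       # example hold length (~7 years)
)

# Step 1: block sign-in and terminate open sessions before committing to anything else.
Set-MsolUser -UserPrincipalName $Upn -BlockCredential $true
$AadUser = Get-AzureADUser -ObjectId $Upn
Revoke-AzureADUserAllRefreshToken -ObjectId $AadUser.ObjectId

# Step 2: inventory what must be handed over: admin roles and group memberships.
$Roles = Get-MsolRole | Where-Object {
    Get-MsolRoleMember -RoleObjectId $_.ObjectId | Where-Object { $_.EmailAddress -eq $Upn }
} | Select-Object -ExpandProperty Name
$Groups = Get-AzureADUserMembership -ObjectId $AadUser.ObjectId |
    Select-Object -ExpandProperty DisplayName
Write-Host "Admin roles to reassign before deletion: $($Roles -join ', ')"
Write-Host "Group memberships to review: $($Groups -join ', ')"

# Step 3: retention decision. The hold must be in place BEFORE the user is deleted,
# otherwise the mailbox simply follows the default 30-day deletion path.
if ($RetainData) {
    Set-Mailbox -Identity $Upn -LitigationHoldEnabled $true -LitigationHoldDuration $HoldDays
}

# Step 4: cutover deletion (delayed) = soft delete. The user sits in the recycle bin
# for the default 30 days (Restore-MsolUser can bring it back), the license returns
# to the pool, and a held mailbox is preserved as an inactive mailbox.
Remove-MsolUser -UserPrincipalName $Upn -Force
```

Re-run Step 2 output against the department and cloud-service list from the clean-up section above so that nothing owned by the leaver (roles, group ownership, service content) is left unassigned when the 30-day window closes.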

Common deprovisioning actions

As part of deprovisioning, there is a series of actions that have to be performed on a mailbox. These common actions are categorized under different sections, as listed below:

[Image: Common deprovisioning actions]

Actions based on individual deprovisioning case:

Depending on the deprovisioning case, actions can be grouped and saved as a template.

[Image: Delete mailbox actions based on individual deprovisioning case]

[Image: Replace mailbox actions based on individual deprovisioning case]

[Image: Convert mailbox actions based on individual deprovisioning case]

[Image: Deprovisioning practices guesstimate]

Conclusion

We hope organizations moving from Exchange on-premises to Office 365 will be able to correlate this article with their own environment. The De-provision Users feature in Vyapin Office 365 Management Suite provides almost all of the de-provisioning actions an organization’s IT department typically requires to manage their Exchange users.