Overview
Cayosoft Suspend allows administrators to temporarily or permanently suspend Active Directory (AD) users or groups, ensuring efficient management and preventing costly security and compliance violations. Starting from Cayosoft Administrator version 10.3, this feature is integrated into the Cayosoft Administrator Console under the new Suspend Configurations node.
Administrators can configure suspension settings for various object types, with dedicated suspension configurations for each type, ensuring tailored and precise control over user and group management. Suspend configuration is available for the following object types:
- AD User
- AD Group
- AD Computer (New)
- Microsoft 365 User
Note: There is no direct upgrade procedure for switching to the new Suspend functionality. This means you must manually recreate your existing legacy Suspend rules and configurations. Previously suspended users can still be unsuspended, but you can no longer suspend users using the legacy methods.
In order to switch over to modern Suspend, you need to set the Use modern suspend setting to Yes in the Administrator Console > Active Directory extension.
For Suspend upgrade details, please see this article: How suspend functionality works after the upgrade.
Configuring default Suspend configurations
Follow the steps below to configure predefined Suspend rules provided by Cayosoft experts:
- In the Administrator Console, navigate to Home > Rules > Suspend Configuration.
- Locate the rule you want to configure. For example, AD computer Suspend (default configuration).
- Edit the rule based on the guidelines provided in the following article: AD Computers | Suspend rule.
- Save your edits.
Available default Suspend configurations
Each Suspend Configuration has a number of settings that are split into sections and should be customized based on your requirements. Here is the list of Suspend Configurations with links to corresponding documentation articles:
- AD User Suspend
- AD User Undo Suspend
- AD User Terminate
- AD Group Suspend
- AD Computer Suspend (New)
- Microsoft 365 User Suspend
- Microsoft 365 User Undo Suspend
For the full list of the new suspend automation rules, refer to the following article: New Automation Rules.
Creating a custom Suspend configuration
To create a custom Suspend Configuration, do the following:
- In the Administrator Console, navigate to Rules > Suspend Configurations.
- Select any rule and click +New under Actions.
- In the New Rule dialog, select a template.
- Click Show all templates to review all predefined suspend templates.
- Click Next to continue.
- On the Rule Output step, configure conditions for the rule output.
- In the last step, provide a name and description for the new rule, and specify labels.
- Click Finish to save your changes.
Running a modern Suspend configuration
Each Suspend rule and Web Action can select a specific Suspend Configuration for AD and M365 objects during execution. You can create various Suspend scenarios by applying different configurations to different rules.
To run default Suspend configurations, do the following:
- In the Administrator Console, navigate to Home > Configuration > Connected Systems Extensions > Active Directory.
- In the Configure Active Directory dialog, expand the Cayosoft Suspend Default Configurations.
All default automation rules and Web Actions refer to this global setting.
- Complete the following fields:
- Use Modern Suspend Rules and Configurations: Select Yes.
- Default AD users Suspend configuration: A preconfigured set of settings that determines how Active Directory (AD) user accounts are handled when they are suspended.
- Default AD users Undo Suspend configuration: A preconfigured set of actions that determines how Active Directory (AD) user accounts are restored to their active state after being suspended.
- Default AD group Suspend configuration: A preconfigured set of actions that determines how Active Directory (AD) groups are handled when they are suspended.
- Default AD computer Suspend configuration: A preconfigured set of actions that determines how Active Directory (AD) computer accounts are handled when they are suspended.
Instead of modifying the global Suspend configuration, you can customize the configuration at these levels:
- Virtual Admin Unit
- Web Query
- Individual Web Actions
- Individual Suspend automation rules
Example for AD Users virtual admin unit - AD User Suspend configuration
- In the Administrator Console, navigate to Home > Configurations > Web Portal > Virtual Admin Units.
- Expand the Active Directory node and select AD Users.
- Click the three dots button next to the AD User Suspend configuration option.
- Apply the required suspend configuration.
Example for Suspend User web action - AD Suspend configuration
- In the Administrator Console, navigate to Home > Configurations > Web Portal > Web Actions.
- Expand the Active Directory node and scroll down to the Suspend User action.
- Click the three dots button next to the AD User Suspend configuration option.
- Apply the required suspend configuration.
To create multiple delegated Suspend flows
To create multiple delegated Suspend flows, such as one for temporary leave and another for termination, follow these steps:
- Copy the existing Suspend User (or Group, or Computer) action.
- Rename the copied action to match your specific scenario.
- Link the copied action to the required configurations.
- Add the copied Web Action to the relevant Web Queries.
For detailed instructions on adding and modifying Web Actions, refer to the following article:
New Suspend Functionality
Summary
AD User Suspend
- Change CN
- Exclude groups from removal during the suspend
- Home folder processing
- Transfer group ownership
- Transfer subordinates
M365 User Suspend
- Transfer subordinates
- Change M365 attributes
- Set manager for Forward address
- Delete inbox rules
- Delegate mailbox access
- Retire devices via Intune
Other new functionality
- Bulk Undo suspend rules
- AD Computer suspend
- Scheduled Operations (see below for details)
- Notifications (see below for details)
Scheduled Delayed Operations
The Suspend Configurations feature includes a section for Scheduled Delayed Operations. In this section, you can add operations that will run either during Suspend or a specified number of days after Suspend.
Each scheduled operation, including Scheduled Suspend and Undo Suspend, creates a Work Item that will be processed by the Process Scheduled Suspend Operations rule. The Process Scheduled Suspend Operations rule must be enabled and scheduled for these operations to execute correctly. Canceling a scheduled operation will cancel all associated work items, which will be documented in the Change History.
Scheduled Suspend Operations Available for All Configuration Types
- Custom Script: Run a custom script when Suspend and Undo Suspend are executed. The Custom Script option has two sections: one for the Suspend script and another for the Undo Suspend script.
Operations Available in Active Directory Suspend Configurations
- Relocate Object to OU: This operation will move objects in each managed domain to the selected Organizational Unit (OU).
- Delete AD Object: This operation will delete the suspended Active Directory object and, optionally, the related Microsoft 365 object.
Operations Available in Microsoft 365 User Suspend Configurations
- Relocate to AU: This operation moves users within the tenant from all current Administrative Units to the selected Administrative Unit.
- Remove or Replace License: This operation will remove all existing directly assigned licenses and optionally assign a new license to replace them.
- Convert to Shared Mailbox: This operation will convert the user's mailbox to a shared mailbox.
- Put on Litigation Hold: This operation will enable litigation hold for the specified period.
- Delete Azure Object: This operation will delete the suspended Azure object and, optionally, bypass the Microsoft 365 recycle bin.
Notifications
Suspend Configurations have an Email Notification section, where you can configure email notifications that are sent when specific events occur. The available events differ between Suspend Configurations. Each event has its own recipients, default subject, message, and drop-down options, and you can configure multiple messages per event.
Events that are available to all Suspend Configurations:
- On Suspend
- On Error
- On Scheduled Operation Suspend
- On Scheduled Operation Error
Events that are specific to AD User Suspend Configurations:
- Access to Home Folder Provided
Events that are specific to Microsoft 365 User Suspend Configurations:
- OneDrive Owner Changed
- Mailbox Delegates Added
Events that are available for both AD User and Microsoft 365 User Suspend Configurations:
- Group Transferred
- Subordinates Transferred
Change History
All Suspend operation details for all object types are now displayed in the Change History, even if Suspend was performed by an automation rule. The Change History report for Suspend and Undo Suspend has a Summary section with the operation status: OK, Error, Warning, or Canceled. The other sections correspond to the Suspend Configuration sections, which makes troubleshooting easier.
New Automation Rules
The following Suspend rules have been added:
- AD Users | Suspend
- Text file | Suspend AD Users
- Import SQL Data | Suspend AD Users
- Import Oracle Data | Suspend AD Users
- AD Groups | Suspend
- AD Computers | Suspend
- Report on Suspended AD Objects and Scheduled Operations
- Suspend Computer web action
- Undo Suspend (Computer) web action
- AD Users | Undo Suspend
- AD Groups | Undo Suspend
- AD Computers | Undo Suspend
- Microsoft 365 User | Suspend
- Microsoft 365 User | Undo Suspend
- Text file | Suspend Microsoft 365 Users
- Import SQL Data | Suspend Microsoft 365 Users
- Import Oracle Data | Suspend Microsoft 365 Users
- Report on Suspended Microsoft 365 Users and Scheduled Operations
- Process scheduled suspend operations
Change History
Version | Notes |
---|---|
10.3.0 | The functionality has been added to the product. |