Modern Suspend Configuration

Overview

IMPORTANT: The legacy Cayosoft Suspend™ configuration will be retired on June 1st, 2026. The legacy configuration will be removed in the product release following the retirement and will be no longer supported. The legacy Suspend rules will remain functional in older versions of Cayosoft Administrator with no support provided by Cayosoft. Migrate to the modern Suspend configuration before the retirement.

Cayosoft Suspend™ allows administrators to temporarily or permanently suspend Active Directory (AD) users or groups, ensuring efficient management and preventing costly security and compliance violations. This feature is integrated into the Cayosoft Administrator Console under the new Suspend Configurations node.

Administrators can configure suspension settings for various object types, with dedicated suspension configurations for each type, ensuring tailored and precise control over user and group management. Once suspend configuration is available for the following object types:

• AD User

• AD Group

• AD Computer (New)

• Microsoft 365 User

NOTE: There is no direct upgrade procedure for switching to the new Suspend™ functionality. This means you must manually recreate your existing legacy Suspend rules and configurations.

Previously suspended users can still be unsuspended, but you can no longer suspend users using the legacy methods.

In order to switch over to modern Suspend™, you need to set the Use modern suspend setting to Yes in the Cayosoft Administrator Console > Active Directory extension.

For new installations, this setting is set to Yes by default. For installations upgraded to 10.3 or above this setting is set to No by default.

For Suspend upgrade details, please see this article How Suspend™ functionality works after the upgrade to 10.3.

Default Suspend configurations

Follow the steps below to configure predefined Suspend rules provided by Cayosoft experts:

1. In the Cayosoft Administrator Console, navigate to Home > Rules > Suspend Configuration.

2. Locate the rule you want to configure. For example, AD computer Suspend (default configuration).

3. Edit the rule based on the guidelines provided in the following article: AD Computers | Suspend rule

4. Save your edits.

Available default Suspend configurations

Each Suspend™ Configuration has a number of settings that are split into sections and should be customized based on your requirements. Here is the list of Suspend Configurations with links to corresponding documentation articles:

1. AD Users | Suspend rule

2. AD Users | Undo Suspend rule

3. AD Groups | Suspend rule

4. AD Computers | Suspend rule

5. Microsoft 365 User | Suspend rule

6. Microsoft 365 User | Undo Suspend rule.

For the full list of the new suspend automation rules, refer to the following article: New Automation Rules.

Creating a custom Suspend configuration

To create a custom Suspend™ Configuration, do the following:

1. In the Cayosoft Administrator Console, navigate to Rules > Suspend Configurations.

2. Select any rule and click +New under Actions.

3. In the New Rule dialog, select a template.

4. Click Show all templates to review all predefined suspend templates.

5. Click Next to continue.
   

6. On the Rule Output step, configure conditions for the rule output.

7. In the last step, provide a name and description for a new rule, and specify labels.

8. Click Finish to save your changes.

Running a modern Suspend configuration

Each Suspend rule and Web Action can select a specific Suspend™ Configuration for AD and M365 objects during execution. You can create various Suspend™ scenarios by applying different configurations to different rules.

To run default Suspend™ configurations, do the following:

1. In the Cayosoft Administrator Console navigate to Home > Configuration > Connected Systems Extensions > Active Directory.

2. In the Configure Active Directory dialog, expand the Cayosoft Suspend Default Configurations.

All default automation rules and Web Actions refer to this global setting.

3. Complete the following fields:

• Use Modern Suspend Rules and Configurations: Select Yes.

• Default AD users Suspend configuration: A preconfigured set of settings that determines how Active Directory (AD) user accounts are handled when they are suspended.

• Default AD users Undo Suspend configuration: A preconfigured set of actions that determines how Active Directory (AD) user accounts are restored to their active state after being suspended.

• Default AD group Suspend configuration: A preconfigured set of actions that determines how Active Directory (AD) groups are handled when they are suspended.

• Default AD computer Suspend configuration: A preconfigured set of actions that determines how Active Directory (AD) computer accounts are handled when they are suspended.

Instead of modifying the global Suspend configuration, you can customize the configuration at these levels:

• Virtual Admin Unit

• Web Query

• Individual Web Actions

• Individual Suspend automation rules

Example for AD Users virtual admin unit - AD User Suspend configuration

1. In the Cayosoft Administrator Console, navigate to Home > Configurations > Web Portal >

   Virtual Admin Units.

2. Expand the Active Directory node and select AD Users.

3. Click the three dots    button next to the AD User Suspend configuration option.

4. Apply the required suspend configuration.

Example for Suspend User web action - AD Suspend configuration

1. In the Cayosoft Administrator Console, navigate to Home > Configurations > Web Portal > Web Actions.

   

2. Expand the Active Directory node and scroll down to the Suspend User action.

3. Click the three dots    button next to the AD User Suspend configuration option.

4. Apply the required suspend configuration.

To create multiple delegated Suspend flows

To create multiple delegated Suspend™ flows, such as one for temporary leave and another for termination, follow these steps:

1. Copy the existing Suspend User (or Group, or Computer) action.

2. Rename the copied action to match your specific scenario.

3. Link the copied action to the required configurations.

4. Add the copied Web Action to the relevant Web Queries.

For detailed instructions on adding and modifying Web Actions, refer to the following article: How to add, remove or re-arrange Web actions within a Web Query.

New Suspend Functionality

AD User Suspend

• Change CN

• Exclude groups from removal during the suspend

• Home folder processing

• Transfer group ownership

• Transfer subordinates

M365 User Suspend

• Transfer subordinates

• Change M365 attributes

• Set manager for

• Forward address

• Delete inbox rules

• Delegate mailbox access

• Retire devices via Intune

Other new functionality

• Bulk Undo suspend rules

• AD Computer suspend

• Scheduled Operations (see below for details)

• Notifications (see below for details)

Scheduled Delayed Operations

The Suspend Configurations feature includes a section for Scheduled Delayed Operations. In this section, you can add operations that will run either during Suspend or a specified number of days after Suspend™.

Each scheduled operation, including Scheduled Suspend and Undo Suspend, creates a Work Item that will be processed by the Process Scheduled Suspend Operations rule. The Process Scheduled Suspend Operations rule must be enabled and scheduled for these operations to execute correctly. Canceling a scheduled operation will cancel all associated work items, which will be documented in the Change History.

Scheduled Suspend Operations Available for All Configuration Types

Custom Script: Run a custom script when Suspend and Undo Suspend are executed.

The Custom Script option has two sections: one for the Suspend script and another for the Undo Suspend script.

Operations Available in Active Directory Suspend Configurations

• Relocate Object to OU: This operation will move objects in each managed domain to the selected Organizational Unit (OU).

• Delete AD Object: This operation will delete the suspended Active Directory object and, optionally, the related Microsoft 365 object.

Operations Available in Microsoft 365 User Suspend Configurations

• Relocate to AU: This operation moves users within the tenant from all current Administrative Units to the selected Administrative Unit.

• Remove or Replace License: This operation will remove all existing directly assigned licenses and optionally assign a new license to replace them.

• Convert to Shared Mailbox: This operation will convert the user's mailbox to a shared mailbox.

• Put on Litigation Hold: This operation will enable litigation hold for the specified period.

• Delete Azure Object: This operation will delete the suspended Azure object and, optionally, bypass the Microsoft 365 recycle bin.

Notifications

Suspend Configurations have the Email Notification section. You can configure email notifications that will be sent based on events that are different for different Suspend Configurations. Each event has its own recipients, default subject, message, and drop-down options. It is possible to configure multiple messages per event.

Events that are available to all Suspend Configurations:

• On Suspend

• On Error

• On Scheduled Operation Suspend

• On Scheduled Operation Error.

• Events that are specific to AD User Suspend Configurations:

• Access to Home Folder Provided.

• Events that are specific to Microsoft 365 User Suspend Configurations:

• OneDrive Owner Changed

• Mailbox Delegates Added.

• Events that are available for both AD User and Microsoft 365 User Suspend Configurations:

• Group Transferred

• Subordinates Transferred.

Change History

All Suspend operation details for all object types are now displayed in the Change History, even if Suspend was performed by an automation rule.

The Change History report for Suspend and Undo Suspend has a Summary section with operation status: OK, Error, Warning, and Canceled. Other sections correspond to the Suspend Configuration sections that allow easy troubleshooting.

New Automation Rules

The following Suspend rules have been added:

1. AD Users | Suspend

2. Text file | Suspend AD Users

3. Import SQL Data | Suspend AD Users

4. Import Oracle Data | Suspend AD Users

5. AD Groups | Suspend

6. AD Computers | Suspend

7. Report on Suspended AD Objects and Scheduled Operations

8. Suspend Computer web action

9. Undo Suspend (Computer) web action

10. AD Users | Undo Suspend

11. AD Groups | Undo Suspend

12. AD Computers | Undo Suspend

13. Microsoft 365 User | Suspend

14. Microsoft 365 User | Undo Suspend

15. Text file | Suspend Microsoft 365 Users

16. Import SQL Data | Suspend Microsoft 365 Users

17. Import Oracle Data | Suspend Microsoft 365 Users

18. Report on Suspended Microsoft 365 Users and Scheduled Operations

19. Process scheduled suspend operations

Change History