Rule description
This rule provides the ability to suspend Office 365 users and guests.
An instance of the rule is automatically created during installation under the HOME > RULES > WebAdmin Rules (Pre-configured) folder. This instance is linked to the Suspend web action and to the AD Users | Suspend Expired AD Users, AD Users | Suspend Users, and other rules as a post-action rule in the Rules to run after section.
When to use this rule
You typically do not need to create an instance of this rule, as it is automatically created during installation and linked to the Suspend (AD and Office 365) action and the rules listed above. The rule runs when you perform Suspend on an Office 365 user account, or a Suspend or Scheduled Suspend action on Active Directory user accounts that have corresponding Office 365 user accounts.
When you perform the Suspend action for an Active Directory user account and also need to suspend the corresponding Office 365 account, set the Suspend related Office 365 user option to Yes. This option is available in the Suspend Active Directory user action and in the rules listed below:
- AD Users | Process Scheduled Suspends
- AD Users | Suspend Expired AD Users
- AD Users | Suspend Users
- Office 365 Users Inactive | Suspend Users
- Text file | Suspend AD Users
- Import SQL Data | Suspend AD Users
- Import Oracle Data | Suspend AD Users
Rule Settings
Query Section
Setting name | Description* |
---|---|
More options | |
Domain controller | Select the domain controller on which to run the rule. |
Credentials | Specify credentials for the selected domain controller. |
Action Section
Setting name | Description |
---|---|
Prevent Sign-in | Use this setting to block the user's access to their Office 365 account. |
Authentication methods and sessions | Specify if: |
Scramble Password | Define whether to generate a random password for the user after suspension. |
Hide from GAL | Hide the user from the Global Address List. |
Remove license, mailbox and archive mailbox | When set to Yes, if the AD user has an associated remote mailbox and archive mailbox, both are removed along with the license. To preserve the user mailbox and archive mailbox data, either set this setting to No or set the Convert to Shared Mailbox setting to Yes. |
Assign replacement license | If 'Remove license' above is set to 'Yes', this will attempt to assign the replacement licenses listed here. Enter the SkuIDs of the licenses to assign, separated by semicolons, e.g. "EXCHANGESTANDARD; EXCHANGE_S_ARCHIVE_ADDON". Note: this option does not work if the "Litigation Hold" option is enabled for delayed license removal. |
Put mailbox on Litigation Hold | Specify 'No, revoke license immediately' to disable the Litigation Hold and revoke the license immediately after a user is suspended. Specify 'Yes, revoke license after litigation hold duration' to place the mailbox on litigation hold and revoke the license after the mailbox has been put on litigation hold. Putting a mailbox on litigation hold usually takes some time. The license will be revoked in a day in this case. Specify 'Yes, revoke license after litigation hold assignment has been completed' to place the mailbox on litigation hold and revoke the license after the litigation hold assignment has been completed. After a mailbox is placed on litigation hold, messages can't be deleted from the mailbox. Deleted items and all versions of changed items are retained in the Recoverable Items folder. Items that are purged from the dumpster are also retained, and the items are held indefinitely. If you enable litigation hold, single-item recovery quotas aren't applied. |
Litigation hold duration (days) | Specify the number of days the mailbox items are held if the mailbox is placed on litigation hold. The duration is calculated from the date a mailbox item is received or created. |
Convert to Shared Mailbox | Important: Cayosoft recommends converting the user mailbox to a shared mailbox after the suspend action. In this case, the mailbox data and archive data are not lost, and errors during the undo suspend operation are avoided. For information about undoing the suspension of an Office 365 account, see the Undo Suspend \| Office 365 User rule article in the Cayosoft Help Center. Note 1: If a user account is converted to a shared mailbox, it must remain synced. If the Active Directory account is deleted or moved out of sync scope, the cloud account is deleted too. Note 2: When a linked mailbox is suspended, the Convert to Shared Mailbox step is skipped. Before running suspend for a linked mailbox, make sure that Azure AD sync has been run. Specify 'Yes' to convert to a shared mailbox. Specify 'Yes and grant manager full permissions on mailbox' to convert to a shared mailbox and give the manager access to the user's mailbox. Specify 'Yes and grant manager + delegates full permissions on mailbox' to convert to a shared mailbox and give the manager and delegates access to the user's mailbox. Specify 'Yes and grant delegates full permissions on mailbox' to convert to a shared mailbox and give the delegates access to the user's mailbox. Specify 'No' to keep the mailbox as is, without converting it to a shared mailbox. Specify 'No and grant manager full permissions on mailbox' to leave the mailbox unconverted and grant the manager full permissions on it. |
Delegates (Shared Mailbox) | You can specify delegates who will have access to the user's mailbox after the user is suspended. For details, see the Convert to Shared Mailbox setting above. |
Set Forward address | Specify No if you don't need to receive emails sent to suspended users. Specify Forward local to forward emails sent to suspended users to a local mailbox. Specify Forward External Mailbox to forward emails sent to suspended users to an external mailbox. |
Forward Address | You can specify the forward address to which emails sent to suspended users are forwarded. |
AD attribute to store license remove date | Specify the Active Directory attribute in which to store the license removal date. |
Email Connectivity | |
Disable Exchange ActiveSync; Disable OWA for Devices; Disable MAPI; Disable POP3; Disable IMAP4 | Specify these settings to enable or disable access to the mailbox by using the corresponding protocol clients. |
Remove Shared Mailbox permissions | When set to Yes, shared mailbox permissions will be removed after user suspension. Note: This functionality works through the Cayosoft Guardian Integration extension, which needs to be configured to get per-user mailbox permissions. |
Remote Device Wipe (Exchange ActiveSync) | |
Delete all data from a mobile phone via Exchange ActiveSync | Specify whether to wipe all corporate data from the user's phone after the user is suspended. Note: If you are using Intune, you should use Intune to trigger data removal, not Exchange. Depending on the scenario, this can be accomplished via App Protection Policy selective wipe or Device enrollment retire/wipe commands. |
Email address for the remote device wipe confirmation (optional) | You can specify an email address for the remote device wipe confirmation. |
Autoreply Message | |
Set Autoreply Message | Specify whether to set an autoreply message after a user is suspended and no longer has access to their mailbox. |
Autoreply Message | Specify the autoreply message text. |
OneDrive settings | |
Change Personal Site Admin | Specify 'Do not change' if you don't want to change the personal site admin after a user is suspended. Specify 'Set specified account(s)' if you want to change the personal site admin after a user is suspended. Specify 'Try to set manager as owner if empty or disabled then assign specified account(s)' if you want to change the personal site admin after a user is suspended. |
New OneDrive Personal Site owner(s) | You can specify one or more User Principal Names, separated by ";", that will be the new personal site admins after a user is suspended. |
Group Membership and Ownership | |
Remove from cloud groups | When set to Yes, the account will be removed from all Azure AD security groups, Microsoft Groups, Teams, and Distribution Lists. |
Exclude these cloud groups | Enter the display names, separated by semicolons, of the groups where the user should remain a member or owner after suspension. Example: name1;name2 |
Transfer group ownership to user manager | When set to Yes, the user's manager will be added as an owner to all groups previously owned by this account. The manager account must have a Teams license assigned to take ownership of a team. If the user does not have a manager, a connection account will be added as a group owner. Note: Transfer group ownership works only for MS 365 security and unified groups. |
* Certain details and information for the settings are taken from Microsoft Docs.
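A post-suspension check, as an added example that is not Cayosoft code: it inspects account state already retrieved with Get-MgUser, Get-Mailbox and Get-CASMailbox and lists the Action Section settings that did not take effect. It assumes the rule was run with Prevent Sign-in, Hide from GAL and all Email Connectivity options set to disable access; the function name, the sample accounts and the contoso.example domain are constructed, and the mapping of settings to properties is an assumption.

```powershell
# Added example. Property names are those returned by Get-MgUser (AccountEnabled),
# Get-Mailbox and Get-CASMailbox; their mapping to this rule's settings is assumed.
function Test-SuspendedAccountState {
    param(
        [Parameter(Mandatory)] [pscustomobject] $State,
        [string[]] $AcceptedDomains = @()   # domains treated as internal
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($State.AccountEnabled) { $findings.Add('Prevent Sign-in: account is still enabled') }
    if (-not $State.HiddenFromAddressListsEnabled) {
        $findings.Add('Hide from GAL: mailbox is still listed in address lists')
    }
    # Email Connectivity: every client protocol should be off after suspension.
    $protocols = [ordered]@{
        ActiveSyncEnabled    = 'Disable Exchange ActiveSync'
        OWAforDevicesEnabled = 'Disable OWA for Devices'
        MAPIEnabled          = 'Disable MAPI'
        PopEnabled           = 'Disable POP3'
        ImapEnabled          = 'Disable IMAP4'
    }
    foreach ($p in $protocols.GetEnumerator()) {
        if ($State.($p.Key)) { $findings.Add("$($p.Value): $($p.Key) is still True") }
    }
    # Set Forward address: mail leaving the tenant should be a reviewed decision.
    if ($State.ForwardingSmtpAddress) {
        $domain = (($State.ForwardingSmtpAddress -replace '^smtp:', '') -split '@')[-1]
        if ($AcceptedDomains -notcontains $domain) {
            $findings.Add("Set Forward address: forwards to external domain $domain")
        }
    }
    [pscustomobject]@{
        UserPrincipalName = $State.UserPrincipalName
        Compliant         = ($findings.Count -eq 0)
        Findings          = $findings.ToArray()
    }
}

# Constructed sample state, standing in for merged cmdlet output.
$samples = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; AccountEnabled = $false
        HiddenFromAddressListsEnabled = $true; ActiveSyncEnabled = $false; OWAforDevicesEnabled = $false
        MAPIEnabled = $false; PopEnabled = $false; ImapEnabled = $false; ForwardingSmtpAddress = $null }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example'; AccountEnabled = $false
        HiddenFromAddressListsEnabled = $true; ActiveSyncEnabled = $false; OWAforDevicesEnabled = $false
        MAPIEnabled = $false; PopEnabled = $false; ImapEnabled = $true
        ForwardingSmtpAddress = 'smtp:bob.personal@mail.example' }
)
$samples | ForEach-Object { Test-SuspendedAccountState -State $_ -AcceptedDomains 'contoso.example' } | Format-List
```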
Output Section
This section defines the output format of this rule.
To get more information about this section, please see the Output section article.
Enforce/Schedule section
This section defines the schedule for how often to run the rule.
To get more information about this section, please see the Enforce/Schedule section article.
Change History
Version | Notes |
---|---|
9.4.0 | Sign out of all sessions setting has been replaced with Authentication methods and sessions setting. |
9.1.0 | These settings have been added: |
8.3.0 | |
8.1.0 | Suspend for Office 365 guests was added. |
7.3.0 | The rule supports mapping between the Active Directory user account and the Cloud user account by anchor attributes. |
6.4.0 | |