Articles in this section

See more
Print

Suspend | Office 365 User and Guest rule

Avatar
Tatiana Golubovich
  • Updated
Follow

 

Rule description

This rule provides suspend possibility for Office 365 users and Guests.

Important: Ofice 365 license is required (including Exchange license) for Office 365 user account in order for all settings in this rule to work properly.

An instance of the rule is automatically created during installation under the HOME > RULES > WebAdmin Rules (Pre-configured) folder. This instance is linked to Suspend web action and to AD Users | Suspend Expired AD UsersAD Users | Suspend Users, and other rules as a post-action rule in the Rules to run after section. 

Note 1: On-Premises Exchange Attributes must be present in Active Directory for future license revocation to work.
Note 2: Starting from version 7.3.0, this rule also supports mapping between Active Directory user account and Cloud user account by anchor attributes. For details, please see How to map Active Directory users to Office 365 cloud users article.

 

When to use this rule

You typically do not need to create an instance of this rule, as it is automatically created during installation and linked to the Suspend (AD and Office 365) and rules, listed above. The rule is executed when you perform Suspend on Office 365 user account or Suspend\Scheduled Suspend action on Active Directory user accounts if they have corresponding Office 365 user account.

When you perform Suspend action for Active Directory user account and also need to suspend the corresponding Office 365 account, you need to set Suspend related Office 365 user option to Yes. You can find this option in Suspend Active Directory user action and rules listed below:

  1. AD Users | Process Scheduled Suspends
  2. AD Users | Suspend Expired AD Users
  3. AD Users | Suspend Users
  4. Office 365 Users Inactive | Suspend Users
  5. Text file | Suspend AD Users
  6. Import SQL Data | Suspend AD Users
  7. Import Oracle Data | Suspend AD Users

 

Rule Settings

Query Section

Setting name Description*
More options  

Domain controller

Select the domain controller to run the rule.

Credentials

Specify credentials to the selected domain controller.

 

Action Section

Setting name Description

Prevent Sign-in

Use this setting to prevent the user their access to Office 365 account.

Scramble Password

Define whether to generate a random password for a user after suspend or not.

Hide from GAL

Hide a user from a Global Address List.

Remove license, mailbox and archive mailbox

When set to Yes, if AD user has a remote mailbox and archive mailbox associated, both have to be removed with license removal.

To preserve user mailbox and archive mailbox data, either set this setting to No or set Convert to Shared mailbox setting to Yes.

Put mailbox on Litigation Hold

Specify No, revoke license immediately to disable the Litigation Hold and revoke license immediately after a user is suspended.

Specify Yes, revoke license after litigation hold duration to place the mailbox on litigation hold and revoke a license after the litigation hold duration.

Specify Yes, revoke license after litigation hold assignment has been completed to place the mailbox on litigation hold and revoke a license after the litigation hold assignment has been completed.

After a mailbox is placed on litigation hold, messages can't be deleted from the mailbox. Deleted items and all versions of changed items are retained in the Recoverable Items folder. Items that are purged from the dumpster are also retained and the items are held indefinitely. If you enable litigation hold, single-item recovery quotas aren't applied.

Litigation hold duration (days)

Specify the number of days the mailbox items are held if the mailbox is placed on litigation hold. The duration is calculated from the date a mailbox item is received or created.

Convert to Shared Mailbox
Important: Cayosoft recommends converting user mailbox to shared mailbox after suspending action. In this case, the mailbox data and archive data don't get lost, and it allows to avoid the errors during undo suspend operation. For information about Undo Suspend Office 365 account, please see this KB20180531-1 article.

Specify Yes to convert to Shared mailbox.

Specify Yes and grant manager full permissions on mailbox to convert to shared mailbox and give the manager the access to a user mailbox.

Specify Yes and grant manager + delegates full permissions on mailbox to convert to shared mailbox and give the manager and delegates the access to a user mailbox.

Specify Yes and grant delegates full permissions on mailbox to convert to shared mailbox and give the delegates the access to a user mailbox.

Specify No to keep the mailbox as is, without converting to a shared mailbox.

Delegates (Shared Mailbox)

You can specify delegates who will have the access to a user mailbox after this user is suspended. For details, please see the previous setting Convert to Shared mailbox.

Set Forward address

Specify No if you don't need to get emails that will be sent to suspended users.

Specify Forward local to forward emails sent to suspended users to the local mailbox.

Specify Forward External Mailbox to forward emails sent to suspended users to the external mailbox.

Forward Address

You can specify the forward address to forwarding emails sent to suspended users.

AD attribute to store license remove date

Specify Active Directory attribute to store license remove the date.

Email Connectivity

 

Disable Exchange ActiveSync

Disable OWA for Devices

Disable MAPI

Disable POP3

Disable IMAP4

Specify these settings to enable or disable access to the mailbox by using the corresponding protocol clients.

 

Remote Device Wipe (Exchange ActiveSync)

 

Delete all data from a mobile phone via Exchange ActiveSync

Specify whether to wipe from a user phone all corporate data after this user is suspended.

Note: If you are using Intune, you should be using Intune to trigger data removal, not Exchange. Depending on the scenario, it could be accomplished via App Protection Policy selective wipe, or Device enrollment retire/wipe commands.

Email address for the remote device wipe confirmation (optional)

You can specify an email address for the remote device wipe confirmation.

Autoreply Message

 

Set Autoreply Message

 Specify whether to set autoreply message after a user is suspended and don't have access to his mailbox anymore. 

Autoreply Message

Specify autoreply message text.

OneDrive settings

 

Change Personal Site Admin

Specify Do not change if you don't want to change personal site admin after a user is suspended.

Specify Set specified account(s) if you want to change personal site admin after a user is suspended.

Specify Try to set manager as owner if empty or disabled then assign specified account(s) if you want to change personal site admin after a user is suspended.

New OneDrive Personal Site owner(s)

You can specify one or more User Principal Names separated by ";" that will be new personal site admins after a user is suspended.

* Certain details and information for the settings are taken from the Microsoft Docs.  

 

Output Section

This section defines the output format of this rule. 

To get more information about this section, please see the Output section article.

 

Enforce/Schedule section

This section defines the schedule for how often to run the rule.

To get more information about this section, please see the Enforce/Schedule section article. 

 

Change History

Version Notes
8.1.0

Suspend for Office 365 guests was added.
7.3.0

The rule supports mapping between Active Directory user account and Cloud user account by anchor attributes.
6.4.0

These settings are renamed:

1. Remote Device Wipe > Remote Device Wipe (Exchange ActiveSync)

2. Delete all data from a mobile phone > Delete all data from a mobile phone via Exchange ActiveSync

3. Note added.

 

 

 

Related articles

Comments

0 comments

Please sign in to leave a comment.