Select the domain controller to run the rule.

Use this setting to prevent the user their access to Microsoft 365 account.

Specify if:

• Delete all authentication methods and sign-out of all sessions.

• Keep methods and sign out of all sessions.

• Keep methods and sessions.

Define whether to generate a random password for a user after suspension or not.

Hide a user from a Global Address List.

When set to Yes, if the AD user has a remote mailbox and archive mailbox associated, both have to be removed with license removal.

To preserve the user mailbox and archive mailbox data, either set this setting to No or set Convert to Shared mailbox setting to Yes.

If Remove license above is set to Yes, this will attempt to assign the replacement licenses listed here.

Enter the SkuID of the licenses that should be assigned separated by a semicolon, e.g. EXCHANGESTANDARD; EXCHANGE_S_ARCHIVE_ADDON.

NOTE: This option does not work if the Litigation  Hold option is enabled for delayed license removal.

• Specify No, revoke license immediately to disable the Litigation Hold, and revoke the license immediately after a user is suspended.

• Specify Yes, revoke license after litigation hold duration to place the mailbox on litigation hold and revoke a license after the mailbox was put on litigation hold. Putting mailbox on litigation hold usually takes some time. The license will be revoked in a day in this case. 

• Specify Yes, revoke license after litigation hold assignment has been completed to place the mailbox on litigation hold and revoke a license after the litigation hold assignment has been completed.

After a mailbox is placed on litigation hold, messages can't be deleted from the mailbox. Deleted items and all versions of changed items are retained in the Recoverable Items folder. Items that are purged from the dumpster are also retained and the items are held indefinitely.

If you enable litigation hold, single-item recovery quotas aren't applied.

Specify the number of days the mailbox items are held if the mailbox is placed on litigation hold. The duration is calculated from the date a mailbox item is received or created.

IMPORTANT: Cayosoft recommends converting the user mailbox to a shared mailbox after suspending action. In this case, the mailbox data and archive data don't get lost, and it allows you to avoid errors during undo suspend operation. For information about Undo Suspend Office 365 account, please see this Undo Suspend | Office 365 User.

NOTE: If a user account is converted to a shared mailbox, it must remain synced. If the Active Directory account is deleted or moved out of sync scope, then the cloud account gets deleted too.

NOTE: When a linked mailbox gets suspended, the Convert to Shared mailbox step is skipped. Before running suspend for a linked mailbox be sure that Azure AD sync was run.

• Specify Yes to convert to Shared mailbox.

• Specify Yes and grant manager full permissions on mailbox to convert to the shared mailbox and give the manager access to a user mailbox.

• Specify Yes and grant manager + delegates full permissions on mailbox to convert to the shared mailbox and give the manager and delegates access to a user mailbox.

• Specify Yes and grant delegates full permissions on mailbox to convert to the shared mailbox and give the delegates access to a user mailbox.

• Specify No to keep the mailbox as is, without converting to a shared mailbox.

• Specify No and grant manager full permissions on mailbox to not convert to the shared mailbox and grant manager full permissions on this mailbox.

You can specify delegates who will have the access to a user mailbox after this user is suspended. For details, please see the previous setting Convert to Shared mailbox.

• Specify No if you don't need to get emails that will be sent to suspended users.

• Specify Forward local to forward emails sent to suspended users to the local mailbox.

• Specify Forward External Mailbox to forward emails sent to suspended users to the external mailbox.

You can specify the forward address to forward emails sent to suspended users.

Specify Active Directory attribute to store the license removal date.

Email Connectivity

Specify these settings to enable or disable access to the mailbox by using the corresponding protocol clients.

When set to Yes, shared mailbox permissions will be removed after user suspension.

NOTE: This functionality works through the Cayosoft Guardian Integration extension, which needs to be configured to get per-user mailbox permissions.

Remote Device Wipe (Exchange ActiveSync)

Specify whether to wipe from a user's phone all corporate data after this user is suspended.

NOTE: If you are using Intune, you should be using Intune to trigger data removal, not Exchange. Depending on the scenario, it could be accomplished via the App Protection Policy selective wipe, or Device enrollment retire/wipe commands.

You can specify an email address for the remote device wipe confirmation.

Autoreply Message

Specify autoreply message text.

OneDrive settings

• Specify Do not change if you don't want to change personal site admin after a user is suspended.

• Specify Set specified account(s) if you want to change personal site admin after a user is suspended.

• Specify Try to set manager as owner if empty or disabled then assign specified account(s) if you want to change personal site admin after a user is suspended.

You can specify one or more User Principal Names separated by ";" that will be new personal site admins after a user is suspended.

Group Membership and Ownership

When set to Yes, the account will be removed from all Entra ID security groups, Microsoft Groups, Teams, and Distribution Lists.

You can add group display names where the user should remain as member/owner on suspension separated by a semi-colon.

Example: name1;name2