Offboard User Permanently

Description

Permanently offboards a user by revoking access, disabling or deleting the account, adjusting group and license assignments, and optionally exporting memberships. Optionally removes or replaces group ownerships when required.

Location

User → General → Offboard User Permanently

Full Runbook name

rjgit-user_general_offboard-user-permanently

Permissions

Application permissions

• Type: Microsoft Graph

  • User.ReadWrite.All

  • Group.ReadWrite.All

  • GroupMember.ReadWrite.All

Permission notes

Azure IaaS: Contributor access on subscription or resource group used for the export

RBAC roles

• User administrator

Parameters

UserName

User principal name of the target user.

DeleteUser

"Delete user object" (final value: $true) or "Keep the user object" (final value: $false) can be selected as action to perform. If set to true, the user object will be deleted. If set to false, the user object will be kept but access will be revoked and sign-in will be blocked.

DisableUser

If set to true, disables the user account for sign-in.

RevokeAccess

If set to true, revokes the user's refresh tokens and active sessions.

exportResourceGroupName

Azure Resource Group name for exporting data to storage.

exportStorAccountName

Azure Storage Account name for exporting data to storage.

exportStorAccountLocation

Azure region used when creating the Storage Account.

exportStorAccountSKU

SKU name used when creating the Storage Account.

exportStorContainerGroupMembershipExports

Container name used for group membership exports.

exportGroupMemberships

If set to true, exports the user's current group memberships to Azure Storage.

ChangeLicensesSelector

Controls how directly assigned licenses should be handled.

ChangeGroupsSelector

"Change" and "Remove all" will both honour "groupToAdd"

GroupToAdd

Group that should be added or kept when group changes are enabled.

GroupsToRemovePrefix

Prefix used to remove groups matching a naming convention.

RevokeGroupOwnership

"Remove/Replace this user's group ownerships" (final value: $true) or "User will remain owner / Do not change" (final value: $false) can be selected as action to perform. If set to true, the runbook will attempt to remove the user from group ownerships. If the user is the last owner of a group, it will attempt to assign a replacement owner; if that fails, it will skip ownership change for that group and log it for manual follow-up.

ManagerAsReplacementOwner

If set to true, uses the user's manager as replacement owner where applicable.

ReplacementOwnerName

User who will take over group or resource ownership if required.

Back to Runbook Reference overview