Configure OneDrive access delegation upon account removal

When you remove a user from Office 365 or Active Directory, you can decide what to do with this user’s content, e-mail account and related product licenses. For more information on this, refer to my previous article, Things to consider when deleting a user account from an Office 365 subscription.


In this article we will look at how to configure OneDrive to automatically delegate access to someone else upon a user’s departure (after the account is removed). In simple terms, let’s configure delegation.

The default setting for a deleted user is that access is granted to that user’s Manager for a 30-day period (unless you have customized the retention period). But what if the user has no Manager defined and access delegation is disabled, too? In that case OneDrive follows the steps described in my previous article (Things to consider when deleting a user account from Office 365), so make sure you read through that, too.

Here are the steps:

Sign in to the Office 365 Admin Center as a Global Admin. If you are prompted with an access message, you probably do not have Global Admin rights. Either request them, or, if you are not the right person to do this task in your organization, refer it to whoever is.

Next, expand the navigation with the “Show all” option.


Head on to “All admin centers”.


Then choose “SharePoint Admin Center”.


From here, head on to the classic SharePoint Admin site, because the settings we are going to manage are not yet available in the modern SharePoint Admin interface.


Once you are on the classic page, go to the “User profiles” tab.


Then choose “Setup My Sites” under the My Site Settings section.


Now scroll down to the bottom of the Setup My Sites page until you reach the access delegation settings.

Enable access delegation here and define a secondary owner as well. As the on-page description explains:

  • The access delegation option allows OneDrive to automatically delegate control to the user’s Manager upon removal of any user identity.
  • Defining a secondary owner is useful in the scenario where the Manager of a particular user is unavailable: the OneDrive is then still delegated to the secondary owner.


Additionally, you can enable a further option on the same page. It simply means that a single person is the secondary owner of all users’ My Site/OneDrive content.


Read my previous post to understand the fundamental things to consider when deleting a user account from Office 365, and the Customize OneDrive retention period article to set your own retention period for OneDrive accounts.

DISCLAIMER NOTE: This is an enthusiast post and is not sponsored by Microsoft or any other vendor.


Customize Office 365 OneDrive Retention Period

OneDrive can hold the content of a user account that has been removed from Active Directory for a period of your choosing. As an Office 365 Admin, you control the retention period at the organization level. To do this, follow these simple steps.

Open the Office 365 Admin Center in your browser and head on to the Storage blade.


Expand the navigation with the “Show all” option.


Head on to “All admin centers”.


Click on the “OneDrive” Admin Center.


Navigate to the Storage tab. You will see the default retention period here. If you wish to extend the period for deleted users, change the value to the desired period of time and save it.


Read this post to understand the fundamental things to consider when deleting a user account from Office 365.

DISCLAIMER NOTE: This is an enthusiast post and is not sponsored by Microsoft or any other vendor.

I’ll be speaking at aOS Conference Kuala Lumpur


DATE: 23rd October 2018, Tuesday

TIME: 09.00 AM to 5.30 PM (registration starts at 8.30 AM)

VENUE: Event Floor, Microsoft Malaysia, 18th Floor, Menara Shell (Microsoft New Office)

FEE: Free entrance

**Register NOW! Seats are on first come first serve basis**

REGISTER HERE!!!

Who Is This For?

The content is suited to business people, managers, CIOs, executives, and end users.

There is also content for Technical roles (IT Pros, Developers and Hands on Power Users) to learn the how and why of many Office 365 (and SharePoint) apps.

If you are someone who sees the digital workplace as a way to improve the way you work, increase your team’s productivity and deliver better results – come and learn how.

· Business Decision Makers – what it can do?

· IT Pro – how to migrate or manage?

· Developers – how to build or configure it?

Agenda (tracks: Business Decision, IT Pro, Developers):

08.30 AM – 09.00 AM: Registration

09.00 AM – 09.45 AM: Opening & Key Note

10.00 AM – 10.45 AM:
  • Business Decision: Transforming Your Organization into a Digital Workplace
  • IT Pro: A Deep Dive into Microsoft 365 Security
  • Developers: A Deep Dive into Microsoft 365 Security

11.00 AM – 11.45 AM:
  • Business Decision: Delivering tangible business value with Office 365
  • IT Pro: Single Sign on and Multi Factor Authentication with Azure AD
  • Developers: Lean, Scrum and Low code approach of SharePoint and O365 projects

12.00 PM – 12.45 PM:
  • Business Decision: Accelerate success and time-to-value for Microsoft 365 with best practices from the field
  • IT Pro: Data Leakage Prevention and Rights Management in Office365
  • Developers: Bot Framework with Microsoft Team

01.00 PM – 01.45 PM: Lunch

02.00 PM – 02.45 PM:
  • Business Decision: The 4th Dimensional Meeting
  • IT Pro: Migrating to SharePoint Online – Real-life Experiences
  • Developers: Accelerating development and business with Azure Containers

03.00 PM – 03.45 PM:
  • Business Decision: Bots – Changing the way we engage with technology
  • IT Pro: How your SharePoint deployment can benefit from Azure capabilities
  • Developers: Microsoft Graph: Get the power of Excel functions into your Web Applications

04.00 PM – 04.45 PM:
  • Business Decision: All about documents in O365 and SharePoint
  • IT Pro: IOT for Beginners and IT Pros
  • Developers: Using Graph API to read Outlook mail for Accounting

05.00 PM – 05.30 PM: Wrap Up & Panel Discussion

Share & exchange, Worldwide

In conjunction with our inaugural ASEAN tour, aOS is bringing its global experts to mingle with Malaysia’s Azure and Office 365 users’ community to exchange ideas on how to maximize your usage and ROI from Microsoft’s cloud technologies.

CONNECT: Meet like-minded people, make new connections, build your support network. See a whole range of products and demonstrations ALL in the one place!

LEARN: Whether it be training, up-skilling or starting from scratch, the opportunities to learn from the BEST in the field are here.

EXPERIENCE: New innovation and inspiring speakers. Walk away with ideas and momentum. We bring you LOTS of what is NEW in Microsoft Office 365 and Azure.

Technologies Content – Microsoft Teams (and Groups), PowerApps, Flow, Power BI, OneDrive, Microsoft Forms, Skype for Business, Azure, Yammer, OneNote, Office 365, many 3rd party tools and our awesome line up of SharePoint content.

Business and Productivity Content – Digital Workspace, Security, Governance, Information Architecture, Collaboration, Data Migration, User Adoption, Agile Development, Mobile and Paperless Workforce.

With 18 SESSIONS (MVPs and domain experts) from 14 INTERNATIONAL SPEAKERS and 7 COUNTRIES, this event is THE Office 365 event for this year. With limited spaces available, it is on a first come, first served basis. Be there or be square! (read more here!)

Things to consider when deleting a user account from an Office 365 subscription

When an employee departs from a company, it is part of the offboarding procedure to remove the account and take the necessary actions on the associated content, based on company policy.

Associated Content Might be Crucial to your Organization:


OneDrive content stored by the target user remains for 30 days, as per the default retention period. You can restore the account within those 30 days; otherwise the data is permanently deleted. If the target user’s data is critical, you can move it to a different location (this must be done within 30 days of account deletion).

Nevertheless, this does not matter if the user has a Manager defined, because by default the OneDrive content of deleted users is automatically delegated to the line Manager, who has access to the content until the end of the retention period.

This is how the whole process would roll:

  1. An account is deleted from AD Sync or the Office 365 user list.
  2. The deletion is synchronized to SPO (SharePoint Online).
  3. The OneDrive is then marked for deletion by cleanup jobs, and the deleted identity remains visible in Office 365 for 30 days (or whatever period is defined in the retention settings).
  4. If the user has a Manager defined in their profile, the Manager receives an email with the access details for the deleted user’s OneDrive and has access until the end of the retention period. At the end of the retention period, OneDrive jobs run and delete it.
  5. Reminder emails are sent to the relevant Manager 7 days prior to the end of the retention period, and after those 7 days the user’s OneDrive is sent to the Site Collection Recycle Bin. The Site Collection Recycle Bin holds it for 93 days by default (about 3 months). During this period no one has access to the shared content of this OneDrive, and you can only restore it using PowerShell.
  6. Content in the Site Collection Recycle Bin does not appear in search results, and an eDiscovery hold cannot locate any content that resides in the bin either.

However, you can customize the retention policy to reflect your needs and set your own duration, so that OneDrive holds a deleted user’s data for longer than the default 30 days. Check this post on changing the “Retention Policy” of OneDrive.
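The retention period change from the Customize Office 365 OneDrive Retention Period post above and the PowerShell-only restore from step 5, done from the SharePoint Online Management Shell, as an added example that is not part of the original posts. It assumes a placeholder tenant name "contoso", placeholder UPNs for the deleted user and the Manager, and that the account running it is a SharePoint admin.

```powershell
# Added example (not from the posts): retention check and OneDrive recovery
# with the SharePoint Online Management Shell. "contoso" and the UPNs below
# are placeholders; replace them with your tenant and users.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Read the tenant-wide OneDrive retention period for deleted users (days).
#    This is the same value the OneDrive Admin Center "Storage" tab shows.
$tenant = Get-SPOTenant
"Current retention period: $($tenant.OrphanedPersonalSitesRetentionPeriod) days"
# Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod 90   # uncomment to raise it

# 2. Locate the deleted user's OneDrive in the site collection recycle bin.
#    Personal site URLs encode the UPN with '_' in place of '@' and '.'.
$deletedUserUpn = "jdoe@contoso.com"        # placeholder
$managerUpn     = "manager@contoso.com"     # placeholder
$urlFragment    = $deletedUserUpn -replace '[@.]', '_'
$deleted = Get-SPODeletedSite -IncludeOnlyPersonalSite |
           Where-Object { $_.Url -like "*/personal/$urlFragment" } |
           Select-Object -First 1
if ($null -eq $deleted) { throw "No deleted OneDrive found for $deletedUserUpn" }
"Found $($deleted.Url), $($deleted.DaysRemaining) day(s) left in the recycle bin"

# 3. Restore it and make the Manager a site collection admin so the content can
#    be reviewed or moved before it ages out again. Revoke this right once done.
Restore-SPODeletedSite -Identity $deleted.Url
Set-SPOUser -Site $deleted.Url -LoginName $managerUpn -IsSiteCollectionAdmin $true
Get-SPOSite -Identity $deleted.Url | Select-Object Url, Owner, StorageUsageCurrent
```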

Licenses:

Upon removal of the user identity, you can detach the licenses associated with the account to stop paying for them unnecessarily. This option automatically removes the licenses from the target subscription. You cannot remove licenses from a subscription that has ongoing commitments (such as an annual commitment bought through a license partner); you will not be able to remove those licenses until the commitment period has completed.

Mailbox and Associated Aliases:


By default a deleted mailbox is recoverable for 30 days, but this depends on your retention policy. To understand more, read the article Delete or restore user mailboxes in Exchange Online.

You can delegate the mailbox of a deleted account to someone else (in most cases, the Manager), which converts it into a Shared Mailbox. The new owner of the mailbox can then access it and monitor it for new messages. The Shared Mailbox object appears under the Active Users list in Office 365.

In addition, you can change the display name (this is recommended so you can easily identify the Shared Mailbox among the other identities in the Active Users list of Office 365), and you may turn on “Automatic Replies”. A default automatic reply comes out of the box when you enable it, but it’s up to you if you want a custom one.

Active Directory:

If Active Directory is hybrid, you have to perform the deletion in your local AD; synchronized identities cannot be deleted from Office 365.

To remove an account:

  • Sign in to the Office 365 portal with your Admin account
  • From the Admin Center, go to the Active users section by choosing Users –> Active
  • Select the target user and delete it

Notes: There can be exceptions, such as users who have downloaded OneDrive or SharePoint content to their personal devices. There is no way to remove this kind of content if the user already did so before the account was removed, so ensure you take the necessary compliance actions across all corporate and BYOD devices to avoid such compliance breaches. Microsoft Intune and the associated EMS tools can help you meet this need.

For detailed steps on configuring automatic access delegation, refer to this article.

DISCLAIMER NOTE: This is an enthusiast post and is not sponsored by Microsoft or any other vendor.

Keep it simple: Adding bulk set of users to a SharePoint Group using REST API

Large enterprises always require bulk operations to make things faster and easier. Recently I faced a situation where hundreds of users needed to be added to SharePoint groups. This is a time-consuming task in large SharePoint setups if you have to add users manually one by one. No! The manual approach is not going to work for this.


The REST API in SharePoint can be used in this scenario to cut the effort and time from hours or even days to a few seconds. In this post I will discuss the way I achieved this goal, so that you can follow it if you are in such a situation.

Background: I have an Excel sheet filled with all the required users in a UserName column. This spreadsheet is uploaded to the SiteAssets library. The code reads the Excel sheet from this library and picks up the users from it. Simple as that!

Change the site URL attribute’s value to reflect yours and you are good to go.



var spGroup;      // target SharePoint group, resolved by its numeric ID
var users = [];   // SP.User objects queued for this batch

// Reads the UserName column of Users.xlsx from the SiteAssets library and adds
// each account to the group. ActiveXObject only works in Internet Explorer, and
// the SharePoint JavaScript object model (SP.ClientContext) must be loaded.
function AddUserFromExcel()
{
    var Excel = new ActiveXObject("Excel.Application");
    Excel.Visible = false;
    // Open the workbook once, not on every loop iteration.
    var workbook = Excel.Workbooks.Open("http://mantososp/SiteAssets/Users.xlsx?Web=1");
    var sheet = workbook.ActiveSheet;

    var clientContext = new SP.ClientContext.get_current();
    var web = clientContext.get_web();
    spGroup = web.get_siteGroups().getById(4990);   // change to your group's ID
    var userCollection = spGroup.get_users();

    // Column A holds the user names; raise the upper bound to cover all rows.
    for (var l = 1; l < 3; l++)
    {
        var a1 = sheet.Cells(l, 1).Value;
        if (a1 === null || a1 === undefined || a1 === "") { break; }   // stop at first empty row
        var a4 = "Domain\\" + a1;
        var user = web.ensureUser(a4);
        userCollection.addUser(user);
        clientContext.load(user);
        users.push(user);
    }
    clientContext.load(spGroup);

    workbook.Close(false);
    Excel.Quit();

    // A single round trip adds every queued user instead of one request per row.
    clientContext.executeQueryAsync(onQuerySucceeded, onQueryFailed);
}

function onQuerySucceeded()
{
    alert('success');
}

function onQueryFailed(sender, args)
{
    alert('Request failed. ' + args.get_message());
}



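The same bulk add done from the SharePoint Management Shell on the server, reading a CSV export of the Users sheet instead of driving Excel through ActiveX in the browser, as an added example that is not part of the original post. It assumes the post’s site URL and “Domain” prefix, a placeholder group name, a placeholder CSV path with a UserName column, and on-premises SharePoint Server cmdlets.

```powershell
# Added example (not from the post): idempotent bulk add of users to a
# SharePoint Server group, with a per-user result report. Placeholders:
# $GroupName, $CsvPath and the report path.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$SiteUrl   = "http://mantososp"      # site from the post
$Domain    = "Domain"                # NetBIOS domain placeholder, as in the post
$GroupName = "Project Members"       # placeholder: name of the group to populate
$CsvPath   = "C:\Temp\Users.csv"     # placeholder: CSV exported from Users.xlsx

$web   = Get-SPWeb $SiteUrl
$group = $web.SiteGroups[$GroupName]
if ($null -eq $group) { throw "Group '$GroupName' not found on $SiteUrl" }

# Snapshot current members once so re-running the script does not re-add anyone.
$members = @($group.Users | ForEach-Object { $_.LoginName.ToLower() })

$report = foreach ($row in Import-Csv $CsvPath) {
    $name = "$($row.UserName)".Trim()
    if (-not $name) { continue }                     # skip blank rows in the sheet
    $alias = "$Domain\$name"
    # Claims logins look like i:0#.w|domain\user, classic ones like domain\user,
    # so compare on the trailing domain\user part only.
    if ($members | Where-Object { $_.EndsWith($alias.ToLower()) }) {
        [pscustomobject]@{ User = $alias; Result = "AlreadyMember" }
        continue
    }
    try {
        New-SPUser -UserAlias $alias -Web $SiteUrl -Group $GroupName -ErrorAction Stop | Out-Null
        [pscustomobject]@{ User = $alias; Result = "Added" }
    } catch {
        # Typical cause: the account does not exist in AD (typo in the sheet).
        [pscustomobject]@{ User = $alias; Result = "Failed: $($_.Exception.Message)" }
    }
}
$web.Dispose()

$report | Format-Table -AutoSize
$report | Export-Csv -Path "C:\Temp\AddUsers-Report.csv" -NoTypeInformation
```

Keep the exported report with the change request: it records exactly who was granted group membership and which rows failed.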