Steps and the procedures for Offboarding Users in Hybrid AD & Exchange Server-office 365 environment?

EnterpriseArchitect 6,041 Reputation points
2021-06-02T14:51:53.343+00:00

Hi everyone,

Using Hybrid Exchange Server 2016 + AD OnPremise syncing with Azure AD.
All OUs are synched to Azure AD, except the DISABLED AD ACCOUNTS OU.

I need some clarification as to how can I automatically de-allocate Microsoft 365 licenses when offboarding the user.

  1. Does moving the AD user account to the non-synced OU automatically de-allocate the existing license of the user, or will it still be retained for x amount of days?
  2. Does disabling the AD user account without moving it to the DISABLED AD ACCOUNTS OU also de-allocate the licenses of the user, or will they still be retained for x amount of days?

Thanks in advance.


Accepted answer
  1. Andy David - MVP 157.4K Reputation points MVP Volunteer Moderator
    2021-06-03T12:45:01.917+00:00

    OK, I understand your question now.
    Yes to both:

    1. Yes, it does make sense. If the account is not removed or still in the Recycle Bin, then the license is still assigned.
    2. I assume that when removing the account from the synced OU, the account will be in a state like #1 above?

    Even if the account is not in Azure, it's in the deleted items "bin" for 30 days and recoverable, and the license is still assigned.

    So you can:

    1. Remove the license before deleting.
    2. Purge the account completely before the 30 days expire in the bin (be careful doing this because then it's really gone).

    You can do this via the portal or PowerShell to purge:
    Remove-MsolUser -UserPrincipalName <user> -RemoveFromRecycleBin

    2 people found this answer helpful.
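
An added example, not part of the thread and not Microsoft's code: a PowerShell function covering the two options in the accepted answer, which reports the license state it actually finds before changing anything. It assumes the MSOnline module used in the answer is installed and `Connect-MsolService` has already been run; the function name `Invoke-LicenseOffboarding` and its parameters are hypothetical.

```powershell
# Added example. Invoke-LicenseOffboarding is a hypothetical name.
# Assumes: MSOnline module loaded, Connect-MsolService already run.
function Invoke-LicenseOffboarding {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [switch] $PurgeFromRecycleBin   # option 2: irreversible
    )

    # Option 1: the account is still active, so remove its licenses first.
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
    if ($user) {
        $skus = @($user.Licenses | ForEach-Object { $_.AccountSkuId })
        if ($skus.Count -gt 0 -and
            $PSCmdlet.ShouldProcess($UserPrincipalName, "Remove licenses: $($skus -join ', ')")) {
            Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -RemoveLicenses $skus
        }
        # Re-read the account so the output shows the state after the change.
        return Get-MsolUser -UserPrincipalName $UserPrincipalName |
            Select-Object UserPrincipalName, IsLicensed, BlockCredential
    }

    # Not active: look in the deleted users "bin" (for example after the
    # account was moved to an OU that is not synced).
    $deleted = Get-MsolUser -ReturnDeletedUsers -All |
        Where-Object { $_.UserPrincipalName -eq $UserPrincipalName }
    if (-not $deleted) {
        Write-Warning "$UserPrincipalName was not found as an active or deleted user."
        return
    }

    # Report what the tenant shows instead of assuming the license was released.
    $deleted | Select-Object UserPrincipalName, IsLicensed, SoftDeletionTimestamp,
        @{ Name = 'Skus'; Expression = { $_.Licenses.AccountSkuId -join ', ' } }

    # Option 2: purge before the 30 days are up. The account cannot be restored.
    if ($PurgeFromRecycleBin -and
        $PSCmdlet.ShouldProcess($UserPrincipalName, 'Permanently remove from recycle bin')) {
        Remove-MsolUser -ObjectId $deleted.ObjectId -RemoveFromRecycleBin -Force
    }
}

# Dry run against a constructed UPN: shows what would change, changes nothing.
# Invoke-LicenseOffboarding -UserPrincipalName 'leaver@contoso.example' -WhatIf
```

Running it with `-WhatIf` first, then again without it, gives a before-and-after record of the license state for the offboarding ticket.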

2 additional answers

  1. KyleXu-MSFT 26,396 Reputation points
    2021-06-03T06:40:14.433+00:00

    @EnterpriseArchitect

    If you move an AD account from a synced OU to an unsynced OU, the account's AAD account will become a deleted user and its licenses will be released.

    If you disable the AD account, the licenses will still exist on this AAD account. The only effect is that this user's login function will be blocked:
    [Screenshot: 101994-qa-kyle-14-09-53.png]

    If you move this disabled AD account to an unsynced OU, it will be the same as scenario one.



    3 people found this answer helpful.

  2. Andy David - MVP 157.4K Reputation points MVP Volunteer Moderator
    2021-06-02T15:44:18.987+00:00
    1. If the account is removed from Azure, the license is removed as well.
    2. Disabling the AD user account has no effect on the 365 License. You either need to remove it from the account manually or remove the account from the sync.
    1 person found this answer helpful.
