Do I remove old AD accounts

Pio Egan 1 Reputation point
2022-01-05T16:48:52.137+00:00

Multiple applications use the AD user-id or email address to verify the user within the application. We need to keep the application for 30+ years. AD accounts get removed after 30 days. When someone gets hired that has the same user-id as an old employee there is a conflict within the application. The new employee is not the actual person referenced in the application.

Issues.

1/ I don't want to keep old AD accounts anywhere on AD, even in a separate OU.

2/ I don't want to add a number to a new AD account in case there is a conflict.

Would the best practice be to change the unique identifier within the application to something other than the user-id?
Is this an issue in a lot of places?

Surely there is a best practice?

Thoughts?

Thanks.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. James Hamil 27,221 Reputation points Microsoft Employee Moderator
    2022-01-05T23:17:09.693+00:00

    Hi @Pio Egan, if I understand your question correctly there are a few ways you can do this. The first is PowerShell. This will remove the users based on your query. You can also do this manually in the portal.

    Based on how you add users, you could check if the user-id already exists, and then delete the old one if so (using custom policies and PowerShell). If needed you can check for other user attributes as well.

    If I misunderstood your question please let me know and I can help you further. If this answer helped you please mark it as "Verified" so other users may reference it.

    Thank you,
    James

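An added example (not from the question or from James's answer) of the identifier change the question asks about: the application keeps an immutable directory identifier (modelled here on AD's objectGUID) next to the reusable user-id, so a re-issued login name is flagged as a different person instead of silently mapping the new hire onto the old employee's records. All user names and GUID values below are constructed sample data.

```python
# Added example (not from the question or answer): flag application records whose
# user-id now belongs to a different person, using an immutable directory id
# (modelled on AD's objectGUID) stored alongside the reusable login name.
from dataclasses import dataclass

@dataclass(frozen=True)
class DirectoryUser:
    user_id: str      # sAMAccountName-style login name, reusable after deletion
    object_guid: str  # immutable per-object identifier, never reused

@dataclass(frozen=True)
class AppUser:
    user_id: str
    object_guid: str  # captured when the application record was created
    record_owner: str # the person the application record actually refers to

def classify_app_users(app_users, directory_users):
    """Map each application user-id to 'match' (same person), 'reused'
    (same name, different GUID: a new hire inherited it) or 'departed'
    (no account with that name exists any more)."""
    by_id = {d.user_id: d for d in directory_users}
    result = {}
    for a in app_users:
        d = by_id.get(a.user_id)
        if d is None:
            result[a.user_id] = "departed"
        elif d.object_guid == a.object_guid:
            result[a.user_id] = "match"
        else:
            result[a.user_id] = "reused"
    return result

# Constructed sample data: 'jsmith' was deleted and later re-issued to a new hire.
DIRECTORY = [
    DirectoryUser("jsmith", "guid-0002"),   # the new John Smith
    DirectoryUser("akhan", "guid-0003"),
]
APP_RECORDS = [
    AppUser("jsmith", "guid-0001", "John Smith (hired 1995)"),  # original owner
    AppUser("akhan", "guid-0003", "Aisha Khan"),
    AppUser("bwong", "guid-0004", "Ben Wong"),                  # account removed
]

if __name__ == "__main__":
    for uid, status in classify_app_users(APP_RECORDS, DIRECTORY).items():
        print(f"{uid}: {status}")
```

A record classified as `reused` is the conflict described in the question; keying the application on the stored GUID rather than the login name avoids it regardless of how soon the directory recycles names.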
