Hi,
We're currently working on our user deprovisioning processes and have an issue I am hoping someone can help us with.
We are currently in a hybrid model (on-premises AD synced to Azure using AD Connect).
The issue we face is that when a user leaves and gets deprovisioned, we need to remove them from all cloud groups.
I know ARS can remove from on-premises groups and then AD Connect syncs the changes, but that doesn't help for users added directly to AD Groups.
The problem with a PowerShell script is that if we run get-azureadgroupmembership it includes synced objects from on-premise, so it's not easy for them to be removed. Does anyone have any ideas how we can handle this better?
Equally, is there anywhere in ARS that records what AAD groups the user is a member of, so if we need to undo a deprovision we can add the user back into the AAD groups easily?
TIA.
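One way to handle the cloud-only group cleanup described in the post, written as an added example and not code from the poster or from Quest/ARS. It uses the AzureAD PowerShell module cmdlets Get-AzureADUser, Get-AzureADUserMembership, Get-AzureADGroup, Remove-AzureADGroupMember and Add-AzureADGroupMember (the post's "get-azureadgroupmembership" is assumed to mean Get-AzureADUserMembership). Synced groups are identified by the group's DirSyncEnabled property and skipped, since AD Connect will clear those memberships once ARS removes the on-premises membership; dynamic-membership groups are also skipped because their membership cannot be edited directly. Before anything is removed, the cloud-only memberships are written to a JSON file so a deprovision can be reversed; the file path, the -WhatIf switch and the Restore function are this example's own conventions, not an ARS feature.

```powershell
# Assumes an existing Connect-AzureAD session with rights to manage group membership.
# Example code, not part of the original post; cmdlet names are from the AzureAD module.

function Get-CloudOnlyGroupMembership {
    # Returns the groups a user belongs to that exist only in Azure AD
    # (not synced from on-premises AD) and are not dynamic-membership groups.
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    $memberships = Get-AzureADUserMembership -ObjectId $user.ObjectId -All $true |
        Where-Object { $_.ObjectType -eq 'Group' }

    foreach ($m in $memberships) {
        $group = Get-AzureADGroup -ObjectId $m.ObjectId
        # DirSyncEnabled is $true for groups mastered on-premises; cloud-only groups
        # return $null or $false. Those synced groups are left for AD Connect to handle.
        if ($group.DirSyncEnabled) { continue }
        # Dynamic groups are rule-driven; a manual Remove would fail, so record and skip.
        if ($group.GroupTypes -contains 'DynamicMembership') { continue }
        [pscustomobject]@{
            UserObjectId = $user.ObjectId
            UserPrincipalName = $user.UserPrincipalName
            GroupObjectId = $group.ObjectId
            GroupDisplayName = $group.DisplayName
        }
    }
}

function Invoke-CloudGroupDeprovision {
    # Saves the user's cloud-only memberships to a JSON file (the undo record the
    # post asks about), then removes the user from each of those groups.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [string]$BackupFolder = 'C:\Deprovision\GroupBackups',  # assumed path
        [switch]$WhatIf
    )

    $cloudGroups = @(Get-CloudOnlyGroupMembership -UserPrincipalName $UserPrincipalName)
    if (-not (Test-Path $BackupFolder)) { New-Item -ItemType Directory -Path $BackupFolder | Out-Null }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backupFile = Join-Path $BackupFolder ("{0}-{1}.json" -f $UserPrincipalName, $stamp)

    # Write the record first so a failure mid-loop still leaves a complete undo file.
    $cloudGroups | ConvertTo-Json -Depth 3 | Set-Content -Path $backupFile -Encoding UTF8
    Write-Host ("Recorded {0} cloud-only membership(s) to {1}" -f $cloudGroups.Count, $backupFile)

    foreach ($g in $cloudGroups) {
        if ($WhatIf) {
            Write-Host ("WhatIf: would remove {0} from '{1}'" -f $g.UserPrincipalName, $g.GroupDisplayName)
            continue
        }
        try {
            Remove-AzureADGroupMember -ObjectId $g.GroupObjectId -MemberId $g.UserObjectId
            Write-Host ("Removed from '{0}'" -f $g.GroupDisplayName)
        } catch {
            # Keep going; the backup file already lists every group for later review.
            Write-Warning ("Failed to remove from '{0}': {1}" -f $g.GroupDisplayName, $_.Exception.Message)
        }
    }
    return $backupFile
}

function Restore-CloudGroupMembership {
    # Reverses a deprovision by re-adding the user to every group in the backup file.
    param([Parameter(Mandatory)][string]$BackupFile)

    $entries = Get-Content -Path $BackupFile -Raw | ConvertFrom-Json
    foreach ($e in @($entries)) {
        try {
            Add-AzureADGroupMember -ObjectId $e.GroupObjectId -RefObjectId $e.UserObjectId
            Write-Host ("Re-added {0} to '{1}'" -f $e.UserPrincipalName, $e.GroupDisplayName)
        } catch {
            Write-Warning ("Failed to re-add to '{0}': {1}" -f $e.GroupDisplayName, $_.Exception.Message)
        }
    }
}

# Usage (constructed example identity):
#   $file = Invoke-CloudGroupDeprovision -UserPrincipalName 'leaver@example.com' -WhatIf
#   Restore-CloudGroupMembership -BackupFile $file
```

Run it once with -WhatIf on a test account to confirm the DirSyncEnabled filter leaves your synced groups alone before using it in the leaver workflow. Because the JSON file is the only record of what was removed, treat the backup folder as sensitive and keep it somewhere ARS or your ticketing process can reference when a deprovision has to be undone.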