Use workflow script to modify Azure attribute of removed member (disabling)

To add a bit to Richard.Lambert 's comments,  assuming the Cloud object is also being managed by Active Roles, you can force an immediate disable of the Azure object by setting the property  edsaAzureUserAccountEnabled of the associated on premises object to FALSE.

This could be done using an Update Activity in a workflow or directly using Powershell like this:

Set-QADUser -proxy -identity $MyOnPremObjectDN -AzureUserAccountEnabled $False

Good morning

Thanks for your answers.

As they are not synched thanks to ARS synch tool but by the default Ms one (don't ask me why but it is like this), edsaAzureUserAccountEnabled is not usable or i don't see how it can be updated

this is why i would like to use ARS workflow that i have created (removed member of a group) to insert a script to disable the azure account associated to this removed member. inside the workflow "Remove member from group",
step 1 => disable on premise member [Done and works perfectly]
Step 2 => script to disabling Azure account (Synched by MS AAD synch tool)
My question is:                 how i can retrieve the UPN of this removed member and use it in the script?

Good morning

Thanks for your answers.

As they are not synched thanks to ARS synch tool but by the default Ms one (don't ask me why but it is like this), edsaAzureUserAccountEnabled is not usable or i don't see how it can be updated

this is why i would like to use ARS workflow that i have created (removed member of a group) to insert a script to disable the azure account associated to this removed member. inside the workflow "Remove member from group",
step 1 => disable on premise member [Done and works perfectly]
Step 2 => script to disabling Azure account (Synched by MS AAD synch tool)
My question is:                 how i can retrieve the UPN of this removed member and use it in the script?

Ah OK - I would create a Change Workflow that detects the disabling of the on-premise user.

For the start condition, you want to detect where edsaUserEnabled is FALSE from Requested Changes

(In the start conditions for the workflow, you may also want to select which OU's to "watch" in case you don't want the workflow to react to ALL account disables)


Attribute change trigger

Selection of changed attribute in transaction

Full workflow start condition including sample OU filter

Here's a snippet of code to determine UPN of the user being disabled:

(You can just add the additional code to disable the Azure user.  Then add this as a script module (Policy Script type) into Active Roles and reference it in a Script Activity that is added to the above mentioned Change Workflow)

Function TrapDisableAndDisableAzureUser ($Request)
{

# $DirObj gives you access to the Active Roles in-process AD user object

$DisabledUserUPN = $DirObj.get("userprincipalname")

# Add code below to disable this user in Azure

}

Correction to attribute name above - should be edsaAccountIsDisabled is TRUE (this is reflected in the linked screen caps)

thanks for this solution. it works perfectly...