I’ve not found a way to do this. I have the scenario you mentioned, plus we control SSO to SaaS applications as well.
For common all-employee groups, I’ve switched to using <Company Name> Employees, <Company Name> Contractors and <Company Name> Guests. Employees and Contractors are assigned groups, and Guests is a dynamic group for all guest accounts. Then an MS Teams site, Yammer site or SaaS application like FreshService I set up with dynamic groups in AD.
So, if you are new, during the onboarding workflow I add you to either the Employees or Contractors group. There are several other dynamic security or Office groups that see that and automatically add you. Then on offboarding I remove you from the Employees group and put you in an Offboard group. This automatically unassigns you from all those groups, since you are no longer in the Employees group and fall outside of the dynamic rule set.
The issue becomes that there are some groups for a business-run application that I could automatically remove you from, but the business owner needs to know we are removing you from that group so they can go into their SaaS application and do whatever offboarding process is needed in the actual application. By automatically removing you from all the groups, we would lose track of what you had access to.
Given there is no way to classify or filter the groups that are returned by your user ID, I just stick with the basic dynamic and Employees group method for key things. I’ve yet to find an easy way to create a massive if/then loop based on the returned groups to say: yep, these we can just remove you from; those I need to look up in a custom object to see which business owner is responsible for that application, then send them an email to tell them they need to take some action, then remove you or wait for their approval to remove you from the security group, etc.
On top of this, I’ve not found a way to remove you from distribution groups, applications or Azure roles you may have been assigned. So, given a lot of this is manual AD work during offboarding, we just create several tasks that tell IT to go do XYZ, check for these things, manually notify the business owner if you see these groups, etc.
At times, I’m glad beyond all get-out that we are a small organization with limited growth.
Hope that helps
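The classification loop Patrick describes (remove from the plain assigned groups, notify the business owner for application groups, leave dynamic groups to recalculate, and push the rest onto the manual task list) can be scripted against the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the post or from FreshService. The group GUIDs, mailbox address and the owner lookup table are placeholders and constructed sample data; the Graph scopes assume a delegated sign-in with permission to send mail from the notification mailbox.

```powershell
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Groups, Microsoft.Graph.Users.Actions
# Added example: classify a leaver's Azure AD group memberships during offboarding.
# Not the poster's code; identifiers below are placeholders.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [string] $EmployeesGroupId = '00000000-0000-0000-0000-000000000001',  # placeholder GUID
    [string] $OffboardGroupId  = '00000000-0000-0000-0000-000000000002',  # placeholder GUID
    [string] $NotifyFrom       = 'it-offboarding@example.com',             # placeholder mailbox
    [switch] $WhatIf
)

# Constructed lookup: application groups whose business owner must act inside the
# SaaS application before IT removes the membership. Keyed by group display name.
$AppOwners = @{
    'App-FreshService-Agents' = 'servicedesk-owner@example.com'
    'App-Finance-ERP-Users'   = 'finance-owner@example.com'
}

Connect-MgGraph -Scopes 'User.Read.All','Group.ReadWrite.All','GroupMember.ReadWrite.All','Mail.Send' | Out-Null
$user = Get-MgUser -UserId $UserPrincipalName -Property 'id,userPrincipalName,displayName'

# Step 1: move the leaver out of Employees and into Offboard. Every dynamic group whose
# rule keys off Employees membership drops the user on its next rule evaluation.
if (-not $WhatIf) {
    Remove-MgGroupMemberByRef -GroupId $EmployeesGroupId -DirectoryObjectId $user.Id -ErrorAction SilentlyContinue
    New-MgGroupMemberByRef -GroupId $OffboardGroupId -BodyParameter @{
        '@odata.id' = "https://graph.microsoft.com/v1.0/directoryObjects/$($user.Id)"
    }
}

# Step 2: walk the remaining memberships and sort them into buckets.
$report = [ordered]@{ Removed = @(); Dynamic = @(); NotifyOwner = @(); Manual = @() }

foreach ($obj in Get-MgUserMemberOf -UserId $user.Id -All) {
    # memberOf also returns directory roles; those cannot be handled by group removal.
    if ($obj.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.group') {
        $report.Manual += "$($obj.AdditionalProperties['displayName']) (directory role, remove by hand)"
        continue
    }
    $g = Get-MgGroup -GroupId $obj.Id -Property 'id,displayName,groupTypes,mailEnabled,securityEnabled,onPremisesSyncEnabled'
    if ($g.Id -in @($EmployeesGroupId, $OffboardGroupId)) { continue }

    if ($g.GroupTypes -contains 'DynamicMembership') {
        # Membership is computed from the rule; a manual removal would be undone anyway.
        $report.Dynamic += $g.DisplayName
        continue
    }
    if ($g.OnPremisesSyncEnabled -or ($g.MailEnabled -and -not $g.SecurityEnabled)) {
        # Synced groups are read-only in the cloud and plain distribution lists are
        # managed in Exchange, so both go on the manual task list.
        $report.Manual += $g.DisplayName
        continue
    }
    if ($AppOwners.ContainsKey($g.DisplayName)) {
        $owner = $AppOwners[$g.DisplayName]
        $report.NotifyOwner += "$($g.DisplayName) -> $owner"
        if (-not $WhatIf) {
            Send-MgUserMail -UserId $NotifyFrom -BodyParameter @{
                message = @{
                    subject      = "Offboarding: $($user.DisplayName) leaving $($g.DisplayName)"
                    body         = @{ contentType = 'Text'; content = "Please complete offboarding for $($user.UserPrincipalName) in the application behind $($g.DisplayName) and reply to approve removal of the group membership." }
                    toRecipients = @(@{ emailAddress = @{ address = $owner } })
                }
                saveToSentItems = $false
            }
        }
        continue   # membership is kept until the owner confirms in the application
    }
    # Plain assigned security group with no application owner: safe to remove now.
    $report.Removed += $g.DisplayName
    if (-not $WhatIf) { Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id }
}

$report   # the per-bucket report is what gets attached to the offboarding ticket
```

Run it with `-WhatIf` first to see the four buckets without changing anything. The report is the answer to the "we would lose track of what you had access to" concern: it is produced before any removal happens, so the ticket keeps a record of every membership the leaver held and which ones are still waiting on a business owner.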
Thanks, Patrick.
We have a similar setup in terms of AAD dynamic groups, but we take it from the account status. If the account is disabled, then we remove it from the groups. Accounts are automatically provisioned from our HRIS system: if it’s active in the HR system, then it’s active in AAD.
We’ve managed to work around this now by using the DirectorySyncEnabled attribute: if this is present, then we send the workflow to the on-prem AD connector and remove from local groups. It actually works really well.
I’m hoping FS will improve the email functionality for us to be able to auto-trigger the offboard based on variables from an email.
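The routing rule in the reply (trigger on the account being disabled, then send synced users to the on-prem connector and cloud-only users to Graph) can be expressed as a small dispatcher. This is an added example and not the reply author's workflow; in Graph the attribute the reply calls DirectorySyncEnabled is exposed as `onPremisesSyncEnabled`. The user principal name and the list of cloud group IDs are placeholders, and the on-prem function assumes it runs where the RSAT ActiveDirectory module is installed.

```powershell
#Requires -Modules Microsoft.Graph.Users, Microsoft.Graph.Groups
# Added example: route offboarding group removals by account status and sync origin.
# Not the poster's code; identifiers are placeholders.

function Get-OffboardRoute {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)
    $u = Get-MgUser -UserId $UserPrincipalName -Property 'id,userPrincipalName,accountEnabled,onPremisesSyncEnabled,onPremisesSamAccountName'

    if ($u.AccountEnabled) {
        # HRIS still says active, so the disable-driven workflow must not fire.
        return [pscustomobject]@{ User = $u.UserPrincipalName; Route = 'Skip'; Reason = 'account still enabled' }
    }
    if ($u.OnPremisesSyncEnabled) {
        # Synced objects are read-only in the cloud; the removal has to happen in local AD.
        return [pscustomobject]@{ User = $u.UserPrincipalName; Route = 'OnPrem'; SamAccountName = $u.OnPremisesSamAccountName }
    }
    return [pscustomobject]@{ User = $u.UserPrincipalName; Route = 'Cloud'; ObjectId = $u.Id }
}

function Invoke-OnPremGroupRemoval {
    # Executed by the on-prem connector/agent. Domain Users is the primary group and
    # cannot be removed, so it is excluded up front.
    param([Parameter(Mandatory)] [string] $SamAccountName, [string[]] $KeepGroups = @('Domain Users'))
    Import-Module ActiveDirectory
    $groups = Get-ADPrincipalGroupMembership -Identity $SamAccountName | Where-Object { $_.Name -notin $KeepGroups }
    foreach ($g in $groups) {
        Remove-ADGroupMember -Identity $g -Members $SamAccountName -Confirm:$false
    }
    return $groups.Name
}

function Invoke-CloudGroupRemoval {
    # Cloud-only user: remove from the assigned groups the onboarding workflow manages.
    # Dynamic groups are left alone because they recalculate from the disabled state.
    param([Parameter(Mandatory)] [string] $ObjectId, [Parameter(Mandatory)] [string[]] $CloudGroupIds)
    foreach ($gid in $CloudGroupIds) {
        Remove-MgGroupMemberByRef -GroupId $gid -DirectoryObjectId $ObjectId -ErrorAction SilentlyContinue
    }
    return $CloudGroupIds
}

# Dispatcher: placeholders for the leaver and for the assigned cloud groups to clear.
$ManagedCloudGroups = @('00000000-0000-0000-0000-000000000001', '00000000-0000-0000-0000-000000000003')
Connect-MgGraph -Scopes 'User.Read.All','GroupMember.ReadWrite.All' | Out-Null
$route = Get-OffboardRoute -UserPrincipalName 'leaver@example.com'
switch ($route.Route) {
    'OnPrem' { Invoke-OnPremGroupRemoval -SamAccountName $route.SamAccountName }
    'Cloud'  { Invoke-CloudGroupRemoval -ObjectId $route.ObjectId -CloudGroupIds $ManagedCloudGroups }
    default  { Write-Warning "Skipping $($route.User): $($route.Reason)" }
}
```

The `accountEnabled` check is the safety interlock the reply relies on: because HRIS drives the enabled flag, a workflow that only ever runs for disabled accounts cannot strip groups from someone HR still considers active, even if it is triggered by mistake.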