Solved

Azure/intune groups not removed during offboarding workflow.

  • 22 February 2022
  • 3 replies
  • 156 views

Userlevel 2
Badge +1

We’ve got an offboarding workflow with the Azure AD and Gsuite Orch apps. The workflow, among other things, is supposed to remove the user from groups in Azure, but it doesn’t work. When onboarding a user the user is added to the groups, but not removed during offboarding. Are there different permissions needed in Azure for adding users to groups and removing them?

What we use is the App Action: “Get Group Membership Of User By Username” followed by “Remove User from Groups by User ID”.

Best answer by zachary.king 24 February 2022, 16:11

3 replies

Userlevel 7
Badge +16

Hello @Matt H, have you tried using the “Test Webhook” function inside the action block with a current user ID that you know is in a group instead of using placeholders, simply to test and see if it functions with data you know to be accurate? If so, did you get an error response from Azure? That error might help troubleshoot where the failure is happening (either with the freshservice integration or on Azure’s side). Just a thought, hope it helps.

Userlevel 2
Badge +1

Seems to be some permissions or privileges missing:

“Insufficient privileges to complete the operation.”

Userlevel 7
Badge +16

Hello @Matt H, I tested this from my instance and did not experience any issues with obtaining the user’s group IDs and removing them from that group. My guess is, with the error you are seeing, that you may need to adjust the configuration you are using for the Azure AD Orchestration application. Perhaps the clientID or key that you have entered is not allocated the read/write permissions that you need for these operations. Checking the permissions that have been granted for this application in Azure should get you in the right direction.
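One quick way to do the check the answer suggests, without going through the portal, is to look at the access token the orchestration app actually obtains: a Microsoft Graph token issued to an app registration carries the granted application permissions in its `roles` claim, and “Insufficient privileges to complete the operation.” is the message Graph returns when none of those roles covers the call. Removing a group member needs a write-class permission (GroupMember.ReadWrite.All, Group.ReadWrite.All or Directory.ReadWrite.All), while listing a user’s groups is satisfied by read-only ones, so a token can be good enough for the “Get Group Membership” step and still fail the “Remove” step. The following is an added example, not code from the thread or from the Freshservice Orch app; the token it inspects is constructed inline, and it assumes the app talks to Graph the way the permission names above imply.

```python
import base64
import json

# Microsoft Graph application permissions that allow removing a member from a group
# (DELETE /groups/{group-id}/members/{user-id}/$ref). Any one of them is sufficient.
GROUP_WRITE_ROLES = {
    "GroupMember.ReadWrite.All",
    "Group.ReadWrite.All",
    "Directory.ReadWrite.All",
}

# Read-only permissions: enough to list a user's groups, never enough to change them.
GROUP_READ_ROLES = {
    "GroupMember.Read.All",
    "Group.Read.All",
    "Directory.Read.All",
}


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def granted_app_roles(access_token: str) -> set[str]:
    """Return the application permissions (the 'roles' claim) carried by a Graph token.

    This only decodes the payload for diagnosis. It does NOT verify the signature,
    so use it to see what Azure granted, never to decide whether to trust the token.
    """
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    return set(claims.get("roles", []))


def diagnose_group_removal(roles: set[str]) -> str:
    """Explain whether a token with these roles can remove a user from a group."""
    if roles & GROUP_WRITE_ROLES:
        return "ok: token carries a group write permission"
    if roles & GROUP_READ_ROLES:
        return ("read-only: memberships can be listed but not changed; "
                "grant GroupMember.ReadWrite.All (or Group.ReadWrite.All) "
                "to the app registration and grant admin consent again")
    return "no group permissions granted at all"


def make_sample_token(roles: list[str]) -> str:
    """Build a constructed, unsigned token shaped like a Graph client-credentials token.

    Used here only so the example runs offline; a real token comes from the
    orchestration app's client ID and secret.
    """
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

    header = {"alg": "none", "typ": "JWT"}
    payload = {"aud": "https://graph.microsoft.com", "roles": roles}
    return f"{enc(header)}.{enc(payload)}.constructed-signature"


if __name__ == "__main__":
    # Constructed token that mirrors the symptom in the thread: reading works, removing fails.
    token = make_sample_token(["User.Read.All", "GroupMember.Read.All"])
    print(sorted(granted_app_roles(token)))
    print(diagnose_group_removal(granted_app_roles(token)))
```

If the token already carries a write role and the removal still fails, the problem is not the permission grant, and the next thing to compare is the tenant and app registration the orchestration app is configured with against the one where the groups live.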
