Unlicensed Microsoft 365 accounts provisioned by RM Unify remain in their role specific security group
Published Date : 20 Apr 2018
Last Updated : 16 Apr 2024
Content Ref: TEC6097040
Operating System
(none)
Part No
(none)
Summary
Details the expected behaviour in Microsoft 365 when a federated RM Unify account is deleted.
Symptoms
You have federated Microsoft® 365™ to RM Unify. Your RM Unify users are put into Microsoft 365 security groups based on their RM Unify role, e.g. Students, Teaching Staff etc.
When an RM Unify account is first deleted, we first remove the Microsoft 365 licence assigned to that user. The user's Microsoft 365 account remains and therefore the account also remains as a member of the relevant Microsoft 365 security group.
If an RM Unify account remains deleted for nine months or longer, we send a housekeeping task to Microsoft 365 to delete the user account. At this point, the account will be removed from all Microsoft 365 security groups it was a member of. Further details of our data retention policy can be found here.
Cause
Deleting an unlicensed Microsoft 365 account will remove it from any Microsoft 365 groups it is a member of. RM Unify-federated Microsoft 365 accounts are automatically deleted if the RM Unify account remains deleted for nine months or longer. The deletion of unlicensed RM Unify-federated Microsoft 365 accounts prior to this nine months period is the responsibility of the Microsoft 365 administrator.
Requirements
If you intend to use the Windows® PowerShell® commands in this article, here are the requirements:
Your tenancy domain name (which usually ends in .onmicrosoft.com). This is the site you originally created in Microsoft 365, before adding your school domain and can be found under the Domains section in your 'Microsoft 365 admin center'.
From the Groups menu (left-hand side), select Groups.
From the View drop-down menu, select 'Security group'.
In the Members section of the next window, click Edit and click the X icon for each user you wish to remove from the group.
When you have finished, click Save and then Close.
Use PowerShell to remove numbers of unlicensed users from a Microsoft 365 security group
When RM Unify provisions users into Microsoft 365, it will populate the 'Job title' field with the RM Unify role appropriate to that user. RM Unify also provisions security groups for each RM Unify role, populating the Description field of that group. Note: The following example PowerShell script will remove all unlicensed users from the specified group. The script uses the user's 'Job title' field and the group's Description field in Microsoft 365. If these have been altered from the RM Unify supported defaults, then you will need to adjust the script accordingly.
Open PowerShell, type Connect-MsolService and connect to your tenancy using your Microsoft 365 global administrator account.
Find the Microsoft 365 security group that you wish to clear of unlicensed users. Make a note of its Description. In the following example, we will remove unlicensed Student users from the Students (1234567) security group in the SchoolA.com domain.
foreach($member in $members){ Remove-MsolGroupMember -GroupObjectId $securityGroup.ObjectId -GroupMemberType User -Groupmemberobjectid $member.ObjectId }
Repeat steps 2 and 3 for any additional users and groups.
The script will display errors for any users that were not members of the chosen security group. This is expected: "Remove-MsolGroupMember : The member you are trying to delete is not in this group".
If this article has not helped provide a solution then it is also possible to
log a call...
Document Keywords: o365, delete user, remove user o365, TEC6097040, m365