RM Logo
Technical Rating: 
Support Home PageSupport
Print This PagePrint This Page
Add to 'My Library' Add to 'My Library'

RM Unify and data retention - how we manage users deleted from RM Unify
Published Date : 06 Oct 2017   Last Updated : 28 Nov 2019   Content Ref: TEC5900881  


Under principal 5 of the Data Protection Act, schools need to ensure that cloud service providers retain personal data no longer than is necessary for the purpose they obtained it and this obligation continues to be important under GDPR.

One of the key benefits of RM Unify automating your user management is that it helps you keep cloud services in sync as users leave your institution. This ensures that cloud service providers know that they can now clear up the data of staff and students that have left. 

This article provides further information on how we manage deleted users in RM Unify and connected third party apps.


 When a user is deleted from your RM Unify establishment, we do the following:

  • In RM Unify - delete the user so that no further user updates occur.
  • In Microsoft® Office 365 - unlicense the user.
  • In G Suite - suspend the user.
  • Tell all third party apps with auto-provisioning that the user has been deleted.

If an RM Unify user remains deleted for nine months or longer, we will run a housekeeping task. This will:

  • In RM Unify - remove all data that RM Unify holds pertaining to the user.
  • In Office 365 - delete accounts that were linked to the RM Unify user, including user accounts with a shared mailbox. Once deleted, the standard Office 365 deleted user settings apply to the account, i.e. the account is permanently removed from Office 365 after 30 days.
  • In G Suite - delete accounts that were linked to the RM Unify user. Once deleted, the standard G Suite deleted user settings apply to the account, i.e. the account is permanently removed from G Suite after 20 days. Google may change the restoration period of a deleted user and their data. Please check current settings here

We believe that nine months is long enough to ensure that the person is not returning to your institution and gives you sufficient time to recover any Office 365 or G Suite files that you need. You can, however, choose to prevent a particular Office 365 and G Suite account from being deleted by the housekeeping task. For more information, see the relevant sections below.

Note: Third party apps are responsible for their own data retention policies and conformance with GPDR. For more information, please contact the cloud app vendor.


How to prevent an Office 365 account from being deleted by the housekeeping task

Excluding an Office 365 account from deletion is a two-step process. This process must be followed, irrespective of whether the account(s) are assigned any type of additional licence intended to archive or retain the Office 365 account:

  1. Move the account to your onmicrosoft.com domain, using the steps for appropriate to the type of mailbox the user account has.
  2. Remove the ImmutableID from the account.

Both the steps must be completed to prevent deletion. To complete the steps, you will need the following:

 To move the account (with a regular mailbox) to the onmicrosoft.com domain

  1. Sign into the 'Office 365 admin centre' as a global administrator user.
  2. Click Users.
  3. Select the user account to be excluded.
  4. In Aliases, type an alias prefixed with Archive or something similar and select your onmicrosoft.com domain, e.g. SchoolA.onmicrosoft.com.
  5. Click Add. You will now have a new alias, e.g. Archive-JSmith@SchoolA.onmicrosoft.com.
  6. Next to the new alias, click 'Set as primary'. A window will appear to warn about changing the user's sign-in information.
  7. Click Save and Close.

The user's old account name will be retained as an alias. This will prevent the old email address being used to create a new account for any future user. To release the email address to be used in the future, select the user again and select to delete the alias email address. 

To move the account (with a shared mailbox) to the onmicrosoft.com domain

  1. Sign into the 'Office 365 admin centre' as a global administrator user.
  2. Click Users.
  3. Select the user account to be excluded.
  4. Click Manage username and select your onmicrosoft.com domain eg. SchoolA.onmicrosoft.com.
  5. Click Save changes.
  6. From Admin Centers, click Exchange.
  7. Under recipients, click shared and select the shared mailbox.
  8. Click the email address and highlight the lower case smtp entry with the email address of the federated domain, e.g. SchoolA.domain.com.
  9. Click Edit and tick 'Make this the reply address'.
  10. Click OK, Save.
  11. You have now moved the shared mailbox to the onmicrosoft.com domain but retained its existing email reply address.

 To remove the ImmutableID from the account

  1. On a computer with an Internet connection, open PowerShell.
  2. Type Import-Module msonline and press Enter.
  3. Next, type Connect-MsolService and press Enter.
  4. Enter your Office 365 credentials when prompted.
  5. Type Set-MSOLUser -UserPrincipalName <Archive-JSmith@SchoolA.onmicrosoft.com> -ImmutableID "$null", where Archive-JSmith@SchoolA.onmicrosoft.com is the email address you set as primary in step 5 above.

If you want the user with a regular mailbox to be able to sign into Office 365, then reset their password in Office 365 and ask them to sign in directly via portal.office.com, using their new username and password.

How to prevent a G Suite user from being deleted by the housekeeping task

  1. Sign into G Suite as a user with the super admin role.
  2. From admin console, click Users.
  3. Select the user to rename.
  4. Click the three ellipses on the top right-hand corner of the user's details page.
  5. Click Rename.
  6. In primary email address, prefix the name with Archive or similar, e.g. Archive-JSmith@SchoolA.com.
  7. Click Rename User.

More Information

Free licences for Office 365 are provided to eligible (verified) educational establishments in the UK by Microsoft. To be eligible, students need to be matriculated (enrolled) at the establishment and staff must be employed at the establishment. Once a user leaves the educational establishment, they may no longer be eligible for those free licences.

Please contact Google directly with any questions about your establishment's eligibility for free educational licences. For more info: https://support.google.com/a/answer/134628.

Other Useful Articles

RM Unify and GDPR (TEC6229201)

Did the information in this article help answer your question?
Please add any comments about this article in the box below. If you answered No then it is important you tell us why so that we can change the article if required. We can only respond if you log in to the RM Support website or provide your contact details. Note: If you need help with a technical query, please log a call online or telephone our support team.
Thank you for your feedback, which is sent directly to the RM Knowledge team. We address every message received with the intention of improving our Knowledge Library articles. If you have an unresolved technical issue, please contact RM Support.

If this article has not helped provide a solution then it is also possible to log a call...

Document Keywords: gdpr, dpa, unlicensed,

Please read - important disclaimer information.
http://www.rm.com/_RMVirtual/Includes/csredirect.asp?cref=&title=Standard Content Disclaimer

Top Of PageTop of page