
RM Unify and data retention - how we manage users deleted from RM Unify
Published Date : 06 Oct 2017   Last Updated : 11 Sep 2024   Content Ref: TEC5900881  

Symptoms

Under principle 5 of the Data Protection Act, schools need to ensure that cloud service providers retain personal data no longer than is necessary for the purpose for which it was obtained; this obligation continues to apply under GDPR.

One of the key benefits of RM Unify automating your user management is that it helps you keep cloud services in sync as users leave your institution. This ensures that cloud service providers know that they can now clear up the data of staff and students who have left.

This article provides further information on how we manage deleted users in RM Unify and connected third-party apps.

Cause

When a user is deleted from your RM Unify establishment, the following will happen:

  • In RM Unify - delete the user so that no further user updates occur.
  • In Microsoft® 365 (M365) - unlicense the user (unless you have chosen to opt-out of RM Unify-controlled M365 licensing).
  • In Google Workspace - suspend the user.
  • Tell all third-party apps with auto-provisioning that the user has been deleted.

If an RM Unify user remains deleted for nine months or longer, we will run an automatic housekeeping task which will:

  • In RM Unify - remove all data that RM Unify holds pertaining to the user.
  • In Microsoft 365 - delete accounts that were linked to the RM Unify user, including user accounts converted to have a shared mailbox. Once deleted, the standard M365 deleted user settings apply to the account, i.e. the account is permanently removed from M365 after 30 days.
  • In Google Workspace - delete accounts that were linked to the RM Unify user. Once deleted, the standard Google Workspace deleted user settings apply to the account, i.e. the account is permanently removed from Google Workspace after 20 days. Google may change the restoration period for a deleted user and their data, so check Google's current documentation for the present value.

We believe that nine months is long enough to ensure that the person is not returning to your institution, and that it gives you sufficient time to recover any Microsoft 365 or Google Workspace files that you need. You can, however, choose to prevent a particular Microsoft 365 or Google Workspace account from being deleted by the housekeeping task. For more information, see the relevant sections below.

Note: Third-party apps are responsible for their own data retention policies and conformance with GDPR. For more information, please contact the cloud app vendor.

Procedure

How to prevent a Microsoft 365 account from being deleted by the housekeeping task

Excluding a Microsoft 365 account from deletion is a two-step process. This process must be followed irrespective of whether the account is assigned any type of additional licence intended to archive or retain the Microsoft 365 account:

  1. Move the account to your onmicrosoft.com domain, using the steps appropriate to the type of mailbox the user account has.
  2. Remove the ImmutableID from the account.

Both steps must be completed to prevent deletion. The steps for each are as follows:

To move the account (with a regular mailbox) to the onmicrosoft.com domain

  1. Sign into the 'Microsoft 365 admin centre' as a global administrator user.
  2. Click Users.
  3. Select the user account to be excluded.
  4. In Aliases, type an alias prefixed with Archive or something similar and select your onmicrosoft.com domain, e.g. SchoolA.onmicrosoft.com.
  5. Click Add. You will now have a new alias, e.g. Archive-JSmith@SchoolA.onmicrosoft.com.
  6. Next to the new alias, click 'Set as primary'. A window will appear to warn about changing the user's sign-in information.
  7. Click Save and Close.

The user's old account name will be retained as an alias. This prevents the old email address from being used to create a new account for any future user. To release the email address for future use, select the user again and delete the alias email address.

To move the account (with a shared mailbox) to the onmicrosoft.com domain

  1. Sign into the 'Microsoft 365 admin centre' as a global administrator user.
  2. Click Users.
  3. Select the user account to be excluded.
  4. Click Manage username and select your onmicrosoft.com domain, e.g. SchoolA.onmicrosoft.com.
  5. Click Save changes.
  6. From Admin Centers, click Exchange.
  7. Under recipients, click shared and select the shared mailbox.
  8. Click the email address and highlight the lower case smtp entry with the email address of the federated domain, e.g. SchoolA.domain.com.
  9. Click Edit and tick 'Make this the reply address'.
  10. Click OK, Save.
  11. You have now moved the shared mailbox to the onmicrosoft.com domain but retained its existing email reply address.

To remove the ImmutableID from the account

  1. On a computer with an Internet connection, open PowerShell.
  2. Type Import-Module msonline and press Enter.
  3. Next, type Connect-MsolService and press Enter.
  4. Enter your Microsoft 365 credentials when prompted.
  5. Type Set-MSOLUser -UserPrincipalName <Archive-JSmith@SchoolA.onmicrosoft.com> -ImmutableID "$null", where Archive-JSmith@SchoolA.onmicrosoft.com is the email address you set as primary in step 5 above.
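The two steps above as one script, added here as an example and not an RM-supplied tool: it refuses to clear the ImmutableID until the primary address is on the onmicrosoft.com domain (step 1 of the exclusion process), then clears it and reads the account back to confirm. It assumes the MSOnline module is installed and that $Upn is the primary address you set earlier; the address in the comment is a placeholder.

```powershell
# Added example (not RM's own script): exclude a Microsoft 365 account from the
# RM Unify housekeeping deletion by clearing its ImmutableId, with checks.
# Assumes the MSOnline module is installed and the caller is a global administrator.
param(
    [Parameter(Mandatory = $true)]
    [string]$Upn   # placeholder, e.g. Archive-JSmith@SchoolA.onmicrosoft.com
)

Import-Module MSOnline
Connect-MsolService   # prompts for Microsoft 365 global administrator credentials

# Step 1 check: the exclusion only works once the account has been moved to the
# onmicrosoft.com domain. Stop if the primary address is still on the federated domain.
if ($Upn -notmatch '\.onmicrosoft\.com$') {
    throw "Move the account to your onmicrosoft.com domain first. Current UPN: $Upn"
}

$before = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop
Write-Host "Before: ImmutableId = '$($before.ImmutableId)'"

if ([string]::IsNullOrEmpty($before.ImmutableId)) {
    Write-Host "ImmutableId is already clear for $Upn; nothing to do."
    return
}

# Step 2: clear the ImmutableId. The quoted "$null" expands to an empty string,
# exactly as in the manual step above.
Set-MsolUser -UserPrincipalName $Upn -ImmutableId "$null"

# Verify: read the account back and confirm the link to the RM Unify-managed object is gone.
$after = Get-MsolUser -UserPrincipalName $Upn
if ([string]::IsNullOrEmpty($after.ImmutableId)) {
    Write-Host "After: ImmutableId cleared for $Upn"
} else {
    Write-Warning "ImmutableId is still set ('$($after.ImmutableId)') for $Upn; re-check the account."
}
```

Run the script once per account to be retained; the pre-check and the read-back are what make the two-step requirement above enforceable rather than a matter of remembering both steps.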

If you want the user with a regular mailbox to be able to sign into Microsoft 365, then reset their password in Microsoft 365 and ask them to sign in directly via portal.office.com, using their new username and password.


How to prevent a Google Workspace user from being deleted by the housekeeping task

There are two options, depending on whether you want to keep or rename the Google Workspace account's email address:

Option 1: Keep the current Google Workspace email address

  1. Sign into RM Unify as a super admin.
  2. Click Management Console, Users.
  3. In the View filter, select 'Deleted users'.
  4. Click OK.
  5. Select the user and from the Actions menu, select 'Hard delete user'.
  6. Wait a few minutes to allow the RM Unify hard delete request to complete and the user to no longer show in the 'Deleted users' view.
  7. Sign into Google Workspace as a user with the super admin role.
  8. From the admin console, click Users.
  9. Click 'Add a filter' and select 'Recently deleted'.
  10. Find the user and click Recover.
  11. Select the organisational unit you want to recover the user to and click Recover.

Option 2: Rename the Google Workspace email address

  1. Sign into Google Workspace as a user with the super admin role.
  2. From the admin console, click Users.
  3. Select the user to rename.
  4. Click the ellipsis (three dots) in the top right-hand corner of the user's details page.
  5. Click Rename.
  6. In primary email address, prefix the name with Archive or similar, e.g. Archive-JSmith@SchoolA.com.
  7. Click Rename User.


Possible Issues

Why are the hard deletes of users not recorded in User Audit?
The hard delete of a user and their data should be absolute and we should hold no further record of the user if there is no justifiable reason to. For this reason, we do not log the RM Unify username of a hard-deleted account in the User Audit section of the RM Unify Management Console.


More Information

Free licences for Microsoft 365 are provided to eligible (verified) educational establishments in the UK by Microsoft. To be eligible, students need to be matriculated (enrolled) at the establishment and staff must be employed at the establishment. Once a user leaves the educational establishment, they may no longer be eligible for those free licences.

Please contact Google directly with any questions about your establishment's eligibility for free educational licences. For more info, please visit https://support.google.com/a/answer/134628.

Other Useful Articles

RM Unify and GDPR (TEC6229201)
"Sorry but an unexpected error occurred" error message in the 'Deleted users' view of the RM Unify Management Console (TEC9337182)
