3 thoughts on "Offboard users with Azure AD Lifecycle Workflows: All you need to know!"

  1. Nathan Hutchinson says:

    Hi Pim, thanks for a great, beautifully written article. I have a few questions, though, if you don’t mind?

    Firstly, you mention the use of a service account ‘with permissions’ – I assume you mean a local AD account but what are the minimum permissions required for this to work?

    Secondly, it looks like ‘run as account’ is being deprecated in favour of managed identities, would you be willing to update your article to use those instead?

    Thanks again for a great write up!



    1. Pim Jacobs says:

      Hi Nathan,

      The answer to the first question is indeed a local AD account; the minimum permissions for that account for the offboard flow are at least modify and delete permissions. For both the onboarding and offboarding flows I’ve delegated control on OU level with the following tasks:
      – Create, delete, and manage user accounts (required to change the account settings and delete the account eventually).
      – Reset user passwords and force password change at next logon (required to enable the account).
      – Read all user information (required to read settings from the account).

      The answer to your second question is: I’m already using managed identities, so I’m not using a ‘run as account’. All is based on managed identities, apart from the integration with AD mentioned in your first question, which doesn’t support a managed identity.

      Hope the above answers your questions, happy to answer more if needed.
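As an added example (not part of the article or of either comment above), the script below reads the ACL of the OU the workflow targets and lists exactly what the AD service account has been delegated there, so the result can be compared against the three Delegation Wizard tasks listed in the reply. It assumes the ActiveDirectory PowerShell module is installed and that the caller can read the OU’s security descriptor; the OU distinguished name and the account name are placeholders. The GUIDs for the `user` class and the `Reset Password` extended right are resolved from the schema and configuration partitions rather than hard-coded.

```powershell
# Added example: audit what a service account has been delegated on an OU.
# Not the article's code. Placeholders: $OU and $Account.
Import-Module ActiveDirectory

$OU      = 'OU=Leavers,DC=contoso,DC=local'   # placeholder: OU targeted by the lifecycle workflow
$Account = 'CONTOSO\svc-lifecycle'            # placeholder: the on-premises service account

# Resolve the well-known GUIDs from the directory instead of hard-coding them.
$rootDse = Get-ADRootDSE
$userClassGuid = [guid]::new(
    (Get-ADObject -SearchBase $rootDse.SchemaNamingContext `
                  -LDAPFilter '(lDAPDisplayName=user)' `
                  -Properties schemaIDGUID).schemaIDGUID)
$resetPwdGuid = [guid](
    (Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.ConfigurationNamingContext)" `
                  -LDAPFilter '(displayName=Reset Password)' `
                  -Properties rightsGuid).rightsGuid)

# Pull the OU's DACL and keep only the ACEs that name the service account.
$acl   = Get-Acl -Path "AD:\$OU"
$rules = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $Account }

# Map each ACE to the wizard task it most likely came from (approximate labels).
function Get-AceLabel {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    $rights = $Ace.ActiveDirectoryRights
    if ($Ace.ObjectType -eq $resetPwdGuid) { return 'Reset user passwords (task 2)' }
    if ($Ace.ObjectType -eq $userClassGuid -and
        ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::CreateChild) -or
         $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::DeleteChild))) {
        return 'Create/delete user accounts (task 1)'
    }
    if ($Ace.InheritedObjectType -eq $userClassGuid) {
        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericAll)) {
            return 'Manage user accounts - full control on user objects (task 1)'
        }
        if ($rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::GenericRead) -or
            $rights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)) {
            return 'Read all user information (task 3)'
        }
    }
    return 'UNEXPECTED - review'
}

$report = foreach ($r in $rules) {
    [pscustomobject]@{
        Type      = $r.AccessControlType
        Rights    = $r.ActiveDirectoryRights
        ObjectType = $r.ObjectType            # attribute / extended-right GUID, or all zeros for "all"
        AppliesTo = $r.InheritedObjectType    # object-class GUID the ACE is scoped to, or all zeros
        Inherited = $r.IsInherited
        Label     = Get-AceLabel -Ace $r
    }
}
$report | Format-Table -AutoSize

# Least-privilege check: broad rights that are NOT scoped to user objects would let the
# account touch the OU itself (or other object types), which the offboarding flow never needs.
$broadFlags = @(
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
)
$overBroad = $rules | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.InheritedObjectType -ne $userClassGuid -and
    ($broadFlags | Where-Object { $_ -ne $null -and $args.Count -eq 0 } | Out-Null; $true) -and
    (($broadFlags | Where-Object { $PSItem; $true }) -ne $null)
}
# The two lines above only exist to keep the pipeline readable; the real test is below.
$overBroad = $rules | Where-Object {
    $ace = $_
    $ace.AccessControlType -eq 'Allow' -and
    $ace.InheritedObjectType -ne $userClassGuid -and
    ($broadFlags | Where-Object { $ace.ActiveDirectoryRights.HasFlag($_) }).Count -gt 0
}

if ($overBroad) {
    Write-Warning "Service account holds broad rights not scoped to user objects on $OU :"
    $overBroad | Format-Table IdentityReference, ActiveDirectoryRights, InheritedObjectType -AutoSize
} else {
    Write-Host "No over-broad rights found for $Account on $OU."
}
```

Run it from an account that can read the OU’s security descriptor. Every row labelled "UNEXPECTED - review" and every entry in the warning block is an ACE that the three wizard tasks do not explain and that the offboarding flow does not need; those are the candidates to remove when tightening the delegation.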

