User Termination and Offboarding | centrexIT Knowledge Center

Adstra / Belardi Wong User Termination and Offboarding

KB00003667
Cory Walton Work Instruction 1 min
Published v1

Please use this WI to offboard an Adstra employee. This process is initiated once HR or Management submits an M365 Termination Form. Details on the automated process below:

  • M365 Form Management

  • HR and Adstra Management can submit offboarding requests by using this form: User Termination Form

  • Located under HR and IT TAR M365 Team > Forms > User Termination Notification

  • IMPORTANT: Internal use only. DO NOT share with HR or Adstra Management! If the form needs to be updated or troubleshooting is required, the editable form can be reached here: Editable User Termination Form

  • M365 Power Automate Flow Management

  • Uses the centrexit.ops@adstradata.com account for connection flows (1Password > Websites > M365 CentrexIT Ops Account)

  • Termination Flow location: Adstra M365 (centrexit.ops) > Power Automate > My Flows > Shared with me > Termination Notification Flow


  • Service Delivery

  • Customer Satisfaction


  • Service Delivery

  • vITM


  • IMPORTANT: Adstra Stage One: Steps 1-13

  • IMPORTANT: Adstra Stage Two: Steps 14 - End



  • 1Password > Domain\Service Accounts > Terminated Employee’s AD Password

  1. Connect to CL-DC01 or ADSTRA-DC2 via ScreenConnect / NCentral.

  2. Start with Active Directory (AD): locate the terminated user by right-clicking the domain and selecting Find.



  1. Search for the user, then right-click their name and select Reset Password. Reset the password using the “Terminated Employee’s AD Password” from 1Password > Domain\Service Accounts.


  1. Once reset, double-click the user’s name, then go to the Account tab. Under Account options, check the “Account is Disabled” selection. Hit Apply, followed by OK to close out of the user’s AD profile.


  1. Run ADSync via PowerShell as administrator. Follow KB00003642 to run from Adstra DC.
  • To run the ADSync through the “ADVM-AAD” VM via ScreenConnect / NCentral:

  • Open PowerShell as an Admin

  • Run the following commands:

  • Import-Module ADSync

  • Start-ADSyncSyncCycle -PolicyType Delta

  • NOTE: If you get an error that a sync is already running, wait 10-15 minutes

  1. Log onto Portal.office.com with the M365 Global Admin (GA) Account provided in 1Password (Review Requirements Section)
  2. Then navigate to the Admin console.
  3. Navigate to Users > Active Users then search for the terminated user.


  1. From the user’s profile, reset the password using the Terminated Employee’s AD Password in 1Password (reference Requirements Section) and select Block sign-in (if the sync hasn’t already set it to blocked).


  1. Under the Mail tab, ensure any requested automatic replies, forwards, and delegations have been granted on this terminated user’s mailbox based on the User Offboarding Request.

  2. IMPORTANT: Verify terminated user does not have a Belardi Wong Active Directory & M365 Account (reference KB00003626)

  3. Schedule time to perform Stage Two below

  4. STAGE TWO START: Connect to CL-DC01 or ADSTRA-DC2 via ScreenConnect / NCentral.

  5. Open Active Directory (AD) and locate your user in their respective OU (alc.com > location > users).

  6. Under the Account tab, verify the user’s account is still checked as “Account is disabled.”

  7. Go to the Organization tab, then under the Manager field, hit Clear, then Apply to save.



  1. Next, go to the Member Of tab, select all security groups and hit Remove (Remember to record each group within the offboarding ticket). Hit Apply once complete. Example below:


  1. Next, go to the Attribute Editor tab, start with searching for mailNickname and verifying it is updated to the username of the terminated account. If not, update to username.


  1. Next, search for msExchHideFromAddressLists then set the value to True. Hit OK, Apply, then OK again to close out of the user’s AD Profile.


  1. Right-click the Name of your Terminated User, then select Move.


  1. Relocate the User’s profile to the applicable OU
  • Adstra:

  • alc.com > Disabled ALC Users

  • Belardi Wong

  • alc.com > Disabled Belardi Wong Users

  1. Hit OK once complete.


  1. Run ADSync via PowerShell as administrator. Follow KB00003642 to run from Adstra DC.
  • To run the ADSync through the “ADVM-AAD” VM via ScreenConnect / NCentral:

  • Open PowerShell as an Admin

  • Run the following commands:

  • Import-Module ADSync

  • Start-ADSyncSyncCycle -PolicyType Delta

  • NOTE: If you get an error that a sync is already running, wait 10-15 minutes
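
Added example (not part of the original work instruction): a read-only PowerShell check that the Stage Two Active Directory changes above were applied to the user, useful as evidence in the offboarding ticket. It assumes the ActiveDirectory module is available, that "username" means sAMAccountName, and that the OU path is the DN form of alc.com > Disabled ALC Users; the function name and sample username are hypothetical.

```powershell
# Added example: read-only audit of the Stage Two AD changes for one user.
# Assumption: run on a DC or admin host that has the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-OffboardedAdUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Assumption: DN form of "alc.com > Disabled ALC Users".
        # For Belardi Wong pass 'OU=Disabled Belardi Wong Users,DC=alc,DC=com'.
        [string] $DisabledOu = 'OU=Disabled ALC Users,DC=alc,DC=com'
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties `
        Manager, MemberOf, mailNickname, msExchHideFromAddressLists

    # MemberOf never lists the primary group (normally Domain Users),
    # so after the Member Of tab is cleared it should be empty.
    $checks = [ordered]@{
        'Account is disabled'               = -not $user.Enabled
        'Manager cleared'                   = [string]::IsNullOrEmpty($user.Manager)
        'No remaining group memberships'    = @($user.MemberOf).Count -eq 0
        # Assumption: "username" in the step above is the sAMAccountName.
        'mailNickname equals username'      = $user.mailNickname -eq $user.SamAccountName
        'msExchHideFromAddressLists = True' = $user.msExchHideFromAddressLists -eq $true
        'Located in disabled-users OU'      = $user.DistinguishedName -like "*,$DisabledOu"
    }

    # One row per check so failures are easy to paste into the ticket.
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{
            User   = $user.SamAccountName
            Check  = $name
            Passed = [bool]$checks[$name]
        }
    }
}

# Usage (hypothetical username):
# Test-OffboardedAdUser -SamAccountName 'jdoe' | Format-Table -AutoSize
```

Any row with Passed = False points back to the matching AD step; the script changes nothing in the directory.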

  1. Log onto Portal.office.com with the M365 Global Admin (GA) Account provided in 1Password (Review Requirements Section)
  2. On the left-hand side of the page, navigate to the Azure Portal.


  1. From the Azure portal, go to the Users tab on the left-hand side, then search and select the terminated User.


  1. From the User’s page, select Authentication Methods on the left-hand side. Verify all contact information is removed and recorded in the offboarding ticket.


  1. Select the 3 dots at the top, then select Revoke MFA Sessions. Hit Save once complete.


  1. Navigate to the Groups tab on the left-hand side. Then check all groups (record them all in the ticket) and Remove Memberships. Close out of the Azure portal once complete.


  1. Once back to the Admin page, select Exchange on the left-hand side.
  2. Under Recipients > Mailboxes search for the terminated user. Select the user, hit the 3 dots close to the search bar, and then hit Convert to shared mailbox. Confirm conversion.


  1. Refresh the page and relocate the user. Under the General tab, verify user is hidden from the GAL. (This is managed within AD, simply verifying 365 updated properly)


  1. Next, confirm mailbox access under the Delegation tab based on the Offboarding Request/Ticket.


  1. Under the Mailbox tab, or the Email Forwarding option, confirm email forwarding based on the offboarding request/ticket. Return to the Admin Portal once completed.


  1. Refresh the Admin Portal, then search for the terminated user through Users > Active Users.
  2. Under the Licenses and apps tab, remove all licenses attached to the user. Make sure to hit Save Changes
  3. IMPORTANT: Client Managed PBA Removals
  • If software removal is provided on the offboarding request, reference KB00002035 to contact the appropriate PBA Owner to recover the requested license.

  1. DUO Account Removal: On a web browser, log into https://admin-e7946d67.duosecurity.com/ (credentials in 1Password; reference Requirements Section).
  2. Select Users on the left-hand side, then search for your terminated user.


  1. Under the Status field, select Disabled, then scroll down and hit Save Changes.




  1. Zoom Account Removal: On a web browser, sign into https://zoom.us/signin (credentials in 1Password; review Requirements section).

  2. Under User Management > Users search for your terminated user. Once found, hit the edit option, and remove their license (if they have one/swap to basic). Hit Save once complete.

  3. Adobe: On a web browser, sign into Admin Console (adobe.com) (credentials in 1Password; review Requirements section).

  4. Go to Users > [Search Name] > [Select Name] > … > Edit > Delete > Save









  1. For the equipment return, start by checking the warranty status of the device via NCentral.


  1. IMPORTANT: Provide Sara Jones (Sara.Jones@adstradata.com) the following information in the ticket. Most of this information can be derived from NCentral (search by username) but you can ask the vITM for assistance as well! Contact number and Personal Email should come in via the termination request.
  • Best Contact Number:

  • Mailing Address:

  • Personal Email Address:

  • Warranty Status:

  • Serial Number:

  • Asset tag:

  • Package value: $100

  • Package weight:

  • Package Dimensions:

  • Contains a battery, e.g. laptop w/ lithium ion battery: Yes

  1. Update the information above in the closing public side of the ticket, and verify Sara Jones is added to the ticket.