Employee offboarding Puns

Looking for some insight into how others work with their HR departments to create a seamless user onboarding/offboarding/change management process. In my opinion, HR is the conduit that all employee information should flow through—they are an ally to IT. With that said, we use a robust HCM platform (UltiPro) that I feel should be capable of handling IT employee request forms, offboarding forms, and change request forms. However, we are not currently utilizing it for these purposes. To that point, we as an IT department do not have access to the HCM to explore options for creating processes surrounding the aforementioned. I would think the platform should be capable of creating some type of workflow when an employee is hired to create tasks (or something along the line) for the hiring manager to complete, one being the new hire IT request form. As well as the opposite, for when an employee is terminated or a name/title changes.

Currently, when an employee is hired, IT is left somewhat in the dark. The hiring manager is not provided with a form for IT to create accounts and assign hardware, applications, etc. They often come to us and we direct them to a form on a file share that needs filled out and sent to HR, which HR then signs off and scans to our helpdesk email.

My question is, do you as an IT employee use your companies HCM to create these processes within? If not, how do you work with your HR department to make sure a seamless process is in place for all onboarding, offboarding and change management?

Edit: If possible, try not to use shorthand or aliases, I'm still new.

I have a report where I can do see old employees consent to application. I have a backlog I need to remove and want to script this into my term script. I need to do this manually/in script for other process reasons. I know I can do this temporarily/slowly through AzureAD gui.

We recently changed our consent requirements to required admin approval, so that will help a lot on the security front.

I found this page: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal

With this code:

# Store the proper parameters
$user = get-azureaduser -ObjectId <objectId>
$spo = Get-AzureADServicePrincipal -ObjectId <objectId>

#Get the ID of role assignment 
$assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $spo.ObjectId | Where {$_.PrincipalDisplayName -eq $user.DisplayName}

#if you run the following, it will show you what is assigned what
$assignments | Select *

#To remove the App role assignment run the following command.
Remove-AzureADServiceAppRoleAssignment -ObjectId $spo.ObjectId -AppRoleAssignmentId $assignments[assignment #].ObjectId

The problem I need to query all apps for which 1(or list) of users consented.

I stopped at line 2, as this looks to reference a specific App, not all apps.

$user = get-azureaduser -ObjectId <objectId>

#requests objectID of a specific app.
$spo = Get-AzureADServicePrincipal -ObjectId <objectId>

The issue is I can't find a way to query which apps the user is a part of. Or if I am unable to break down

I can't find the command, but I know the flow I need: Find all apps -> Search members for X -> Remove X apps 1-99...

I've been looking for about an hour, so I feel like I'm not close on the verbiage or if this is possible.

I have not used graphAPI, so that might be needed.

I am joining a new company soon. During the intro from IT Head, I heard they have no formal HR system in place because its a very old Accounting company and "things" have been working for them for past 40 years and management do not want to spend dollars. About 250 users and 50 + seasonal staff that comes and goes every year.

However, they are on the M365 Business premium plan which include the entire office suite + Intune etc.

I currently have basic knowledge on Office 365 and some of the common apps used such as outlook, word, Sway, excel etc etc.

Are there any apps in Office 365 I can learn and leverage that will give me grounds to build or work towards the following tasks:

1. Employee / Temp staff Onboarding and Offboarding IT processes - Including checklist, laptops, desktops, phones. Making streamlined processes etc so this onboarding and offboarding of task can be handled effectively.
2. HR system, even basic functionalities that can possibly be build if I can leverage few Software developers to help me out.

Thanks in advance for any suggestions!

I'm working in a people analytics function for a mid-sized organization in London, UK. Over the last couple of years, we've had occasional discussions about redesigning our offboarding process. Internally we've discussed this quite often, liked the idea, but failed to make it a priority.

Last week I stumbled on this article from the Harvard Business Review and I realized that a lot of this holds true for our organization as well. In some areas, we could improve (knowing why people leave) in other domains things are already good but could be even better (6% of new hires are already boomerang hires).

I'm currently preparing a proposal for our VP people about redesigning our offboarding process. I found some strategies here, but would really love to hear about your experiences with offboarding. Do you see offboarding as just as important as onboarding?

London, UK

So this should be a throwaway... anyway i was asked by my boss if there was any way to tell if an employee copied all work data onto a seperate drive before returning his laptop to us. the layoff wasn't amicable, and he was working on some sensitive stuff b4 hand apperently, so i was told to see if there was any way we could tell if user copied data onto usb drive before giving computer back.

any help would be appreciated, thank you.

Hey ho,

TL;DR: I'm looking for a tech (python backend) or sales automation/growth cofounder located in western Europe.

Not long ago, I started an HR tech project to help companies implement processes for employee offboarding. The goal is to help companies develop new data-driven capabilities, as well as to simplify and professionalize processes.

I've already built the first version and there's some early interest. On top of that, I found a network of investors who would be willing to support the project. The network is comprised of successful tech entrepreneurs as well as execs from companies such as Google.

Currently, I'm doing everything by myself and I was able to achieve a good amount of progress. But truth be told: I'm getting to the point where everything has become overwhelming and I'm just not able to get the results and outcomes that I want. Sales processes, demos, fundraising, IT compliance, backend- & frontend architectures, HR processes, and content ... it's a lot!

That's where you come in. I'd love to talk to potential cofounders that have a tech background (Django) or a background in sales automation/growth. I would love for you to have some amount of experience in the B2B space as well as the involved processes (especially IT compliance/audits/tenant separation). I'm located in Germany (Berlin) and have made some bad experiences with working in different time zones. But it would be very, very great if you're at least located in one of the target markets (USA, Canada, UK, Ireland, Germany).

I'm looking forward to talking to you!

Hi All

When we offboard terminated employee accounts in 365 we do the usual reset pw, block sign in, convert to shared, remove licensing, etc. which has been the norm, but today I got the question about stopping email delivery to this shared mailbox after a grace period. Usually I'd just leave the shared mailbox...because why not? It's free and a much better archive solution than PST...just set a limit and leave an OOO

But I started looking in to this a little further at the clients request, seems like the best solution would be to change their email (SMTP) address. There are also the options of deleting the mailbox and recovering it to a different account, or mail delivery restrictions but I wanted to see how the rest of you guys handle this. I am open to all advice and suggestions!

I'm new to my company and still learning my way around CUCM. The vendor that integrated the product left very little documentation. They basically cover adding users in, but I'm not sure what the best procedure is for offboarding users. Specifically in the case when they have softphones (Windows and iOS jabber clients).

We're Active-directory integrated. We'd likely need to keep extensions around to forward calls. Would I just delete the soft-phones from Devices? Or would it be better to delete the user object?

Good morning

I am trying to get my tiny skull around the "right" way to handle employee offboarding. I would like to be able to free up the Office 365 license so that I can reassign it, and also have the mailbox go Inactive so that it stops getting backed up by Veeam. The business would like the emails for the offboarded employee to be forwarded to another recipient (generally the employee's manager) for a month, but this can sometimes be extended.

AAD Sync and group based licensing solves the license assignment issue for me. When I remove the AD object, and allow AADSync to do its thing, the license frees up for me to use. Turns out this was the easy part, and I'm struggling with how to deal with forwarding.

I have tried setting forwarding options on an Inactive mailbox, but once a mailbox goes inactive, this is no longer possible. It also seems that inactive mailboxes don't receive mail, even if forwarding was set or not before going inactive, and generate an NDR to the sender.

I experimented with adding a proxyAddress to the manager's mailbox for the offboarded employee. So, if FooBar@example.com leaves, I would delete FooBar's AD object, add FooBar@example.com to FooBarMgr@example.com's list of proxyAddresses. This didn't work as I'd hoped - ADSync complained that the proxyAddress couldn't be added to FooBarMgr's object, since it needs to be unique. O365 is seemingly considering the mail/proxyAddress of FooBar after the object's been deleted (I wonder if this is a problem until the object gets deleted permanently from the recycle bin?).

I think the MS documentation suggests that I convert the mailbox to a shared mailbox, then attach the mailbox to another user's account. Instead, could I convert the mailbox to a shared object, remove the license assignment, set forwarding (I don't know if this is possible on a shared box), then after the period of forwarding has elapsed, delete the AD object? What state does that leave the O365 mailbox in?

How is offboarding handled in your organization? How do you handle mailboxes?

Any direction, insight, suggestions are appreciated...

Thanks!

I work for a smallish sized company and we are trying to determine what to do with terminated employee accounts. Here's what we are looking to do after an employee leaves:

• Provide the users manager access to their mailbox for 30, 60, or 90 days

• Set an out of office reply for 30, 60, or 90 days, directing emails to contact the users replacement

• Provide access to the users OneDrive to the manager for 30, 60, or 90 days.

• After the 30, 60, or 90 day period is up we intend to sever the link to email and OneDrive for the manager and retain the email and OneDrive data for one year after termination.

So far we're thinking of just applying an E1 license to terminated accounts for a year. It seemed to be the easiest solution but would in-place holds/litigation holds be a better option or is there a better way altogether?

What is everyone else doing for terminated employees?

Hey guys, so im an IT admin here at my company. I come posing a question. Currently it seems IT is not only the IT dept but the HR and facilities dept as well. With such a small team it seems near impossible to keep track of the administrative work to keep track of a detailed employee list with their info on top of the day to day.

How do you guys handle your employee onboarding/offboarding process for IT? We have a ticketing system and use that to track the tickets, but then we also use a spreadsheet to track all term employees, as well as all technology they have software/hardware. It just seems like a whole redundant process and I feel like there has to be a better way to perform an IT term/onboarding. How do you guys manage these situations?

We recently discovered we need a better way to onboard and offboard our clients employees rather than just being put in through a ticket. We've created a form with our standard checklist of how they would like us to proceed, but we aren't sure how to distribute it. Ideally our main POC of each company would fill it out and send it to us, be realistically we know they'll forget and end up putting in a ticket. Any ideas on how we can distribute our form so we can get complete and timely information for onboarding/offboarding?

A group chat with some fellows in the field had us wondering..

How manual (or automatic) of a process do you have once you receive a user termination request?

For small orgs, it's probably a simple AD user account disable and making sure they don't steal their desktop, but for larger orgs when the user has apps without SSO, home equipment, multiple departments have to cut them off from certain things, etc,

How do you do it?

Just heard a story of a user that had their phone wiped on their last day at their employer. It was their personal phone but since it had the employers email on it they did a remote wipe on the phone. The user had a Tesla and used their phone as their car key. The users didn't know their Apple password, and of course didn't have any phone numbers memorized of family and friends. So it caused a lot of issues.

This script can be used as part of the offboarding process for an employee. It will do the following:
Latest version 1.1.2

1. Block O365 Sign-In.
2. Disconnect Existing sessions in case employee is signed in at another location.
3. Forward emails or Convert to Shared Mailbox and assign to Manager
4. Set Internal and External Out-Of-Office
5. Cancel all meetings organized by employee
6. Remove from all distribution groups
7. Re-assign O365 Group Ownerships.
8. Remove from all O365 Groups
9. Make Manager admin for OneDrive for Business account
10. Send an email to the Manager when all is completed, with results.

http://www.thecodeasylum.com/office-365-offboarding-users-with-powershell/

The Office 365 Employee Off-Boarding Application is available now on my site, there is an x64 and x86 version so pick your flavor : http://www.thecodeasylum.com/downloads/

Hi All,

This is going to be the first of many HELP ME questions as an IT Manager.

Background story:

The company I work for outsourced the IT department to a third party company and have local IT resources that handle requests by tickets. The local IT resources are not motoviated to follow procedures and really don't care for asset management. I was brought on to oversee the internal side of IT processes and procedures.

There is no asset management in place and we have done an inventory scan physically to compare to our records. We have over 100 computers unaccounted for in a single year They could be stolen/missing/left somewhere in the office.

What do you IT managers do about tracking your equipment when onboarding and offboarding? And do you have any software recommendations as part of your process?

Thanks in advance!

I'm looking for a way to make offboarded employee emails accessible and searchable, by appropriate users within our organization.

Here's where we're at:

• An employee leaves the organization.
• We close down their account, forward any future messages to the appropriate recipient, and download a .MBOX backup of their messages.
• Later on, we realize we need to reference a message in that .MBOX archive.
• ????

What's the easiest way to make an .MBOX archive easily accessible and searchable by designated users within an organization? I know Google Vault can handle some of this functionality, but apart from this specific need, we're quite happy with the Basic Edition of G Suite, and I'd like to avoid doubling our subscription costs just to be able to easily search messages from former employees.

Am I stuck advising users to install something like Thunderbird to import that .MBOX archive, or is there a better, ideally online way to handle this?

I have an employee that does not want to let go of his domain email address even though they no longer work at the school. What should I do, This is starting to sound like an administration issue that I should take up with them any advice.

As we are growing we are starting to run into issues with not having a system in place to find out when an employee leaves or when a computer is retired without our knowledge. Do you have a specific process for this, is it the same process for every client, and what do you ask the client do to in order to inform you of it?

My company just transitioned to a new HRIS system (SuccessFactors) from a very outdated SAP system circa 2006. In this new implementation, a few HR leaders decided that the 45 of us who make up all of HR for the company had too much access to HR records. With this new implementation, they decided that every person in HR would be assigned specific access based on what they do for the company. So for example, in my Talent Management team of 13, each of our HR Business Partners and Labor Relations specialists only have access to the HR records of the departments they support. And to top it off, only one HRBP has access to the records of our fellow HR colleagues. We can't even see each other's mailing addresses or other information that they deem "not a business need". When confronted on why they've structured it this way we have been told that this is "standard practice" and that everyone in HR "probably had too much access" when we were using SAP. The consequences of this are huge. No one can back up anyone else because we don't have the same access and now things get bottlenecked because we have to go to other people to ask for information because we can't look it up ourselves. The vast majority of us feel this is all a trust issue, but leadership claims it's not about trust but cannot be transparent on why they're doing this. I just want to know - is this really a thing? I've never worked for a company where people on the same HR team didn't have the same access, but they're claiming this is "industry standard". Is it?

Bungie's Head of HR Has Stepped Down.

Obviously we don't need to even discuss this, but HR is Human resources, a set of people who make up the workforce of an organization, business sector, industry, or economy. The human-resources department (HR department) of an organization performs human resource management, overseeing various aspects of employment, such as compliance with labor law and employment standards, interviewing, administration of employee benefits, organizing of employee files with the required documents for future reference, and some aspects of recruitment (also known as talent acquisition) and employee offboarding. They serve as the link between an organization's management and its employees. As well all know the term human resources was first coined in the 1960s when the value of labor relations began to garner attention and when notions such as motivation, organizational behavior, and selection assessments began to take shape in all types of work settings.

Obviously this story is very big and Bungo is fucked with this massive change. My dad also said business have a board of directors, which is undoubtedly playing into this. Because I understand the situation so completely and totally, I can tell you with 100% confidence that Bungie's Former HR was a deepstate Fascist who shuttled abusers throughout the world via private airplane. But I guess that's good ol' bungo or ya lmao.

The morale outrage here is so great that I will be cancelling my Witch Queen pre orders immediately, thank you.

I went into Sharepoint admin center to find the Onedrive retention policy (it's set to 30 days). This is applied if this account is deleted. But, it's not clear how long the Onedrive data is kept if you're just removing licenses.

I did some digging online for this and found this in the microsoft docs:

"If you only remove a user's license but don't delete the account, the content in the user's OneDrive will remain accessible to you even after 30 days.

Before you delete the account, you should give access of their OneDrive and Outlook to another user. After you delete an employee's account, the content in their OneDrive and Outlook is retained for 30 days."

It doesn't really describe how long it's kept if you're just removing the licenses. Can someone please help me understand how this works?

During our offboarding process, we simply remove all licenses instead of deleting the user's account. So, I'm trying to understand how Onedrive data is being retained after the license is removed. Thank you.

Hello, my friends! How are you doing?

First of all, I wish a Happy New Year to all of us! :)

Now, about my question, let me give you a little background of what is happening in my life right now, and what I'm looking for:

I'm currently in an interview process to work in a European company as a Senior Google Workspace IT Admin. I worked for the past 5 years with the Google Workspace solution (back when it was changing its name from "Google Apps for Work" to "G Suite", until later 2020 they renamed it to "Google Workspace"), but I worked primarily with Google Workspace Tech Support, Deployments and Migrations in a consulting firm. I migrated many many users (there was a time where I migrated 25000+ users to Google Workspace for a company, my biggest project ever! lol), but I never had the "primary experience" of working as a GWS IT Admin directly, and I'm really excited with that interview!

So I thought about some topics where I should focus on the interview, thinking about an IT Admin perspective, such as:

- Equipment inventory through the "MDM" options of the Google Workspace Admin Console

- Periodic Security Assessment (evaluating things such as if critical users are with 2SV enabled, if access to GCP or other additional google services is enabled to all users or only to those who need these accesses, what are the current Google Workspace Admin Roles and who are the users with Admin privileges, etc.)

- Onboarding / Offboarding process through GAM scripts or Google App Scripts, or user creating using an SSO tool like OKTA or syncing a company Active Directory through GCDS

- Being a Tech Lead by developing a technical schedule with the actions required to migrate data during a Merge & Acquisition process

- How is the migration process done when a Merge/Acquisition happens for the company (things like migrating all user data using tools like GWMMO, GWMME or through 3rd-party tools like CloudM Migrate)

- Development of a Services Catalog with everything our team and our Service Desk supports with Google Workspace, with procedures into how to do assist better the whole operation

- Google Vault auditing process and retention policy for e-discovery/legal requirements

- If email backup is being performed (through tools like GYB, or other 3rd-party tools)

- If in case there are subsidiaries involved, the GWS administration is solely done by the HQ Google Workspace IT Admins, or if custom administrator roles are delegated to the IT Admins

My business has let go some employees remotely during the pandemic. In most instances the employees have been at home, and were notified remotely. Today I will need to work on an employee termination, but the employee will be in the office and his manager will be home. As an hrbp, Im a little annoyed none of the employees leaders will be there in person. I offered to go to the office, but why should I if they won’t even make the effort? The employee had been struggling and I’m not even sure how he will process this news. And being in the office around other employees with no one from his team to talk to him face to face seems off. Anyone handle a termination in this manner or have any suggestions?

I am currently the HR Director at a super fast paced start up. 600 employees in 30 states with an HR team of 7 (including payroll and recruiting). Turnover is 80% therefore we are onboarding/offboarding 60 employees per month. I have been with the company for 2 years and am burned out. 65+ hours per week, always going.

I have worked SUPER hard my whole career (I am 54) with the intent of stepping back in my 50's and "gliding" into retirement.

Good news-I have been offered an HR Director position with a super small (150 employees/4 locations/15% turnover) company that shares my values. They offered me 3k more than my current salary (which is double their advertised salary).

My current company has offered me $20k more to stay and shared that they are selling the company in one year. I could possibly make $100k if sold due to stock options.

I know that I need to place my mental/physical health over any amount of money but another part of me is thinking that I am crazy to pass up the offer from my current company (but why the hell did they not pay me $20k more when I asked for a raise last month and was told that they have no money)?

#UPDATE: ISSUE AS BEEN RESOLVED

For those interested, this comment by /u/Lazy-Plate pointed me in the right direction.

After running a test, I found that ConvertTo-HTML doesn't output a [System.String], but rather outputs a [System.Object[]]. The -Body parameter of Send-MailMessage requires a string be input. So, turns out that my Try{}Catch{} was working after all, but it was the Send-MailMessage causing the issue.

I fixed this by amending by $SendMailSplat declaration as follows:

    $SendMailSplat = @{
        From        = 'EmployeeOffboarding@<Company>.com'
        To          = 'Cabbage.Corp@<Company>.com'
        Subject     = '[ERROR] Employee Offboarding - Create'
        SmtpServer  = 'smtp.<Company Domain>'
        Body        = [String]($PSItem.Exception | Select-Object Status,Message | ConvertTo-HTML)
        BodyAsHTML  = $True
    }

Notice the [String] in the Body value.

Thanks for all your help!!

And if anyone is curious about splatting, see about_splatting by clicking the link or running Get-Help about_Splatting in PowerShell/PwSh

Good morning all!

Having a bit of a head scratcher this morning. Yesterday I had an automated process start failing randomly, but I didn't have any error catching in my script, so it went unnoticed for a couple hours. It's nothing mission critical, but I would like to remedy this and start getting alerts if it fails again.

I've done this with other scripts using Try{}Catch{} and never had an issue, but it seems with this script I am not getting alerted when it fails.

Here is the relevant snippet from the script:

^(***#region Snippet***)

$GetTaskSplat = @{
    Headers     = $AuthHeader
    Method      = 'GET'
    Uri         = "https://<Company ServiceNow Production API URL>"
    Credential  = $ServiceNowCred
    ErrorAction = 'Stop'
}
Try {
    $GetTaskResponse = Invoke-RestMethod @GetTaskSplat
} Catch {
    $SendMailSplat = @{
        From        = 'EmployeeOffboarding@<Company>.com'
        To          = 'Cabbage.Corp@<Company>.com'
        Subject     = '[ERROR] Employee 

I work for a smallish sized company and we are trying to determine what to do with terminated employee accounts. Here's what we are looking to do after an employee leaves:

• Provide the users manager access to their mailbox for 30, 60, or 90 days

• Set an out of office reply for 30, 60, or 90 days, directing emails to contact the users replacement

• Provide access to the users OneDrive to the manager for 30, 60, or 90 days.

• After the 30, 60, or 90 day period is up we intend to sever the link to email and OneDrive for the manager and retain the email and OneDrive data for one year after termination.

So far we're thinking of just applying an E1 license to terminated accounts for a year. It seemed to be the easiest solution but would in-place holds/litigation holds be a better option or is there a better way altogether?

What is everyone else doing for terminated employees?