Answered

Pause sync with Azure active directory (AAD)

  • 2 February 2023
  • 5 replies
  • 240 views

When an employee leaves they hand back their laptop/phone etc. We need to log in as the user to make sure all their documents are synced to M365 before we wipe the device. In order to do that we reset their password and log in to their laptop as them.

However, as the (ex-)employee is tagged in Personio as inactive / has a leaving date, the AAD integration keeps disabling the account every time it syncs. (Not sure how often - every hour?)

Does anyone know a way around this? I.e. breaking/suspending the sync to AAD for a user, or setting the AAD sync so it only happens once per day?

Or some other work around.


Best answer by ChristophS 6 February 2023, 19:00


5 replies


Dear @PresumptiveTrotter,

First, I wanted to give you a warm welcome to the Personio Community 🎉.

We are looking into the details of your inquiry and will share an answer with you soon. 

Thank you very much for your patience! 

Best,

Andrea


Hi @PresumptiveTrotter,

There is currently no intended way to stop the sync between Personio and Azure AD.

However, what you could do is delete the Personio ID from the respective Azure AD profile and change the email address of the employee’s entry in Personio to a dummy address. This would lead to Personio creating an entry in Azure AD with this dummy address, which you could delete once you have finished the offboarding.

The Personio ID can be found in the URL of the employee when opening the profile in Personio. Here’s a screenshot created within my Personio test account with dummy data:

I hope this solves your issue!

Best, 

Christoph

Thanks @ChristophS

I already tried to just remove the employee ID but upon the next sync, Personio spotted the deletion & inserted the number again!

Rather than create multiple dummy accounts in AAD, I was wondering: if I removed the employee ID from AAD AND changed the default user email address in AAD from <user>@domain.com to <user>@<tenant>.onmicrosoft.com, would that be enough for Personio to stop recognising the account and trying to sync with it?


Hey @PresumptiveTrotter,

This looks like a good idea to me and something that could work. However, since it's an edge case that we haven't had in this form yet, I'm afraid I can't tell you if it will actually work.

If you test it out, I would be very happy if you give me feedback on whether it worked or not; that would be interesting for me to know!

Best, 

Christoph

It did not work @ChristophS

With hindsight I suppose it was obvious really. The join between Personio and AAD is defined in the integration as the username (NB: NOT the email address) = firstname.lastname@domain.com, so it makes no difference what you change the email address to in M365; the integration still sees the account username and syncs the changes.
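To make the outcome of the three attempts in this thread easier to reason about, here is an added Python model of the sync behaviour as reported above. It is not Personio's integration code and not from any poster; it assumes (as the last reply states) that the integration joins a Personio employee to an AAD user on the username/UPN, writes the Personio ID back on every run, and disables the AAD account while the employee is inactive. The employee ID "12345", the domain names and the dummy address are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of the Personio -> Azure AD sync as described in the thread.
# Assumption: the join key is the AAD username (UPN), not the mail attribute.
# This is illustrative only, not Personio's real integration logic.


@dataclass
class PersonioEmployee:
    personio_id: str
    email: str        # mapped to the AAD username (UPN) on the other side
    active: bool      # False once the leaving date has passed


@dataclass
class AadUser:
    upn: str
    mail: str
    personio_id: Optional[str]
    account_enabled: bool = True


def sync_run(employees: List[PersonioEmployee], users: List[AadUser]) -> List[AadUser]:
    """Apply one sync cycle in place and return the AAD users created in this run."""
    by_upn = {u.upn.lower(): u for u in users}
    created: List[AadUser] = []
    for emp in employees:
        user = by_upn.get(emp.email.lower())
        if user is None:
            # No UPN match: the integration provisions a fresh AAD user.
            user = AadUser(upn=emp.email, mail=emp.email,
                           personio_id=emp.personio_id, account_enabled=emp.active)
            users.append(user)
            by_upn[user.upn.lower()] = user
            created.append(user)
            continue
        user.personio_id = emp.personio_id   # a deleted ID is simply written back
        user.account_enabled = emp.active    # a leaver is disabled again every run
    return created


def leaver_fixture() -> Tuple[PersonioEmployee, AadUser]:
    """Constructed sample: an inactive leaver whose AAD account is already disabled."""
    emp = PersonioEmployee("12345", "jane.doe@domain.com", active=False)
    user = AadUser("jane.doe@domain.com", "jane.doe@domain.com", "12345",
                   account_enabled=False)
    return emp, user


def attempt_delete_id() -> AadUser:
    """Attempt 1 from the thread: remove the Personio ID in AAD and re-enable the user."""
    emp, user = leaver_fixture()
    user.personio_id = None
    user.account_enabled = True
    sync_run([emp], [user])
    return user   # ID restored and account disabled again on the next run


def attempt_change_mail() -> AadUser:
    """Attempt 2: additionally change the AAD mail attribute to the onmicrosoft address."""
    emp, user = leaver_fixture()
    user.personio_id = None
    user.mail = "jane.doe@tenant.onmicrosoft.com"
    user.account_enabled = True
    sync_run([emp], [user])
    return user   # the UPN is unchanged, so the match still happens


def attempt_dummy_email_in_personio() -> Tuple[AadUser, List[AadUser]]:
    """Suggested workaround: point the Personio record at a dummy address instead."""
    emp, user = leaver_fixture()
    emp.email = "offboarding-12345@example.invalid"   # constructed dummy address
    user.personio_id = None
    user.account_enabled = True
    users = [user]
    created = sync_run([emp], users)
    return user, created   # original account untouched; a dummy user is provisioned


if __name__ == "__main__":
    print(attempt_delete_id())
    print(attempt_change_mail())
    print(attempt_dummy_email_in_personio())
```

The model reproduces the thread's findings: only a change on the Personio side of the join key (the employee's email, which feeds the UPN) stops the leaver's AAD account from being re-matched, at the cost of a throwaway AAD user that has to be cleaned up afterwards. Changing the mail attribute in AAD does nothing because the mail attribute is not the key.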
