BCEL1014b: What Is My Offboarding Trigger for Microsoft 365?


Why Select 365?

For organizations where Office 365 is the source of truth, or an on-prem AD is pushing changes to Microsoft 365, offboarding should start with the Microsoft 365 integration. Organizations can trigger offboarding from 365 through one of two WHEN/IF statements. These are

  1. WHEN a User is Disabled
  2. WHEN a User is Added to a Group + IF Group is… 

Depending on how the organization usually begins its offboarding process, these are the actions they should evaluate when deciding upon an offboarding Workflow trigger.

OPTION: User is Disabled (BetterClouders Most Common Method)

If an organization is disabling the user directly in 365’s admin console, or they are disabling the user in on-prem AD with a push up to 365, it is best to select User is Disabled. If using on-prem AD, keep in mind how AD interacts with Microsoft 365 as BetterCloud will be able to pick up the trigger once the action syncs from AD to 365.




 Quick action, taken from the directory


 Slight delay before full access is cut

 Can still receive email, set forwarding, etc



 Syncs from On-Prem AD (if set up)


User is Added to a Group + Group is [Offboarding Group]

Organizations may also set up a Group specifically for offboarding, which could then kick off an onboarding Workflow in BetterCloud. In this scenario, the WHEN event would be User is Added to a Group, with the IF condition being defined as the Offboarding Group. If the organization doesn't have an offboarding Group, and would like to create one, they should do so before selecting this trigger. While disabling a user immediately locks the user out, moving them to a Group will keep an organized list of users all in one place that are going through, or have gone through, the offboarding process. 

Important: BetterCloud does not cascade down 365 Nested Groups to trigger Alerts/Workflows.




 Keeps users organized


 Must create a Group if one doesn't exist

 Can open offboarding to non-IT users


 Prevents email delegation

Why Wouldn’t You Select 365?

BetterCloud’s uses a user’s email address to merge accounts and offboard a user via the accounts seen in their User 360 view. If you were to go to a user's profile in BetterCloud (Directory > Users), what applications do you see listed? This profile is known as a "merged" profile, and all integrations listed here will be part of the offboarding process. If an organization has not yet set up their primary domain in 365, and instead are using an onmicrosoft email address, this can cause issues during offboarding. BetterCloud will look for the onmicrosoft address in Okta, Google, Slack, and other applications, however, these services aren’t using the onmicrosoft email extension. As a result, applications outside of Microsoft will not properly identify and offboard the user. We recommend organizations using an onmicrosoft extension for 365 update their 365 domain to reflect their primary domain. Instructions on how to change an onmicrosoft extension can be found here.

Additionally, if an organization’s source of truth is not 365, or they have an HRIS that is pushing to another application, that would be the best place for you to start the offboarding process. It is best to review all available triggers for each application before making a decision.

Are You Using an HRIS or IdP?

If an organization is using an HRIS or an IdP that is NOT a BetterCloud integration, it is critical to determine if the HRIS or IdP are pushing changes directly to 365. If pushes are occuring, this is a great way to start offboarding, and the offboarding trigger will likely be WHEN a User is Disabled. It is best to identify how the HRIS or IdP are pushing users to 365, if at all.

If an HRIS or an IdP are BetterCloud integrations, and being used by the organization, one of these should be the proper starting point.

Are There Other Options?

In the event that an organization changes a user's password or deletes a user from their organization, they will need to decide what available trigger works best for them. Simply resetting a password or deleting a user are not recommended best practices, or available triggers within BetterCloud. 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request