
PennO365: Preparing for User Separation from Penn

Overview

When a person leaves the University, their former organization at Penn often needs access to the user’s existing mailbox, needs to continue receiving new messages sent to the user’s account, or both. This article summarizes the tasks IT support staff must perform before account deprovisioning so that the account is configured to meet the department’s business needs at user separation and, where required, remains functional after separation.

Please note that the process for preparing for a user’s separation from the University is different from the process for transferring a user’s account from one organization to another at Penn. Organizational account transfers are performed by ISC at the request of school/center IT support staff.

Considerations for PennO365 User Separation

When a PennO365 user separates from the University, IT support staff should review the considerations below with the user’s department and perform the relevant actions as needed. Note that most of these actions can be performed by the end user if they are available prior to leaving the University. If the user is not available, IT support staff can perform the actions after granting themselves Full and SendAs access to the user’s mailbox in ARS.[1]

IMPORTANT: Considerations A, B, C, D, and E are only available until the separated user’s account is deprovisioned. Once an account is deprovisioned, all functionality stops immediately, and all data is deleted and becomes unrecoverable 30 days later. To keep an account active and prevent the automatic deprovisioning process, IT support staff must add an eligible guest-type affiliation to the user’s record in PennCommunity and apply an override.

 

| | CONSIDERATION | ACTION TO TAKE |
|---|---|---|
| A | Does the department need the mail that already exists in the account? | If yes, IT support staff should export the contents of the account to a .pst file.[2] |
| B | Does the department need future mail to be accessible? | If yes, IT support staff should set a forwarding address on the account to forward new mail to an active account.[3] ISC also recommends configuring the account so that a copy of the mail is not retained in the separated user’s mailbox. |
| C | Does the department want to have a message automatically sent to anyone sending email to the user’s account? | If yes, IT support staff should configure the automatic replies on the user’s account to send the department’s desired message.[4] |
| D | Does the department want to prevent the user from accessing their account following separation? | Log into Grouper and add the user to Root > penn > isc > ait > apps > O365 > O365AccountBlock > School/Center. It will take up to 1 hour 15 minutes to be fully locked out. If an immediate lockout is needed, follow the process for a Contentious Separation outlined below. The account itself will follow the normal deprovisioning timeline. |
| E | Does the department want the account to continue to function as normal for the user? | If yes, IT support staff need to give the separating user an eligible guest-type affiliation in PennCommunity[5] and then apply the appropriate type of override.[6] This will keep the account from being flagged for deprovisioning and allow the user to continue to access it. |
| F | Does the department need to have the email forward after the mailbox is deprovisioned? | If yes, IT support staff should submit a request to have the account’s mail routing converted to a Forward-Only address.[7] |

Contentious Separation

In the event of a contentious separation, IT support staff should work with the organization’s Human Resources or business office to deactivate any active affiliations in payroll and consult with the Office of Information Security on policies that favor your department.

If the user’s access to their account needs to be immediately disabled or disabled at a specific time due to the particular circumstances of the contentious separation:

  1. School/center IT staff add the user to the applicable School/Center-specific Grouper group for lockout (O365AccountBlock > School/Center) when the lockout is needed.
    • Note: Once an account is configured to disallow logins, only ISC administrators and users that have been granted full mailbox access to the account will be able to access it. 
  2. School/center IT staff call ISC Client Care at 215-898-1000, with documented approval by one of the following, to request that all active sessions be forced to expire (i.e., forced logoffs) when the lockout is needed.
    • The school/center's HR director or equivalent central HR director
    • Member of the Office of Information Security staff
    • Office of General Counsel
    • Office of Audit Compliance and Privacy
       
  3. ISC administrators force the close of all active sessions either immediately or at a scheduled time.  
     
  4. School/center IT staff determine the business needs based on the following considerations:
    1. Does the department need the mail that already exists in the account?
    2. Does the department need future mail to be accessible?
    3. Does the department want to have an automatic message that is sent to anyone sending mail to the user’s account?
    4. Does the department need to have an email forward after the mailbox is deprovisioned?
       
  5. If any of the above considerations need to be implemented, school/center IT staff need to grant themselves Full and SendAs access to the user’s mailbox in ARS and perform the appropriate action(s):
    1. If the department needs a copy of existing data in the account, school/center IT staff should configure Outlook to access the account and create a .PST of the account data.
    2. If the department needs future mail to be accessible, school/center IT staff should access the account via Outlook on the Web and set a forward to the appropriate active account.
    3. If an automatic reply needs to be set, school/center IT staff should access the account via Outlook on the Web and set the desired message.
    4. If the account should not be deprovisioned, IT staff should apply a Courtesy affiliation to the user’s record in PennCommunity and apply an appropriate override using O365 Tools.
       
  6. If and when the account can be deprovisioned, the school/center IT support staff can flag the account for automatic deprovisioning by inactivating the Courtesy affiliation. To manually deprovision the account, inactivate the Courtesy affiliation and then remove the assigned PennO365 Mailbox license in ARS.

References

  1. How to mailbox disable a PennO365 account
  2. Create an Outlook Data File (.pst) to save your information
  3. Forward email from Office 365 to another email account
  4. Configuring Automatic replies
  5. PennO365 eligible affiliations
  6. Overrides in ARS
  7. ISC Forward-Only Service