Is it possible to refresh a user's Azure AD group and administrative role memberships through the Graph API to avoid the delay before these changes take effect? Azure PIM does this when a user activates access.
The beta version of the Graph API has a method to invalidate a user's refresh tokens which looks like it does this, but the user has to log in again on all devices. I'd like to avoid that.
The Microsoft documentation for the Disable-RemoteMailbox powershell cmdlet states:
Note: If you are deprovisioning a cloud mailbox and its associated online archive, you must first disable the online archive with the command
Disable-RemoteMailbox -Archiveand then perform a directory synchronization prior to disabling the remote mailbox. Attempting to disable both the online archive and cloud mailbox without a sync between them may result in anArchiveGuidmismatch and validation error.
So 3 steps are required to deprovision a mailbox correctly:
Disable-RemoteMailbox "David Strome" -ArchiveDisable-RemoteMailbox "David Strome"Is step #2 necessary if you also disable the on-premise AD user and you exclude disabled users from the directory synchronization, effectively deleting the AAD user and eventually the user and archive mailboxes?
If the person comes back for a new work period, the on-premise AD user is enabled. That may happen within the 30 days retention period for the mailboxes.