Recently, I’ve been playing around with SharePoint Online User Profiles and seeing what the default behaviour is when a user leaves the organisation, and I have found some interesting behaviours that are certainly noteworthy. It always worries me when I think something has been deleted and it hasn’t, so I thought I’d share, and you can decide if you care.
User Profile Sync Process
To understand the problem here, it’s good to first have an understanding of the various sync processes that sync a User from On-Prem AD to the SharePoint Site Collections. There used to be a really good Microsoft Docs article about this, but for some reason they’ve deleted it, so I’ve drawn you a nice diagram, because I’m good like that.
In the below diagram, you can see that there are a series of synchronisation steps that a user goes through to sync their data from the On-Prem AD object to the Site Collections that they have access to.
This process is well-established, I’m not going to pretend it isn’t. When you add a new user to your On-Prem AD, that user is available to add to a Site Collection usually within an hour which is rather impressive. The problem I see, however, is when a user leaves your organisation.
Removing a User from SharePoint Online
When a user leaves your organisation, your standard JML process will kick in. Usually it’s the same routine: disable the AD object, add a no-sync attribute to stop AADC syncing it, and, as far as Office 365 is concerned, the rest is handled automatically. The user object is removed from AAD, any assigned licenses are reclaimed and of course the user is removed from SharePoint Online.
However, although the user is certainly removed from the User Profile Service, that is as far as the removal sync goes. It does not reach the Site Collections, as I will demonstrate below.
In my demo tenant, I am going to remove Miriam Graham to illustrate the flow of events and the potential problem. Here you can see her in AAD:
And here she is in the SharePoint User Profile Service:
As I am going to be demonstrating this in my demo tenant, I don’t have an On-Prem AD setup with AADC, however, the behaviour is exactly the same. For the purposes of this demo, I will simply delete the user from Azure Active Directory.
Miriam has been deleted from AAD, so after a few short moments she should be removed from SharePoint Online too. Approximately 15 minutes later, the User has been removed from the SharePoint User Profile Service, as you can see here:
That should be it, right? This docs article says “After you delete a user, a series of jobs will remove the user from SharePoint. After the next incremental profile import job, the user (or users) will be marked as deleted, the user’s profile page will be deleted, and the user’s OneDrive will be marked for deletion by the MySite cleanup job.”
Gone! But not really…
I have deleted the User from AAD and this has been synchronised to SharePoint Online. However, the user profile still exists in ALL the SharePoint Site Collections they had access to.
If I navigate to a Site Collection that Miriam had access to, it doesn’t take long to notice that all of the user’s profile data is still very much present. If you hover over a document they have edited or navigate to the Site Permissions page, you can clearly see the entirety of the user’s profile, for example:
If you click “See More” on the pop-up box, you will see the whole user profile:
As you can see, nothing has been removed and this will stay here until the user is manually removed from the Site Collection by either the Site Collection Owners or by a SharePoint Admin. Or until the Site Collection is deleted, of course!
Solution
If you feel that this is a problem, there is some good news – there is an easy fix. Adding one line of PowerShell into your JML process will trawl your Site Collections and delete the user.
# -Limit All is needed here: without it Get-SPOSite returns only the first 200 site collections, so the trawl would be incomplete in a larger tenant
Get-SPOSite -Limit All | ForEach-Object { Write-Host $_.Url ; Remove-SPOUser -Site $_.Url -LoginName miriamg@tenant.onmicrosoft.com }
After running this command, this is all that remained of that user in the Site Collection:
I am still working on removing the Picture. Permanently removing the user’s mailbox where the picture is stored did not seem to work and 7 days later it’s still there. I will post an update when I figure it out.
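As an added example that is not code from the original post, here is the same trawl wrapped as a reusable JML step: it enumerates every site collection, reports each one where the leaver’s profile is still present, supports a dry run with -WhatIf, and records failures per site. It assumes the SharePoint Online Management Shell module is loaded and Connect-SPOService has already been run as a SharePoint admin; the login name in the usage lines is a placeholder.

```powershell
# Added example, not code from the original post. Assumes the SharePoint Online
# Management Shell module is loaded and Connect-SPOService has already been run
# as a SharePoint admin; the login name in the usage lines is a placeholder.
function Remove-OffboardedUserFromSites {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $LoginName,
        # OneDrive sites are separate site collections; include them on request
        [switch] $IncludePersonalSites
    )

    # -Limit All matters: without it Get-SPOSite returns only the first 200
    # site collections, so a large tenant would be trawled incompletely.
    $sites = Get-SPOSite -Limit All -IncludePersonalSite $IncludePersonalSites.IsPresent

    foreach ($site in $sites) {
        # Look the user up first so the report separates "still present" from
        # "never there" instead of relying on Remove-SPOUser's error output.
        $user = Get-SPOUser -Site $site.Url -LoginName $LoginName -ErrorAction SilentlyContinue
        if ($null -eq $user) { continue }

        $status = 'Found'
        if ($PSCmdlet.ShouldProcess($site.Url, "Remove $LoginName")) {
            try {
                Remove-SPOUser -Site $site.Url -LoginName $LoginName -ErrorAction Stop
                $status = 'Removed'
            } catch {
                $status = "Failed: $($_.Exception.Message)"
            }
        }

        # One record per site collection where the profile was still present
        [pscustomobject]@{
            Url       = $site.Url
            LoginName = $LoginName
            Status    = $status
        }
    }
}

# Usage: dry run first to list where the profile lingers, then remove and keep
# the report with the leaver's offboarding record.
# Remove-OffboardedUserFromSites -LoginName 'miriamg@tenant.onmicrosoft.com' -WhatIf
# Remove-OffboardedUserFromSites -LoginName 'miriamg@tenant.onmicrosoft.com' -IncludePersonalSites |
#     Export-Csv -Path .\leaver-siteuser-report.csv -NoTypeInformation
```

With -WhatIf nothing is removed and every site still holding the profile is reported with Status 'Found', which doubles as a periodic check that earlier offboarding runs did not miss any site collections.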