
v1.7.0


@yusha released this 24 Jun 23:40

Conditional Access is now handled up front

Previously, Step 10 (the Conditional Access sign-in block) could fail at the very END of an offboarding — after the mailbox was already converted to shared and the license removed — if the admin-restricted Policy.ReadWrite.ConditionalAccess permission wasn't consented. That's the worst place for a failure.

Now the CA group + report-only policy are set up as a pre-step, before anything destructive runs. If it can't be set up, you choose while nothing has changed yet:

  • [R] Retry the consent prompt (tick "consent on behalf of your organization")
  • [M] Manual — create the policy in Entra yourself (steps shown), then re-check
  • [C] Continue offboarding without the CA policy (the user still joins the group)
  • [A] Abort — stop now and run no offboarding steps

Unattended / automated runs continue without the policy on failure (logged), so they never hang. Step 10 then simply adds the user to the group.

Hardening

  • A missing Group.ReadWrite.All (or a transient error) in the pre-step no longer aborts the whole lockout — the CA block is optional, report-only defense in depth.
  • The pre-step's group is reused by Step 10, so there's no risk of creating a duplicate same-named group that the policy doesn't target.
  • An abort exits cleanly with an audit record instead of a red stack trace.
  • The pre-step honors -WhatIf, and Step 6 no longer removes the user from the offboarded-users group on a re-run.
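The pre-step described above (group and report-only policy created before anything destructive, with the R/M/C/A choice on failure and unattended runs continuing without the policy) together with the hardening points (group reuse, clean abort with an audit record, -WhatIf support, idempotent group membership on re-run) can be sketched as follows. This is an added example written for this page, not the project's own code: the group name, policy name, -Unattended switch, audit log path and function names are assumptions, and it uses the Microsoft Graph PowerShell SDK cmdlets.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Groups, Microsoft.Graph.Identity.SignIns
# Added example, not the project's own code. Group name, policy name, -Unattended
# switch, audit log path and function names are assumptions for illustration.

$script:AuditLogPath = Join-Path $env:TEMP 'offboarding-audit.log'   # assumed location

function Write-Audit([string]$Message) {
    # Every decision, including an abort, leaves an audit line instead of a stack trace.
    "$(Get-Date -Format o) $Message" | Add-Content -Path $script:AuditLogPath
    Write-Verbose $Message
}

function Initialize-OffboardingCaPreStep {
    # Runs BEFORE any destructive step. Returns GroupId/PolicyId plus a Status of
    # Ready, NoPolicy, NoGroup, Aborted or WhatIf so the caller can decide what to run.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$GroupName  = 'Offboarded Users',                          # assumed name
        [string]$PolicyName = 'Offboarding - block sign-in (report-only)', # assumed name
        [switch]$Unattended
    )
    $scopes = 'Group.ReadWrite.All', 'Policy.ReadWrite.ConditionalAccess'
    $group = $null; $policy = $null

    while ($true) {
        try {
            # Reuse an existing group by display name so a later step can never create
            # a duplicate same-named group that the policy does not target.
            $group = Get-MgGroup -Filter "displayName eq '$GroupName'" -ErrorAction Stop |
                     Select-Object -First 1
            if (-not $group -and $PSCmdlet.ShouldProcess($GroupName, 'Create security group')) {
                $group = New-MgGroup -DisplayName $GroupName -MailEnabled:$false -SecurityEnabled `
                                     -MailNickname ($GroupName -replace '\s', '') -ErrorAction Stop
            }
            if ($group) {
                # Same idempotency for the policy: reuse it by display name if it exists.
                $policy = Get-MgIdentityConditionalAccessPolicy -All -ErrorAction Stop |
                          Where-Object DisplayName -eq $PolicyName
                if (-not $policy -and $PSCmdlet.ShouldProcess($PolicyName, 'Create report-only CA policy')) {
                    $body = @{
                        displayName   = $PolicyName
                        state         = 'enabledForReportingButNotEnforced'  # report-only, never enforced here
                        conditions    = @{
                            users          = @{ includeGroups = @($group.Id) }
                            applications   = @{ includeApplications = @('All') }
                            clientAppTypes = @('all')
                        }
                        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
                    }
                    $policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body -ErrorAction Stop
                }
            }
            break   # group (and policy, unless -WhatIf) are in place
        }
        catch {
            # Typically a missing admin-consented scope or a transient Graph error.
            # Nothing destructive has run yet, so the operator can still choose freely.
            $reason = $_.Exception.Message
            Write-Warning "CA pre-step failed (no offboarding step has run yet): $reason"
            $choice = if ($Unattended) { 'C' } else {
                (Read-Host '[R]etry consent / [M]anual / [C]ontinue without policy / [A]bort').ToUpper()
            }
            if ($choice -eq 'R') {   # re-prompts consent; tick "consent on behalf of your organization"
                Connect-MgGraph -Scopes $scopes | Out-Null; continue
            }
            if ($choice -eq 'M') {   # operator creates it in Entra, then we re-check by name
                Write-Host "In Entra, create a report-only CA policy named '$PolicyName' targeting group '$GroupName' with grant control Block, then press Enter."
                Read-Host | Out-Null; continue
            }
            if ($choice -eq 'A') {
                Write-Audit "Operator aborted the CA pre-step; no offboarding steps were run. Reason: $reason"
                return [pscustomobject]@{ Status = 'Aborted'; GroupId = $null; PolicyId = $null }
            }
            Write-Audit "Continuing without CA policy (Unattended=$Unattended): $reason"
            break
        }
    }
    $status = if ($WhatIfPreference) { 'WhatIf' } elseif ($policy) { 'Ready' } elseif ($group) { 'NoPolicy' } else { 'NoGroup' }
    [pscustomobject]@{ Status = $status; GroupId = $group.Id; PolicyId = $policy.Id }
}

function Add-UserToOffboardingGroup {
    # Step 10 then only adds the user to the pre-step's group. Safe on a re-run:
    # an existing membership is left alone and never removed.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$GroupId, [Parameter(Mandatory)][string]$UserId)
    if (Get-MgGroupMember -GroupId $GroupId -All | Where-Object Id -eq $UserId) {
        Write-Audit "User $UserId already in group $GroupId (re-run); nothing to do"; return
    }
    if ($PSCmdlet.ShouldProcess($UserId, "Add to CA group $GroupId")) {
        New-MgGroupMember -GroupId $GroupId -DirectoryObjectId $UserId
        Write-Audit "Added $UserId to CA group $GroupId"
    }
}

# Usage: connect first, run the pre-step, then the destructive steps, then Step 10.
# Connect-MgGraph -Scopes 'Group.ReadWrite.All','Policy.ReadWrite.ConditionalAccess','User.ReadWrite.All'
# $pre = Initialize-OffboardingCaPreStep -WhatIf:$false
# if ($pre.Status -eq 'Aborted') { return }
# ... steps 1-9 (mailbox conversion, license removal, ...) ...
# if ($pre.GroupId) { Add-UserToOffboardingGroup -GroupId $pre.GroupId -UserId $userId }
```

The order matters more than the cmdlets: the pre-step is the only place a consent failure can surface, and it surfaces while the account is still intact. Both functions take -WhatIf through SupportsShouldProcess, so a dry run touches neither the group nor the policy, and the Status field lets the caller treat NoPolicy (report-only policy missing, group still usable) differently from NoGroup or Aborted.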

Full Changelog: v1.6.1...v1.7.0