[REWST - TASK] Remove Group Memberships
This workflow automatically removes users from both Microsoft 365 and on-premises Active Directory groups, functioning as a critical building block in comprehensive user management automations like offboarding, permission adjustments, or security remediation processes. MSPs will find this particularly valuable during client offboarding processes, security incident responses requiring immediate access revocation, compliance audits, and multi-tenant management scenarios where maintaining accurate group memberships across different environments is challenging. Technically, the workflow retrieves the user's current group memberships via Microsoft Graph API, evaluates whether to process cloud-based groups (Microsoft 365) or on-premises Active Directory groups (or both), and then executes the removals using appropriate methods for each environment—API calls for cloud groups and PowerShell commands via RMM for on-premises groups.
This workflow contains 12 tasks.
Inputs
idp_config - string
Accepted values are: on_prem, hybrid_no_sync, azure_ad, on_prem_only. If no value is provided, the value is determined via org var logic.
Default:
{{ CTX.idp_config|d }}
on_prem_dc - string
The hostname of the On-Prem Domain Controller.
Default:
{{ ORG.VARIABLES.primary_domain_controller|d }}
aad_user_id - string
The GUID of the Azure/Entra User.
default_rmm - string
Default RMM
on_prem_user_id - string
The User ID of the On-Prem user.
Outputs
automation_log: Standardized Rewst automation log
success: Boolean; states whether the workflow was successful.
removed_groups: List of groups that were removed.
dynamic_groups: List of dynamic groups that the user could not be removed from.
Key tasks
failure_catch: Core integration: noop
get_user_groups: Data retrieval
check_azure: Validation/verification
check_onprem: Validation/verification
check_for_groups: Validation/verification
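The split the overview describes (cloud groups removed through the API, on-premises groups handled separately, dynamic groups reported rather than removed) can be written as a planning step; this is an added example, not Rewst's workflow code, and it builds the list of removals without calling any API. Assumptions: the mapping of idp_config values to cloud or on-premises processing, the name plan_removals, and the constructed sample memberships. The Graph fields (groupTypes, onPremisesSyncEnabled) and the DELETE .../members/{id}/$ref request are standard Microsoft Graph.

```python
import uuid

ACCEPTED = {"on_prem", "hybrid_no_sync", "azure_ad", "on_prem_only"}
# Assumption: which idp_config values touch which directory (not from the page).
CLOUD = {"on_prem", "hybrid_no_sync", "azure_ad"}
ON_PREM = {"on_prem", "hybrid_no_sync", "on_prem_only"}
GRAPH = "https://graph.microsoft.com/v1.0"

G = "#microsoft.graph.group"
SAMPLE_MEMBER_OF = [  # constructed sample shaped like a Graph memberOf result
    {"@odata.type": G, "id": "11111111-1111-1111-1111-111111111111",
     "displayName": "Finance", "groupTypes": ["Unified"]},
    {"@odata.type": G, "id": "22222222-2222-2222-2222-222222222222",
     "displayName": "All Staff", "groupTypes": ["DynamicMembership"]},
    {"@odata.type": G, "id": "33333333-3333-3333-3333-333333333333",
     "displayName": "VPN Users", "groupTypes": [], "onPremisesSyncEnabled": True},
    {"@odata.type": "#microsoft.graph.directoryRole",
     "id": "44444444-4444-4444-4444-444444444444", "displayName": "Helpdesk Administrator"},
]


def plan_removals(idp_config, aad_user_id, member_of):
    """Sort memberOf entries into removal actions; performs no API calls."""
    if idp_config not in ACCEPTED:
        raise ValueError(f"unsupported idp_config: {idp_config!r}")
    plan = {"cloud_deletes": [], "dynamic_groups": [], "on_prem_groups": [],
            "process_on_prem": idp_config in ON_PREM}
    if idp_config not in CLOUD:
        return plan
    user_id = str(uuid.UUID(aad_user_id))  # raises ValueError unless a GUID
    for obj in member_of:
        # memberOf also returns directory roles and administrative units.
        if obj.get("@odata.type") != G:
            continue
        name = obj.get("displayName") or obj["id"]
        if "DynamicMembership" in (obj.get("groupTypes") or []):
            plan["dynamic_groups"].append(name)  # membership is rule-driven
        elif obj.get("onPremisesSyncEnabled"):
            plan["on_prem_groups"].append(name)  # mastered in AD, change it there
        else:
            group_id = str(uuid.UUID(obj["id"]))  # keep the URL path well-formed
            plan["cloud_deletes"].append(
                ("DELETE", f"{GRAPH}/groups/{group_id}/members/{user_id}/$ref"))
    return plan


if __name__ == "__main__":
    print(plan_removals("on_prem", "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa", SAMPLE_MEMBER_OF))
```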
Jinja examples
Example 1
Used in input parameter 'endpoint'
Example 2
Unknown context