Open abias opened 5 months ago
This can also be done without specifying a retention time at all, if the user suspend/deletion task used deleted user objects that still exist in a soft-deleted state in the Entra ID directory. The first step would be to suspend a user in Moodle that is (soft) deleted from Entra ID, and when deletedUsers does not return the user (objectid) anymore, then delete the user from Moodle.
The O365 user sync, which is configured on /admin/settings.php?section=local_o365&s_local_o365_tabs=1, has a hardcoded amount of 30 days between suspending a user and deleting a user who has disappeared from the AD.
This is documented here: https://github.com/microsoft/moodle-local_o365/blob/master/classes/feature/usersync/main.php#L1677-L1694
However, for institutions who have longer data retention policies (when it comes to proving, even long time after a particular employee left the institution, that this particular employee has taken a certain safety briefing), these 30 days are not really feasible and the data retention requirement might even be counted in years and not only in days.
But if such institutions want to have a longer time between auto-suspending a user in Moodle and deleting the user finally from Moodle, they have to disable the auto-deletion option in the O365 user sync and manually delete the affected users during some kind of end-of-year cleanup phase which comes with some effort at scale.
I would like to propose to make the time between the user suspension and the user deletion configurable in the O365 user sync settings and let the admin decide how many days / weeks / months / years to wait before a user is finally deleted.
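The two deletion policies discussed in this thread (a configurable retention period, and deletion driven by the directory's soft-deleted state) can be compared side by side in a small planner. This is an added example, not code from the issue or from the plugin; `LocalUser`, `plan_sync` and the sample data are hypothetical names and constructed values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class LocalUser:
    """Hypothetical stand-in for a Moodle account linked to a directory object."""
    objectid: str
    suspended: bool = False
    suspended_at: Optional[datetime] = None

def plan_sync(users, active_ids, soft_deleted_ids, now, retention=None):
    """Return {objectid: "keep" | "suspend" | "delete"} for one sync run.

    retention=timedelta(...): delete once the account has been suspended that long.
    retention=None: delete only once the object has left the soft-deleted set.
    """
    plan = {}
    for u in users:
        if u.objectid in active_ids:
            plan[u.objectid] = "keep"      # present (or restored) in the directory
        elif not u.suspended:
            plan[u.objectid] = "suspend"   # always suspend first, never delete directly
        elif retention is None:
            gone = u.objectid not in soft_deleted_ids
            plan[u.objectid] = "delete" if gone else "keep"
        else:
            expired = u.suspended_at is not None and now - u.suspended_at >= retention
            plan[u.objectid] = "delete" if expired else "keep"
    return plan

# Constructed sample data (not real accounts).
NOW = datetime(2024, 6, 1)
USERS = [
    LocalUser("a"),                                # still active in the directory
    LocalUser("b"),                                # soft-deleted, not yet suspended
    LocalUser("c", True, datetime(2024, 4, 1)),    # suspended 61 days, still soft-deleted
    LocalUser("d", True, datetime(2024, 5, 25)),   # suspended 7 days, already purged
]
ACTIVE = {"a"}
SOFT_DELETED = {"b", "c"}

if __name__ == "__main__":
    for label, r in [("30 days", timedelta(days=30)),
                     ("365 days", timedelta(days=365)),
                     ("directory-driven", None)]:
        print(label, plan_sync(USERS, ACTIVE, SOFT_DELETED, NOW, r))
```

With the constructed data, the 30-day policy deletes `c`, a 365-day policy keeps every suspended account, and the directory-driven policy deletes only `d`, whose object is no longer in the soft-deleted set.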