Make user inactive automatically, except few

CR
Kilo Contributor

We have integrated Azure AD with ServiceNow.

We would like to make all users inactive automatically soon after they are created in ServiceNow. We would like to exempt a few users who are admins.

We would like to automate this at the ServiceNow level, not at the Azure level.

We are fine even if this is not best practice, because we will deactivate it after go-live.

1 ACCEPTED SOLUTION

Martin Ivanov
Giga Sage

Hi. This could be achieved via a business rule (if you want to make them inactive immediately) or with a fix script if you want to do it manually afterwards. You can also do it with a scheduled job that you will execute on demand. It doesn't matter.

The key thing is how you distinguish the admins - is it by an admin role in ServiceNow or some other criteria? Another option can be a list of sys_ids of the selected users or some key attribute.

If you answer this, I'll be able to provide you with the script.

Please Mark Correct AND Helpful. Thanks!

Martin Ivanov
2022 Community Rising Star


Please mark Correct and click the Thumb up if my answer helps you resolve your issue. Thanks!
Martin Ivanov
ServiceNow MVP 2023, 2024
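
One way to write the business rule option from the answer above, as an added example that is not from the original post or from ServiceNow: a "before insert" rule on sys_user that exempts users by user_name (the "key attribute" option). The property name `x_golive.exempt_user_names` and the empty-list fail-safe are assumptions.

```javascript
// Added example: "before insert" business rule on sys_user (ES5 for the server-side engine).
// Hypothetical system property holding a comma-separated list of exempt user_name values.
var EXEMPT_PROPERTY = 'x_golive.exempt_user_names'; // assumed name, create it yourself

// Turn the property value into a lookup of normalized (trimmed, lower-case) user names.
function parseExemptList(csv) {
    var exempt = Object.create(null); // no inherited keys such as "constructor"
    String(csv || '').split(',').forEach(function (entry) {
        var name = entry.replace(/^\s+|\s+$/g, '').toLowerCase();
        if (name) { exempt[name] = true; }
    });
    return exempt;
}

// Decide whether a newly created user should be set inactive.
// An empty exempt list is treated as a misconfiguration: deactivate nobody
// rather than lock out every admin along with everyone else.
function shouldDeactivate(userName, csv) {
    var exempt = parseExemptList(csv);
    if (Object.keys(exempt).length === 0) { return false; }
    var name = String(userName || '').replace(/^\s+|\s+$/g, '').toLowerCase();
    return exempt[name] !== true;
}

// Business rule body; runs only where the platform supplies `current` and `gs`.
if (typeof current !== 'undefined' && typeof gs !== 'undefined') {
    (function executeRule(current, previous) {
        var csv = gs.getProperty(EXEMPT_PROPERTY, '');
        if (shouldDeactivate(current.getValue('user_name'), csv)) {
            current.setValue('active', false);
        }
    })(current, previous);
}
```

Switching the rule off after go-live does not reactivate users it already marked inactive; those records need a separate update.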


2 REPLIES

_ChrisHelming
Tera Guru

What's your use case? To prevent users from logging in before you're live or to prevent users from logging in to a sub-prod instance or something else?

If that's your use case I'd recommend looking into adding some logic to one of the MultiSSO_SAML2 scripts to check if the user belongs to a specific group (like create a group called "sn_subprod_access") or has the admin role and if not return "failed_authentication" to prevent them from logging in.

If you mark all/most users as inactive you'll end up having a hard time testing, since you can't see inactive users by default, and impersonating to perform your tests.