Clean up Any Deactivated Accounts

The Deactivated Account Cleaner feature allows you to remove deactivated accounts and non-existent AD accounts from your SharePoint Online environment and transfer their permissions to other available users using either Plan Mode or Scan Mode. See the topics below for more information.

The Deactivated Account Cleaner function does not support ADFS. If the provider user of a deactivated or non-existent AD account is ADFS-certificated, that user cannot be searched for or deleted using Deactivated Account Cleaner in Administrator.

The Deactivated Account Cleaner feature also allows you to detect and remove external users from the sites where external sharing settings have been disabled.

Use Plan Mode

To use the Plan Mode in Deactivated Account Cleaner, complete the following steps:

  1. Select the Scope of the content (from group level to site collection level).

  2. Click Security > Deactivated Account Cleaner > Plan Mode.

  3. Enter a Plan Name for the plan. A default plan name in the format Deactivated Account Cleaner HH:MM:SS YYYY-MM-DD is provided.

    • Click Check next to the plan name to check whether the specified plan name is available. A green check mark indicates that the specified plan name is available. A warning message appears if the specified plan name already exists, and some suggested plan names are listed beneath.

    • Add an optional Description if desired.

  4. Select the account types that you want to scan:

    • Deactivated user

    • Deleted user

    • Permanently deleted user

    • Deleted group

  5. Select a previously created filter policy from the Filter Policy drop-down list. A filter policy allows you to search for deactivated accounts using certain conditions.

  6. For the Verify Accounts before Deleting section, choose whether to verify the accounts in Job Monitor before deleting them. For security reasons, it is recommended that you verify accounts before deletion.

    • Yes – Enables you to view the accounts found by Administrator in Job Monitor and clone permissions from these accounts to other available users instead of deleting them directly. This is the default option. For more information on operations in Job Monitor, refer to Use Scan Mode.

    • No – Removes the accounts directly. You can choose to Remove the deleted accounts from the site or to Remove the deactivated accounts from the site or both.

  7. Select a scheduling option.

    • No Schedule – Select this option to run the plan immediately.

    • Configure the schedule myself – Select this option to configure a customized schedule in the Schedule Settings field, and run the job by schedule.

  8. Select a previously created user notification profile from the E-mail Notification drop-down list, or select New Notification to configure a new user notification. You can also select the Include the site collection administrators checkbox to send e-mails to the site collection administrators. Click View to see the detailed information of the selected user notification profile.

  9. When satisfied with your selections, click Save and Run Now or OK. The plan is now listed in Plan Manager.

Use Scan Mode

Use Scan Mode to do a quick search, which lists all of the deactivated accounts in your selected scope. You can perform further operations on the scan results.

To use Scan Mode, complete the following steps:

  1. Select the Scope of the content (from group level to site collection level).

  2. Click Security > Deactivated Account Cleaner > Scan Mode. The Deactivated Account Cleaner Scan Mode interface appears.

  3. Click the here link to start the scanning. The job can be viewed in the Job Monitor.

  4. When the scan completes, select the job and click Deactivated Account Deletion in the Tools group on the ribbon. The Deactivated Account Deletion tab appears. The deactivated or non-existent Active Directory users within the specified scope are listed in the table.

    A user is marked with Unverified Account when the status of the user cannot be verified. This is most commonly caused by a lost connection to the domain where the user resides.

  5. Select the deactivated accounts to remove.

    • To add or remove columns, click the manage buttons on the upper-left of the table. Select or deselect the columns as desired. Click OK to apply your selections.

    • Hide columns by placing the cursor over the relevant column name and clicking the hide the column button.

    • To quickly search for a deactivated account, enter keywords in the Input Keyword field, and click the Search icon to start the search.

    • Initiate a search based on the content of a specific column by placing the cursor over the relevant column name, clicking the filter the column button, and inputting the content to search by.

    • Search all pages searches for a user across all pages, while Search current page searches for the user on the current page.

  6. Determine the deactivated account whose permissions you want to transfer. Enter the destination username under the Clone User Permissions column. Click the Check Names icon to verify the entered usernames, or click Browse to browse through a list of names.

  7. Click Next on the lower-right section of the page to access the Options for Cleaning Deactivated Accounts section.

  8. Select a scheduling option.

    • No Schedule – Select this option to run the plan immediately.

    • Configure the schedule myself – Select this option to configure a customized schedule in the Schedule Settings field, and run the job by schedule.

  9. Select a previously created user notification profile from the E-mail Notification drop-down list, or select New Notification to configure a new user notification. You can also select the Include the site collection administrators checkbox to send e-mails to the site collection administrators. Click View to see the detailed information of the selected user notification profile.

  10. When satisfied with your selections, click OK.