How-to: Disabling Office 365 and OX Access for Students

HowTo: Disabling Office 365 and OX Access for Students via UCS Attribute Modification

Overview:

Students (or specific user groups) should no longer have access to Microsoft 365 (M365) and/or Open-Xchange (OX) App Suite.
The UCS to Microsoft 365 / OX connection itself should remain intact for other users, but targeted user groups need to be disconnected.


Environment:

  • UCS environment with active connections to:

    • Microsoft 365 (via Univention Office 365 Connector)
    • OX App Suite
  • Users managed in UCS@school with defined ucsschoolRole attributes (e.g., student:school:<OU>).

  • Synchronization to Azure Active Directory enabled.


Step 1 – Identify the Target User Role

Determine the role string (ucsschoolRole) of the affected group. Example:

univention-ldapsearch -LLL uid=<username> ucsschoolRole

Example output:

dn: uid=max.muster,cn=schueler,cn=users,ou=mejneschool2,dc=ucs5schoolhejne,dc=intranet
ucsschoolRole: student:school:mejneschool2

This value can be used as TARGET_ROLE in the script below.


Step 2 – Disable Access via Attribute Modification

Create the script /root/disable_services.sh with the following content:

#!/bin/bash

# Define the role to search for
TARGET_ROLE="student:school:mejneschool2"

echo "Searching for users with role: ${TARGET_ROLE}"
echo "-----------------------------------------------------"

univention-ldapsearch "ucsschoolRole=${TARGET_ROLE}" dn | \
grep '^dn: ' | \
sed 's/^dn: //' | \
while IFS= read -r user_dn
do
  if [ -n "$user_dn" ]; then
    echo "Processing user: ${user_dn}"
    udm users/user modify --dn "${user_dn}" \
      --set isOxUser=Not \
      --set UniventionOffice365Enabled=0
    
    if [ $? -eq 0 ]; then
      echo "User successfully disabled for OX and M365."
    else
      echo "ERROR modifying user: ${user_dn}" >&2
    fi
    echo "-----------------------------------------------------"
  fi
done

echo "Script completed."

Usage

  • chmod +x /root/disable_services.sh
  • /root/disable_services.sh

This sets:

  • isOxUser=Not → disables OX access
  • UniventionOffice365Enabled=0 → disables Microsoft 365 access
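
The loop above only processes lines that begin with "dn: ". LDIF writes a DN containing non-ASCII characters as "dn:: <base64>", so such a user would be skipped without any error and keep OX and M365 access. The following is an added example, not part of the original script: the function names ldif_dns, naive_dns and sample_ldif and the users erika.muster and jörg.müller are constructed for illustration, and folded lines are handled as well in case the LDIF comes from a source that wraps at 76 columns.

```bash
#!/bin/bash
# Added example (not from the original how-to): extract every DN from LDIF.

# Reads LDIF on stdin, prints one decoded DN per line. Handles
#   dn: <text>      plain DN
#   dn:: <base64>   DN with non-ASCII characters
#   " <rest>"       folded continuation of the previous line
ldif_dns() {
  awk '
    /^ /      { if (in_dn) buf = buf substr($0, 2); next }  # unfold
              { if (in_dn) print buf; in_dn = 0 }           # DN line complete
    /^dn::? / { buf = $0; in_dn = 1 }
    END       { if (in_dn) print buf }
  ' | while IFS= read -r line; do
    case "$line" in
      "dn:: "*) printf '%s' "${line#dn:: }" | base64 -d; echo ;;
      "dn: "*)  printf '%s\n' "${line#dn: }" ;;
    esac
  done
}

# What the loop in disable_services.sh extracts, for comparison.
naive_dns() { grep '^dn: ' | sed 's/^dn: //'; }

# Constructed sample: a plain DN, a folded DN and a base64 DN.
# erika.muster and jörg.müller are made-up users for illustration.
BASE='cn=schueler,cn=users,ou=mejneschool2,dc=ucs5schoolhejne,dc=intranet'
sample_ldif() {
  b64=$(printf '%s' "uid=jörg.müller,$BASE" | base64 | tr -d '\n')
  printf 'dn: uid=max.muster,%s\n' "$BASE"
  printf 'ucsschoolRole: student:school:mejneschool2\n\n'
  printf 'dn: uid=erika.muster,cn=schueler,cn=users,ou=mejneschool2,dc=ucs5sch\n'
  printf ' oolhejne,dc=intranet\n\n'
  printf 'dn:: %s\n' "$(printf '%s' "$b64" | cut -c1-60)"
  printf ' %s\n'     "$(printf '%s' "$b64" | cut -c61-)"
}

echo "naive pipeline:"; sample_ldif | naive_dns
echo "ldif_dns:";       sample_ldif | ldif_dns
```

To use it in the script, replace the grep and sed stages of the pipeline with ldif_dns. Comparing the number of DNs returned with the number of users modified gives a quick check that nobody was left out.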

Step 3 – Synchronization with Azure AD

  • Users are disabled and renamed in Azure AD (prefix: ZZZ_deleted).
  • Licenses are automatically removed and can be reassigned.
  • Objects starting with ZZZ_deleted can be manually deleted in the Microsoft 365 Admin Center if required.

Step 4 (Optional) – Removing the Azure AD Connection

Check for existing UCR variables:

ucr search --brief office365

Unset unnecessary variables:

ucr unset <Variable>

Remove alias connections if configured:

ls -lah /etc/univention-office365
/usr/share/univention-office365/scripts/manage_adconnections remove <AliasConnection>

For details, see:
Problem: Office 365 AADSTS700027 - Certificate with identifier not registered


Notes

  • Always test with a single user before applying changes broadly.
  • Ensure the correct TARGET_ROLE or OU is specified.
  • The UCS connection to Microsoft 365 / OX remains available for other groups.
  • This procedure provides a clean and efficient way to disable M365 and OX access for specific users without disrupting the overall UCS integration.

With this approach, administrators can efficiently disconnect students (or other roles) from Microsoft 365 and OX App Suite by modifying UCS attributes, ensuring a consistent and secure state.