Set an AzureAD account to expire on a specified date
Just like in Active Directory, allow accounts to be set to expire on a specified date. Our company policy is to set network accounts for non-employees (consultants, contractors, temporary employees, interns) to expire at a certain interval after they are created. We want the same functionality within Office 365.
Thank you for letting us know this is important to you. This is something we are considering, but there is no timeline yet. We would love to hear more about the specific scenarios that this is needed for, so keep providing info.
Jim Mendolera commented
This feature is critical to keeping security tight. This was a key tool for contractor accounts.
Perhaps we will receive some good news on the 5th year anniversary of this request?
We need it for NIST 800-171.
Please fix this.
Pretty hard to believe that this necessary piece of account management is not already part of Azure/365.
Allan Binderup commented
I definitely want this. (And quite surprised the feature isn't there already as I have been using this in on-premises AD for years!)
Danny M commented
This would be of significant benefit to my company (a large financial services organisation) as we have AzureAD-only user management and have a significant turnover of contracted workers.
Being able to set these users' accounts to expire on their contract end date (and thus audit who's coming up for their contract end) would be great for us.
Jon Scriven commented
On our internal AD, we use expiry date so that when we create accounts they all expire after a certain amount of time (particularly for volunteer workers and supplier accounts). This means that internally you can't sign in with the account once that date has passed till the expiry date is updated. However, these people are still able to sign in using Azure AD, so it does not have the desired effect. We would like expired accounts in internal AD to be honoured as part of AD Connect sync so that they are expired in Azure AD too.
Michael Nicol commented
This is going to become critical soon. I'm a GCC tenant, and my company is part of the military industrial manufacturing base. Moving forward we will need to be CMMC Level 3 compliant to be able to bid on new government contracts. One of the NIST 800-171 controls, which focuses on identity lifecycle management, stipulates that accounts that have been inactive for xx days must be removed from the system... Please escalate this to be certain that this story makes it on-the-board during your next planning initiative.
a valued Microsoft customer
Please add this feature as soon as possible. It's required!
This is an important and missing security feature! I'd like to see it honor the on prem settings for sync'd accounts and allow an independent property for AAD only accounts.
Ricardo Gamito commented
We need AAD to expire user accounts in the same way that user accounts expire on-premises. A user whose account has expired is unable to access the on-premises systems, but in AAD he is still able to access them.
Luis Sousa commented
It would be great if AADConnect could block the synced account in Azure AD when the "Account Expired Date" is overdue, to ensure the account is in a synced status, not allowing expired accounts to log on to Azure AD.
Amilcar Gaspar commented
Need Azure AD to expire users' accounts in the same way it expires on-premises.
We have expired AD user accounts that are not supposed to continue to have access, but in Azure AD they can still log in.
That is a big problem that seems to be a Microsoft bug.
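Several commenters above describe the same gap: an on-prem expiry date stops on-prem sign-in, but Azure AD Connect does not turn it into a cloud block. The following scheduled-task script is an added example (it is not from this thread or from Microsoft) of one way to close that gap today. It assumes the ActiveDirectory and Microsoft.Graph modules are installed, that Connect-MgGraph has been run with User.Read.All and User.RevokeSessions.All, and that the OU path is a placeholder to be replaced.

```powershell
# Added example, not from this thread or from Microsoft. AD Connect does not
# translate an on-prem accountExpires value into a cloud block, but it does
# sync the enabled flag, so disabling expired accounts on-prem propagates to
# Azure AD on the next sync cycle. Revoking cloud sessions ends tokens that
# were already issued before the sync runs.
# Assumes: ActiveDirectory and Microsoft.Graph modules installed, and
# Connect-MgGraph already run with User.Read.All and User.RevokeSessions.All.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Placeholder OU; point it at the OU that holds contractor/volunteer accounts.
    [string]$SearchBase = 'OU=Contractors,DC=example,DC=com'
)

$now = Get-Date

# AccountExpirationDate is $null when accountExpires is 0 or "never", so only
# enabled accounts with a real expiry date in the past are selected.
$expired = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
               -Properties AccountExpirationDate |
           Where-Object { $_.AccountExpirationDate -and $_.AccountExpirationDate -lt $now }

foreach ($u in $expired) {
    $msg = "Disable on-prem (expired $($u.AccountExpirationDate)) and revoke Azure AD sessions"
    if (-not $PSCmdlet.ShouldProcess($u.UserPrincipalName, $msg)) { continue }

    # Disabling on-prem is the sync-safe way to block the cloud sign-in:
    # Azure AD Connect carries the disabled state to accountEnabled = false.
    Disable-ADAccount -Identity $u

    # Until the next sync the cloud object still holds valid refresh tokens,
    # so revoke them now. Warn if the account is not (yet) synced to Azure AD.
    $cloud = Get-MgUser -Filter "userPrincipalName eq '$($u.UserPrincipalName)'" `
                 -ErrorAction SilentlyContinue
    if ($cloud) {
        Revoke-MgUserSignInSession -UserId $cloud.Id | Out-Null
    } else {
        Write-Warning "No Azure AD object found for $($u.UserPrincipalName)"
    }
}
```

Run it with -WhatIf first to list the accounts it would act on; the ShouldProcess gate makes every change previewable.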
This option (set expiration date) is very, very useful. Please return it in AAD.
I don't understand the need for this feature, i.m.h.o. this would just alleviate a weakness in whatever system or process these accounts are sourced from, which is where the expiration should be managed.
i.e. a contractor should be disabled when the contract ends, IF it ends. The contract isn't specified in AzureAD but in an HR system/process. Most tools support an API or integration which connects to AzureAD.
AzureAD already has access review features for groups and accounts, which also integrates with PowerAutomate.
So, I would argue: fix your process or source system, don't put a band-aid on it using AzureAD account expiration.
Please provide this option in the next update; also, setting a review date like on guest users would be nice.
For service accounts also.
David Chambers commented
I find it incredible that there is no timeline on this and it is only being considered. Along with this is also being able to add a start date from when the account is active. By not having this it creates a situation where you have to run daily tasks to create accounts when you want them active. It would be great if the 'don't allow sign-in' option could be used for this so that accounts can be created prior to the start date but still have good governance by not allowing sign-in before that date.
Why doesn't this already exist in Azure AD when you have it in AD on-prem?
Also, @Azure AD Team, why do you need specific scenarios for this request? They are the same as on-prem.
Same wish here