How can we improve Azure Active Directory?

← Azure Active Directory

Sync "Account Expired" UserAccountControl to Azure AD (AccountEnabled)

Consider adding support for disabling user accounts in Azure Active Directory when the account is expired in the local Active Directory. Currently you recommend that customers create a PowerShell script that disable user accounts in Active Directory to support this scenario.

I would prefer that a rule be added to Azure Active Directory Connect that automatically changes AccountEnabled to false, if the users account expires in the local Active Directory.

Aaron posted a great workaround solution:
https://blogs.technet.microsoft.com/undocumentedfeatures/2017/09/15/use-aad-connect-to-disable-accounts-with-expired-on-premises-passwords/

We would like something built-in Active AD Connect that solves this out of the box

182 votes
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Peter Selch Dahl shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

14 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Andy Swiffin commented  ·   ·  Flag as inappropriate

    This and password expiry have been a glaring lack for years now!!

    We turn an account expiry into an account disabled using MIM but we shouldn't be having to do this.

  • chirag commented  ·   ·  Flag as inappropriate

    Yes, I agree that Aaron's work around is perfect except one thing, though.

    In his script at https://blogs.technet.microsoft.com/undocumentedfeatures/2017/09/15/use-aad-connect-to-disable-accounts-with-expired-on-premises-passwords/
    What is that "info" attribute that he is using in differentiating the disabled accounts ?

    I do not see such "info" attribute in the MS-graph user-schema.

  • Anonymous commented  ·   ·  Flag as inappropriate

    Is there an update on this? We have a fairly active environment and ended up running manual scripts to disable accounts.

  • Sarkis Missakian commented  ·   ·  Flag as inappropriate

    We are using Pass-Through Authentication in AzureAD Connect, but I can confirm that if a user's account is set to expire, they are still able to access cloud resources (O365) if the session was saved in the browser. "Stay signed in"

    Everything I have read says that if Pass-through Authentication is used, this should not happen. I have set Password Hash to disabled, Pass-through is enabled with 3 agents inside our network (on-prem domain joined servers) If a user is connected directly to the LAN or connected to our VPN, the outcome is expected. But if a remote user is accessing O365 via web browser with no connection to the VPN, they are still able to access cloud resources in the browser long after the account expired. This only occurs if they have a saved session. If they try to initiate a new session by logging in, it is only then that the expected outcome occurs. They will receive "Your account is temporarily locked out to prevent unauthorized use"

    Why is Pass-through Authentication not working for us as expected?

  • Simon commented  ·   ·  Flag as inappropriate

    Another Azure client here, waiting for AD Connect to disable Azure AD account once they expire on-prem.

  • Julie commented  ·   ·  Flag as inappropriate

    Any update on when this will work? Many companies are anxious to have the sync of account expired, account lockout, forced lockout, other attribute on prem AD to sync via aadconnect to AAD.

  • Steve Whitcher commented  ·   ·  Flag as inappropriate

    @Rob de Jong - I think you misunderstood the request. This is not about AD password expiration. This is for account expiration -- In on-prem AD, we can set an account to expire on a specified date. After that date, the user would not be able to sign in. When this happens, AzureAD should block sign in for the account as well, just as it does if the on-prem account is disabled.

  • Rob Angell commented  ·   ·  Flag as inappropriate

    We are trying to move away from AD FS and PTA to reduce reliance on our on-prem environment.
    It would be great to get Account Expired synced up and honored in Azure AD via Connect.

  • Rob de Jong (Azure AD IAM) commented  ·   ·  Flag as inappropriate

    We advise customer who need this functionality today to switch their authentication method to Pass Thru Authenitcation. This is the only way to enforce that whatever password policies and states exist on prem will be used to validate a sign in request in AAD.
    There is no plan today to sync password expiration state (or disabled or lockout state, for that matter) from on premises AD to AAD>

    Please reach out to me or comment here to let me know if PTA is not a good solution for your customer.

  • Anonymous commented  ·   ·  Flag as inappropriate

    I too would like a way to EXPIRE the password, not DISABLE the account. Disabling the account is more dangerous and would require administrator/help desk to re-enable the account instead of the password just being expired and the user changing it.

  • Peter Selch Dahl commented  ·   ·  Flag as inappropriate

    Some great feedback I got:

    Feedback: An expired account isn't a "real" attribute in AD so Connect by itself cannot do it. That is why PTA was introduced. The only other option for password sync would be to sync the attribute as-is and let Azure AD evaluate the date and not allow sign-in when it has expired.

    Feedback from Andreas!

    @Chun Yong Chua.

Azure Active Directory: Azure AD Connect

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice