Sync "Account Expired" UserAccountControl to Azure AD (AccountEnabled)
Consider adding support for disabling user accounts in Azure Active Directory when the account is expired in the local Active Directory. Currently you recommend that customers create a PowerShell script that disables user accounts in Active Directory to support this scenario.
I would prefer that a rule be added to Azure Active Directory Connect that automatically changes AccountEnabled to false if the user's account expires in the local Active Directory.
Aaron posted a great workaround solution:
We would like something built into Active AD Connect that solves this out of the box.
We are currently investigating how to implement this. The expiration status is not a directory attribute so it is not straight forward how to sync it.
Yes, I agree that Aaron's workaround is perfect, except for one thing, though.
In his script at https://blogs.technet.microsoft.com/undocumentedfeatures/2017/09/15/use-aad-connect-to-disable-accounts-with-expired-on-premises-passwords/
What is that "info" attribute that he is using to differentiate the disabled accounts?
I do not see such an "info" attribute in the MS Graph user schema.
Is there an update on this? We have a fairly active environment and ended up running manual scripts to disable accounts.
Sarkis Missakian commented
We are using Pass-Through Authentication in AzureAD Connect, but I can confirm that if a user's account is set to expire, they are still able to access cloud resources (O365) if the session was saved in the browser ("Stay signed in").
Everything I have read says that if Pass-through Authentication is used, this should not happen. I have set Password Hash to disabled; Pass-through is enabled with 3 agents inside our network (on-prem domain-joined servers). If a user is connected directly to the LAN or connected to our VPN, the outcome is as expected. But if a remote user is accessing O365 via web browser with no connection to the VPN, they are still able to access cloud resources in the browser long after the account expired. This only occurs if they have a saved session. If they try to initiate a new session by logging in, it is only then that the expected outcome occurs. They will receive "Your account is temporarily locked out to prevent unauthorized use".
Why is Pass-through Authentication not working for us as expected?
We are currently investigating this feature.
Another Azure client here, waiting for AD Connect to disable Azure AD account once they expire on-prem.
Any update on when this will work? Many companies are anxious to have account expiration, account lockout, forced lockout and other on-prem AD attributes sync via AAD Connect to AAD.
Steve Whitcher commented
@Rob de Jong - I think you misunderstood the request. This is not about AD password expiration. This is for account expiration -- In on-prem AD, we can set an account to expire on a specified date. After that date, the user would not be able to sign in. When this happens, AzureAD should block sign in for the account as well, just as it does if the on-prem account is disabled.
Rob Angell commented
We are trying to move away from AD FS and PTA to reduce reliance on our on-prem environment.
It would be great to get Account Expired synced up and honored in Azure AD via Connect.
Rob de Jong (Azure AD IAM) commented
We advise customers who need this functionality today to switch their authentication method to Pass-Through Authentication. This is the only way to enforce that whatever password policies and states exist on-prem will be used to validate a sign-in request in AAD.
There is no plan today to sync password expiration state (or disabled or lockout state, for that matter) from on-premises AD to AAD.
Please reach out to me or comment here to let me know if PTA is not a good solution for your customer.
I too would like a way to EXPIRE the password, not DISABLE the account. Disabling the account is more dangerous and would require an administrator/help desk to re-enable the account, instead of the password just being expired and the user changing it.
PowerShell script that disables the user's Azure AD account based on expired accounts in Active Directory:
Some great feedback I got:
Feedback: An expired account isn't a "real" attribute in AD so Connect by itself cannot do it. That is why PTA was introduced. The only other option for password sync would be to sync the attribute as-is and let Azure AD evaluate the date and not allow sign-in when it has expired.
Feedback from Andreas!
@Chun Yong Chua.
Azure = Active :)
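The thread above mentions a PowerShell workaround that blocks the Azure AD account when the on-prem account has expired, and the feedback notes that "expired" is not a real attribute but a state evaluated from the accountExpires date. The script below is an added example written for this page; it is not Aaron's script, not the script referenced in the comment above, and not anything shipped with Azure AD Connect. It lets `Search-ADAccount -AccountExpired` do the date evaluation on-prem, then blocks the matching cloud user through Microsoft Graph and revokes that user's refresh tokens, which is the part that addresses the saved-browser-session behaviour described in the thread. Assumptions: the ActiveDirectory and Microsoft.Graph.Users / Microsoft.Graph.Users.Actions modules are installed, the UPN is identical on both sides, the `$SearchBase` value is a placeholder for your own OU, and the tenant allows accountEnabled to be updated on a synced user (a later change to the on-prem userAccountControl will be re-exported by Connect and can overwrite the cloud value, which is exactly the limitation the feature request is about).

```powershell
# Added example for this thread (not Aaron's script, not Microsoft code).
# Blocks Azure AD sign-in for users whose on-prem AD account has expired and
# revokes their existing sessions. Run with -WhatIf first to see what it would do.
#Requires -Modules ActiveDirectory, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions
[CmdletBinding(SupportsShouldProcess)]
param(
    # Placeholder OU; replace with the container that holds your synced users.
    [string]$SearchBase = 'OU=Users,DC=contoso,DC=example',
    [string]$LogPath    = "$env:TEMP\expired-account-sync.log"
)

# User.ReadWrite.All is needed to flip accountEnabled and to revoke sessions.
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

# accountExpires is a FILETIME; 0 and 0x7FFFFFFFFFFFFFFF mean "never expires".
# Search-ADAccount -AccountExpired compares that value with the current time for us,
# which is the "evaluate the date" step the feedback in the thread describes.
$expired = Search-ADAccount -AccountExpired -UsersOnly -SearchBase $SearchBase |
    Where-Object { $_.Enabled -and $_.UserPrincipalName }

foreach ($adUser in $expired) {
    $upn = $adUser.UserPrincipalName
    # Escape a single quote so the OData filter stays well-formed.
    $filterUpn = $upn.Replace("'", "''")

    $cloudUser = Get-MgUser -Filter "userPrincipalName eq '$filterUpn'" `
        -Property Id, AccountEnabled, OnPremisesSyncEnabled -ErrorAction SilentlyContinue

    if (-not $cloudUser) {
        Write-Warning "No Azure AD user found for $upn; skipping."
        continue
    }
    if (-not $cloudUser.AccountEnabled) {
        Write-Verbose "$upn is already blocked in Azure AD."
        continue
    }

    if ($PSCmdlet.ShouldProcess($upn, 'Set accountEnabled=false and revoke sessions in Azure AD')) {
        Update-MgUser -UserId $cloudUser.Id -AccountEnabled:$false
        # Blocking sign-in alone leaves existing refresh tokens valid; revoking them
        # forces saved browser sessions to re-authenticate, where the block applies.
        Revoke-MgUserSignInSession -UserId $cloudUser.Id | Out-Null
        "$(Get-Date -Format o) blocked $upn (expired on-prem $($adUser.AccountExpirationDate))" |
            Add-Content -Path $LogPath
    }
}
```

Run it on a schedule that is at least as frequent as your Connect sync cycle, and keep the log so the help desk can see why an account was blocked; because the cloud value is not the source of authority for a synced user, re-enabling should be done on-prem (by clearing or extending accountExpires), not in the portal.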