Sync "Account Expired" UserAccountControl to Azure AD (AccountEnabled)
Consider adding support for disabling user accounts in Azure Active Directory when the account is expired in the local Active Directory. Currently you recommend that customers create a PowerShell script that disables user accounts in Active Directory to support this scenario.
I would prefer that a rule be added to Azure Active Directory Connect that automatically changes AccountEnabled to false if the user's account expires in the local Active Directory.
Aaron posted a great workaround solution:
https://blogs.technet.microsoft.com/undocumentedfeatures/2017/09/15/use-aad-connect-to-disable-accounts-with-expired-on-premises-passwords/
We would like something built into Azure AD Connect that solves this out of the box.
We are currently investigating how to implement this. The expiration status is not a directory attribute, so it is not straightforward how to sync it.
22 comments
-
Michael Levine commented
This would be a great option to add. This is a security issue.
-
Anonymous commented
We just had an expired AD user account logging in to AAD and Office 365 just fine... even though the account was expired in AD they could keep using all services in the cloud. This is a severe security breach...
The reality is that AAD Connect and a hybrid setup is still the most common model, so it's surprising to not have anything in place to manage this.
We use Microsoft Defender for Identity (Azure ATP) in our on-prem AD and this does not pick this up either...
-
Anonymous commented
There is no way for Azure AD Connect to read the AccountExpired attribute correctly, and the articles below that describe a potential solution to this problem are wrong:
https://happyts.tech/accountexpiry-step1/
https://myserverissick.com/2019/01/how-to-make-azure-ad-connect-disable-expired-accounts/
We have tested it in my company and yes, it works if you set up an expiry date for an account in the past, but it will not work for accounts that have an expiry date set in the future. This attribute will not change on the day of account expiration, hence AADC will not be able to detect a change.
-
AkosR commented
You can probably have a look at the following workaround:
https://happyts.tech/accountexpiry-step1/
-
Amilcar Gaspar commented
We have the same problem in my company.
When does Microsoft expect to implement "Sync "Account Expired" UserAccountControl to Azure AD"?
-
Shane Foley commented
Hi there (again),
any chance of an update on this - the last entry is "Planned @ Aug 16, 2019".... must be a fairly sizeable plan ;)
Thanks,
Shane.
-
Akos Regi commented
AAD Connect can synchronize changes on objects. If the accountExpires time is reached, there is usually no change on the object itself => there is nothing to synchronize. I think this feedback should be raised with the Windows Directory Services team, asking them to implement an internal AD trigger that disables the account when the accountExpires time is reached...
-
Anonymous commented
https://myserverissick.com/2019/01/how-to-make-azure-ad-connect-disable-expired-accounts/
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
1. Open the Sync Rules Editor and add a new Inbound rule. Give it an appropriate title, and set the precedence to something smaller than 100 so that it is a higher priority than the built-in rules.
2. Click next and create 4 clauses as below.
accountExpires : ISNOTNULL (ignore accounts without an expiry value)
userAccountControl : ISBITNOTSET : 2 (ignore disabled accounts)
accountExpires : GREATERTHAN : 0 (ignore non-expiring accounts)
accountExpires : LESSTHAN : 9223372036854775807 (ignore non-expiring accounts)
3. Click next twice and add a transformation as below.
Expression : accountEnabled : IIF(([accountExpires])<NumFromDate(Now()),False,NULL)
--------------------------------------------------------------------------------------------------------------------------------------------------------------------
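The following Python model is an added example, not code from Microsoft, AAD Connect or any commenter. It reproduces the four scoping clauses and the IIF transformation from the sync rule quoted above, and then demonstrates the limitation Akos Regi describes earlier in the thread: accountExpires is a FILETIME that is written once and never touched again, so a change-driven (delta) sync sees nothing on the day the account expires, while a time-driven sweep that re-evaluates every in-scope object does. The FILETIME epoch and the "never expires" sentinel values are real AD conventions; the user records, timestamps and function names are constructed for the example.

```python
"""Model of the quoted AAD Connect inbound rule and why delta sync misses expiry.

Added example with constructed sample data; not AAD Connect's own code.
"""
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC (real AD convention).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_MAX = 9223372036854775807      # "never expires" sentinel, as in the rule
ADS_UF_ACCOUNTDISABLE = 0x2             # userAccountControl bit 2 (ISBITNOTSET : 2)


def num_from_date(dt):
    """Equivalent of the sync-rule NumFromDate(): aware datetime -> FILETIME ticks."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def date_from_num(ticks):
    """Inverse of num_from_date(), to microsecond precision."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def rule_scope(user):
    """The four scoping clauses of the quoted inbound rule, in order."""
    exp = user.get("accountExpires")
    if exp is None:                                        # accountExpires ISNOTNULL
        return False
    if user["userAccountControl"] & ADS_UF_ACCOUNTDISABLE:  # userAccountControl ISBITNOTSET 2
        return False
    if not (0 < exp < FILETIME_MAX):                       # GREATERTHAN 0, LESSTHAN max
        return False
    return True


def transform_account_enabled(user, now):
    """IIF([accountExpires] < NumFromDate(Now()), False, NULL) for in-scope users."""
    if not rule_scope(user):
        return None
    return False if user["accountExpires"] < num_from_date(now) else None


def delta_sync(users, previous_snapshot, now):
    """Change-driven sync: only objects whose attributes differ from the last
    snapshot are evaluated. An expiry date passing changes nothing, so the
    object is skipped."""
    return {
        name: transform_account_enabled(user, now)
        for name, user in users.items()
        if previous_snapshot.get(name) != user
    }


def scheduled_sweep(users, now):
    """Time-driven evaluation (what the scripted workarounds do): every object
    is re-evaluated against the current clock on each run."""
    return {name: transform_account_enabled(u, now) for name, u in users.items()}


# Constructed sample directory. 0x200 = NORMAL_ACCOUNT, 0x202 = disabled.
def _ft(y, m, d):
    return num_from_date(datetime(y, m, d, tzinfo=timezone.utc))

SAMPLE_USERS = {
    "alice": {"accountExpires": _ft(2024, 1, 10), "userAccountControl": 0x200},  # expires in the future at T0
    "bob":   {"accountExpires": _ft(2023, 12, 1), "userAccountControl": 0x200},  # already expired
    "carol": {"accountExpires": FILETIME_MAX,     "userAccountControl": 0x200},  # never expires
    "dave":  {"accountExpires": _ft(2023, 12, 1), "userAccountControl": 0x202},  # expired but already disabled
    "erin":  {"accountExpires": None,             "userAccountControl": 0x200},  # no expiry value
}
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)    # initial full import
T1 = datetime(2024, 1, 15, tzinfo=timezone.utc)   # alice has expired, nothing in AD changed


if __name__ == "__main__":
    print("full import at T0:", delta_sync(SAMPLE_USERS, {}, T0))
    print("delta sync at T1: ", delta_sync(SAMPLE_USERS, SAMPLE_USERS, T1))
    print("sweep at T1:      ", scheduled_sweep(SAMPLE_USERS, T1))
```

On the first full import the rule correctly flags bob (accountEnabled = False) and leaves alice alone because her expiry is still in the future. Two weeks later the delta sync evaluates nothing at all, since no attribute on alice changed, whereas the sweep flags her. This is why the rule-based workaround only catches accounts whose expiry was already past when the object was last imported, and why the scripted workarounds run on a schedule instead.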
-
Andy Swiffin commented
This and password expiry have been a glaring lack for years now!!
We turn an account expiry into an account disabled using MIM but we shouldn't be having to do this.
-
chirag commented
Yes, I agree that Aaron's workaround is perfect except for one thing, though.
In his script at https://blogs.technet.microsoft.com/undocumentedfeatures/2017/09/15/use-aad-connect-to-disable-accounts-with-expired-on-premises-passwords/
what is that "info" attribute that he is using to differentiate the disabled accounts? I do not see such an "info" attribute in the MS Graph user schema.
-
Anonymous commented
Is there an update on this? We have a fairly active environment and ended up running manual scripts to disable accounts.
-
Sarkis Missakian commented
We are using Pass-Through Authentication in Azure AD Connect, but I can confirm that if a user's account is set to expire, they are still able to access cloud resources (O365) if the session was saved in the browser ("Stay signed in").
Everything I have read says that if Pass-through Authentication is used, this should not happen. I have set Password Hash to disabled; Pass-through is enabled with 3 agents inside our network (on-prem domain-joined servers). If a user is connected directly to the LAN or connected to our VPN, the outcome is as expected. But if a remote user is accessing O365 via web browser with no connection to the VPN, they are still able to access cloud resources in the browser long after the account expired. This only occurs if they have a saved session. If they try to initiate a new session by logging in, it is only then that the expected outcome occurs. They will receive "Your account is temporarily locked out to prevent unauthorized use".
Why is Pass-through Authentication not working for us as expected?
-
We are currently investigating this feature.
-
Simon commented
Another Azure client here, waiting for AD Connect to disable Azure AD accounts once they expire on-prem.
-
Julie commented
Any update on when this will work? Many companies are anxious to have account expiry, account lockout, forced lockout and other on-prem AD attributes sync via AAD Connect to AAD.
-
Steve Whitcher commented
@Rob de Jong - I think you misunderstood the request. This is not about AD password expiration. This is for account expiration -- In on-prem AD, we can set an account to expire on a specified date. After that date, the user would not be able to sign in. When this happens, AzureAD should block sign in for the account as well, just as it does if the on-prem account is disabled.
-
Rob Angell commented
We are trying to move away from AD FS and PTA to reduce reliance on our on-prem environment.
It would be great to get Account Expired synced up and honored in Azure AD via Connect.
-
Rob de Jong (Azure AD IAM) commented
We advise customers who need this functionality today to switch their authentication method to Pass-Through Authentication. This is the only way to enforce that whatever password policies and states exist on-prem will be used to validate a sign-in request in AAD.
There is no plan today to sync password expiration state (or disabled or lockout state, for that matter) from on-premises AD to AAD. Please reach out to me or comment here to let me know if PTA is not a good solution for your customer.
-
Anonymous commented
I too would like a way to EXPIRE the password, not DISABLE the account. Disabling the account is more dangerous and would require administrator/help desk to re-enable the account instead of the password just being expired and the user changing it.
-
Peter Selch Dahl commented
PowerShell script that disables the user's Azure AD account based on expired accounts in Active Directory: