Sync "Account Expired" UserAccountControl to Azure AD (AccountEnabled)
Consider adding support for disabling user accounts in Azure Active Directory when the account is expired in the local Active Directory. Currently you recommend that customers create a PowerShell script that disables user accounts in Active Directory to support this scenario.
I would prefer that a rule be added to Azure Active Directory Connect that automatically changes AccountEnabled to false if the user's account expires in the local Active Directory.
Aaron posted a great workaround solution:
We would like something built into Active AD Connect that solves this out of the box.
We are currently investigating how to implement this. The expiration status is not a directory attribute so it is not straight forward how to sync it.
Rob de Jong (Azure AD IAM) commented
We advise customers who need this functionality today to switch their authentication method to Pass-through Authentication. This is the only way to enforce that whatever password policies and states exist on prem will be used to validate a sign-in request in AAD.
There is no plan today to sync password expiration state (or disabled or lockout state, for that matter) from on premises AD to AAD.
Please reach out to me or comment here to let me know if PTA is not a good solution for your customer.
I too would like a way to EXPIRE the password, not DISABLE the account. Disabling the account is more dangerous and would require administrator/help desk to re-enable the account instead of the password just being expired and the user changing it.
PowerShell script that disables the user's Azure AD account based on expired accounts in Active Directory:
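The script itself is not reproduced on this page. The following is an added example of the approach described above (the editor's code, not Aaron's posted script and not anything shipped by Microsoft): it finds on-premises accounts whose accountExpires date has passed and sets AccountEnabled to false on the matching Azure AD user. It assumes the ActiveDirectory and AzureAD PowerShell modules are installed, that Connect-AzureAD has already been run, and that the on-premises userPrincipalName equals the Azure AD userPrincipalName (no alternate login ID); the function name Disable-ExpiredAzureADAccounts is the editor's own.

```powershell
<#
  Added example, not from the original post.
  Assumes: ActiveDirectory and AzureAD modules, an existing Connect-AzureAD session,
  and that on-prem UPN == Azure AD UPN (no alternate login ID in Azure AD Connect).
#>
#Requires -Modules ActiveDirectory, AzureAD

function Disable-ExpiredAzureADAccounts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Optional OU distinguished name to scope the search; defaults to the whole domain.
        [string]$SearchBase
    )

    # "Expired" is not a stored attribute. Search-ADAccount -AccountExpired compares
    # accountExpires with the current time and ignores 0 / "never expires" values,
    # so we do not have to interpret the raw FILETIME ourselves.
    $searchParams = @{ AccountExpired = $true; UsersOnly = $true }
    if ($SearchBase) { $searchParams.SearchBase = $SearchBase }

    $expired = Search-ADAccount @searchParams |
        Get-ADUser -Properties userPrincipalName, AccountExpirationDate

    foreach ($adUser in $expired) {
        if (-not $adUser.UserPrincipalName) {
            Write-Warning "Skipping $($adUser.SamAccountName): no UPN to match in Azure AD"
            continue
        }

        # Match the cloud object by UPN (assumption: UPNs are identical on both sides).
        $cloudUser = Get-AzureADUser -ObjectId $adUser.UserPrincipalName -ErrorAction SilentlyContinue
        if (-not $cloudUser) {
            Write-Warning "No Azure AD user found for $($adUser.UserPrincipalName)"
            continue
        }

        # Already disabled in the cloud: nothing to do, keep the log quiet.
        if (-not $cloudUser.AccountEnabled) { continue }

        $reason = "Set AccountEnabled=false (on-prem account expired $($adUser.AccountExpirationDate))"
        if ($PSCmdlet.ShouldProcess($cloudUser.UserPrincipalName, $reason)) {
            Set-AzureADUser -ObjectId $cloudUser.ObjectId -AccountEnabled $false
            Write-Verbose "Disabled $($cloudUser.UserPrincipalName): $reason"
        }
    }
}

# Dry run first to see which accounts would be touched, then run for real:
# Disable-ExpiredAzureADAccounts -WhatIf
# Disable-ExpiredAzureADAccounts -SearchBase 'OU=Staff,DC=corp,DC=example' -Verbose
```

Two caveats a practitioner should keep in mind. First, the script is one-directional: when the expiry date is extended on premises, nothing here re-enables the cloud account, so the help-desk effort described in the comment below applies. Second, disabling the cloud account blocks sign-in but does not revoke tokens already issued; if the expiry is being used as a leaver control, follow up with a separate token revocation for the affected users.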
Some great feedback I got:
Feedback: An expired account isn't a "real" attribute in AD so Connect by itself cannot do it. That is why PTA was introduced. The only other option for password sync would be to sync the attribute as-is and let Azure AD evaluate the date and not allow sign-in when it has expired.
Feedback from Andreas!
@Chun Yong Chua.
Azure = Active :)