We are currently investigating how to implement this. The expiration status is not a directory attribute so it is not straightforward how to sync it.

Sarkis Missakian commented
We are using Pass-Through Authentication in Azure AD Connect, but I can confirm that if a user's account is set to expire, they are still able to access cloud resources (O365) if the session was saved in the browser ("Stay signed in").
Everything I have read says that if Pass-through Authentication is used, this should not happen. I have set Password Hash to disabled; Pass-through is enabled with 3 agents inside our network (on-prem domain-joined servers). If a user is connected directly to the LAN or connected to our VPN, the outcome is expected. But if a remote user is accessing O365 via web browser with no connection to the VPN, they are still able to access cloud resources in the browser long after the account expired. This only occurs if they have a saved session. If they try to initiate a new session by logging in, it is only then that the expected outcome occurs. They will receive "Your account is temporarily locked out to prevent unauthorized use".
Why is Pass-through Authentication not working for us as expected?
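One way to close the gap described above while the sync feature is pending, as an added example that is not code from this thread or from Microsoft: a scheduled task that finds on-prem accounts whose expiration date has passed and revokes their cloud refresh tokens, so the saved "Stay signed in" session has to re-authenticate and PTA then sees the expired account. It assumes the ActiveDirectory and Microsoft.Graph PowerShell modules, a matching on-prem and cloud UPN, and a Graph sign-in holding User.RevokeSessions.All.

```powershell
# Added example (not from this thread). Assumes the ActiveDirectory and
# Microsoft.Graph PowerShell modules are installed, that the on-prem UPN
# matches the cloud UPN (the usual Azure AD Connect setup), and that the
# Graph sign-in holds the User.RevokeSessions.All scope.
# Revoking refresh tokens forces the saved browser session to re-authenticate,
# which is the point at which Pass-through Authentication checks the on-prem
# account. Access tokens already issued stay valid until they expire (roughly
# an hour), so this bounds the exposure rather than ending it instantly.

param(
    [switch]$WhatIf   # report only, revoke nothing
)

Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions

Connect-MgGraph -Scopes "User.RevokeSessions.All" -NoWelcome

# User accounts whose accountExpires date has already passed.
$expired = Search-ADAccount -AccountExpired -UsersOnly

foreach ($acct in $expired) {
    if (-not $acct.UserPrincipalName) { continue }   # no UPN, cannot match to cloud

    try {
        $cloud = Get-MgUser -UserId $acct.UserPrincipalName `
                            -Property Id,UserPrincipalName -ErrorAction Stop
    } catch {
        Write-Warning "No cloud object for $($acct.UserPrincipalName) (not synced?)"
        continue
    }

    if ($WhatIf) {
        Write-Output "Would revoke sessions for $($cloud.UserPrincipalName) (expired $($acct.AccountExpirationDate))"
        continue
    }

    # Invalidates every refresh token and session cookie for the user.
    $null = Revoke-MgUserSignInSession -UserId $cloud.Id
    Write-Output "Revoked sessions for $($cloud.UserPrincipalName) (expired $($acct.AccountExpirationDate))"
}
```

Run it with `-WhatIf` first to confirm the expired list is what you expect, then schedule it to run more often than your access-token lifetime.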