Set users status as disabled in Azure AD for account which got expired in on-prem AD when using Password Hash Sync method

Rahul 236

Hi Team,

We are using Password Hash Sync authentication model in AD connect. Since we are using Password Hash Sync we know there's a drawback of it i.e. Account Expired / Password Expired scenarios are not available out of the box.

Let me know if there's a solution within Password Hash Sync method only to set the user status as Disabled if user account expired in on-prem AD. ( Please don't suggest on switching to ADFS or PassThrough Authentication I'm aware of there capabilities)

Any best practices and solution for PassHash Sync method to disable account which got expired in on-premises ?

I have read about EnforceCloudPasswordPolicyForPasswordSyncedUsers feature which is for Password Expiration scenario not for Account Expiration. Reference1 Reference2

Any suggestion on simplest way to achieve the above via AAD Connect Rule ?

James Hamil 21,851 Reputation points Microsoft Employee

2020-11-26T00:45:25.953+00:00

Hi, do you still require assistance? If not, please mark the answer as verified.

Thank you,
James

2 answers

VipulSparsh-MSFT 16,231 Reputation points Microsoft Employee

2020-11-05T09:19:49.153+00:00

@Rahul We already have a uservoice for this particular scenario. You can use it to upvote and share your feedback as well. As a work around you can create a custom PowerShell script which will specifically look for disabled user accounts in local AD and then use that information to change the status on AAD.

You can use the information on this article to create a similar use case for disabled account. The article talks about expired password but we can use the idea for disabled accounts as well. If that does not help, any custom PowerShell script would do the job for you as unfortunately there is no direct built in way of doing it right now.

-----------------------------------------------------------------------------------------------------------------

If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Serugo Kenneth 1 Reputation point

2021-03-19T15:48:29.553+00:00

We currently implemented this in our environment.

We used Azure Connect Rules Editor using following the steps below

https://myserverissick.com/2019/01/how-to-make-azure-ad-connect-disable-expired-accounts/
Please sign in to rate this answer.
NickC 1 Reputation point

2021-06-10T11:58:34.687+00:00

Hi seruken - just so you know I'm the author of the article you linked (thanks for that!) and I've just updated it to mention that if you use my method you also have to run a regular full sync for it to work properly - I simply scripted a "Start-ADSyncSyncCycle -PolicyType:Initial" so it runs every month which was enough for my uses.

B Fox 1 Reputation point

2021-07-23T19:23:47.46+00:00

Does this method re-enable accounts when the expire date is changed? I have users that regularly expire on July 1 every year. Once they submit their form to HR their expire date gets pushed out another year. I'm wondering if the date passes and these accounts expire and are disabled via this rule, would they get re-enabled when the date is moved to the future?

I did see the comment below saying I have to run a full sync to get this working which is fine with me.

NickC 1 Reputation point

2021-07-23T19:56:43.853+00:00

Sure if the expiry date changes then AADC will see it as a change to an attribute and re-calculate the effects of the rule against that user, and if the expiry is changing to a date in the future then the account will get re-enabled as you're probably hoping for. But yeah you'd still have to actually run a full sync if you want the accounts to actually get disabled of course.

Mukesh Pawar 1 Reputation point

2022-01-19T16:29:21.113+00:00

Hi Seruken, needscoffee.

I am facing the same issue.
The link is not working https://myserverissick.com/2019/01/how-to-make-azure-ad-connect-disable-expired-accounts/
Is there any other link to access the solution.

Regards,
Mukesh

B Fox 1 Reputation point

2022-01-19T16:34:02.047+00:00

Try this one from the internet archive.

https://web.archive.org/web/20210206081439/https://myserverissick.com/2019/01/how-to-make-azure-ad-connect-disable-expired-accounts/

Mukesh Pawar 1 Reputation point

2022-01-20T14:08:33.773+00:00

Thanks

Jeremy Bradshaw 31 Reputation points

2022-04-07T15:37:46.4+00:00

Regarding the Full Sync part of your comment, is that just a one time thing for existing expired accounts, or does that custom sync rule require Full Sync every/any time we want to disable expired accounts? In other words, will Delta Sync be fine for the go-forward, net-newly expired accounts?

Edit: I had the necessary epiphany. I'm leaving my comment rather than deleting in case it helps anyone else.

The reason we need to do the Full/Initial sync type even on a go-forward basis is that the AccountExpires property is generaly going to be set in advance, but when the date comes, nothing on the account itself changes, and therefore there is nothing triggered in AAD Connect, so no changes to be included in a Delta Sync.

The only scenario I can think of where a Delta Sync would work is if we pseudo-disable an account by setting it's expiry date to some past date. The act of making the change on the account would trigger inclusion in the next Delta Sync, and as long as the date lines up with the custom sync rule's logic, the AAD account should become disabled. But otherwise, we'd need to do periodic Full/Initial Sync's to capture all the accounts that have reached their expiration dates since the last Full/Initial Sync.

B Fox 1 Reputation point

2022-04-07T15:45:52.877+00:00

You have to run a full sync every time for these changes to work. I have a full sync scheduled to run twice per day. If you are trying to change something on the fly you will have to manually trigger the sync.

Start-ADSyncSyncCycle -PolicyType Full

Peter Russell 1 Reputation point

2023-08-14T01:14:27.1833333+00:00

Has the issue described by Jeremy Bradshaw been addresses in anyway? Or do we still need to run the Initial instead of the Delta sync? Is there an official Microsoft approach to this yet?
Sign in to comment