Rahul-7230 asked (edited by JeremyTBradshaw)

Set user status as disabled in Azure AD for accounts that expired in on-prem AD when using the Password Hash Sync method

Hi Team,

We are using the Password Hash Sync authentication model in AD Connect. Since we are using Password Hash Sync, we know there's a drawback to it, i.e. Account Expired / Password Expired scenarios are not available out of the box.

Let me know if there's a solution within the Password Hash Sync method only to set the user status as Disabled if the user account expired in on-prem AD. (Please don't suggest switching to ADFS or Pass-Through Authentication; I'm aware of their capabilities.)

Any best practices and solutions for the Password Hash Sync method to disable accounts which expired on-premises?

I have read about the EnforceCloudPasswordPolicyForPasswordSyncedUsers feature, which is for the Password Expiration scenario, not Account Expiration. Reference1 Reference2

Any suggestion on the simplest way to achieve the above via an AAD Connect rule?


Tags: azure-active-directory, azure-ad-connect, azure-ad-password-hash-sync

Hi, do you still require assistance? If not, please mark the answer as verified.

Thank you,
James

vipulsparsh-MSFT answered

@Rahul-7230 We already have a UserVoice for this particular scenario. You can use it to upvote and share your feedback as well. As a workaround, you can create a custom PowerShell script which will specifically look for disabled user accounts in local AD and then use that information to change the status in AAD.

You can use the information on this article to create a similar use case for disabled account. The article talks about expired password but we can use the idea for disabled accounts as well. If that does not help, any custom PowerShell script would do the job for you as unfortunately there is no direct built in way of doing it right now.


If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.


seruken answered (edited by JeremyTBradshaw)

We currently implemented this in our environment.

We used the Azure AD Connect Rules Editor, following the steps below:

https://myserverissick.com/2019/01/how-to-make-azure-ad-connect-disable-expired-accounts/


Hi seruken - just so you know, I'm the author of the article you linked (thanks for that!) and I've just updated it to mention that if you use my method you also have to run a regular full sync for it to work properly - I simply scripted a "Start-ADSyncSyncCycle -PolicyType:Initial" so it runs every month, which was enough for my uses.


Does this method re-enable accounts when the expire date is changed? I have users that regularly expire on July 1 every year. Once they submit their form to HR their expire date gets pushed out another year. I'm wondering if the date passes and these accounts expire and are disabled via this rule, would they get re-enabled when the date is moved to the future?

I did see the comment below saying I have to run a full sync to get this working which is fine with me.


Sure, if the expiry date changes then AADC will see it as a change to an attribute and re-calculate the effects of the rule against that user, and if the expiry is changing to a date in the future then the account will get re-enabled, as you're probably hoping for. But yeah, you'd still have to actually run a full sync if you want the accounts to actually get disabled, of course.


Regarding the Full Sync part of your comment, is that just a one time thing for existing expired accounts, or does that custom sync rule require Full Sync every/any time we want to disable expired accounts? In other words, will Delta Sync be fine for the go-forward, net-newly expired accounts?

Edit: I had the necessary epiphany. I'm leaving my comment rather than deleting in case it helps anyone else.

The reason we need to do the Full/Initial sync type even on a go-forward basis is that the AccountExpires property is generally going to be set in advance, but when the date comes, nothing on the account itself changes, and therefore there is nothing triggered in AAD Connect, so no changes to be included in a Delta Sync.

The only scenario I can think of where a Delta Sync would work is if we pseudo-disable an account by setting its expiry date to some past date. The act of making the change on the account would trigger inclusion in the next Delta Sync, and as long as the date lines up with the custom sync rule's logic, the AAD account should become disabled. But otherwise, we'd need to do periodic Full/Initial Syncs to capture all the accounts that have reached their expiration dates since the last Full/Initial Sync.

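As an added example (not code from the thread or from the linked article), here is the scheduled PowerShell script that vipulsparsh-MSFT's workaround and the Delta Sync observation above suggest: rather than waiting for a Full Sync to notice a silently passed accountExpires date, it disables the expired on-prem account itself, which changes userAccountControl and so flows to accountEnabled through the default AAD Connect rule on the next Delta Sync. The OU, log path and schedule are assumptions; it needs the RSAT ActiveDirectory module.

```powershell
# Added example, not code from the thread or the linked article.
# Finds on-prem AD users whose accountExpires date has passed but that are
# still enabled, logs them and disables them. Disabling sets the
# ACCOUNTDISABLE bit (0x2) in userAccountControl, which the default AAD
# Connect accountEnabled rule flows to the cloud object, so the next Delta
# Sync disables the Azure AD account without a Full Sync.
# Assumptions: RSAT ActiveDirectory module, a scheduled task that runs this
# at least daily, and the placeholder OU / log path below.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Users,DC=contoso,DC=com',            # placeholder
    [string]$LogPath    = "$env:ProgramData\ExpiredAccountSync.log" # placeholder
)

function Get-ExpiredEnabledADUser {
    param([string]$SearchBase)
    # accountExpires is a FILETIME (100 ns ticks since 1601-01-01 UTC).
    # 0 and Int64.MaxValue both mean "never expires"; the >=1 / <=now
    # range excludes both, and the LDAP bitwise-AND matching rule
    # (1.2.840.113556.1.4.803) excludes accounts already disabled.
    $nowFt  = (Get-Date).ToFileTimeUtc()
    $filter = "(&(accountExpires>=1)(accountExpires<=$nowFt)" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
    Get-ADUser -SearchBase $SearchBase -LDAPFilter $filter `
        -Properties accountExpires, userPrincipalName |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            UserPrincipalName = $_.UserPrincipalName
            ExpiredOn         = [DateTime]::FromFileTimeUtc($_.accountExpires)
        }
    }
}

foreach ($u in Get-ExpiredEnabledADUser -SearchBase $SearchBase) {
    $entry = '{0:u} user={1} expired={2:u}' -f (Get-Date), $u.UserPrincipalName, $u.ExpiredOn
    # ShouldProcess honours -WhatIf / -Confirm, so a dry run only logs.
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Disable expired account')) {
        Disable-ADAccount -Identity $u.SamAccountName
        Add-Content -Path $LogPath -Value "$entry action=disabled"
    }
    else {
        Add-Content -Path $LogPath -Value "$entry action=whatif"
    }
}
```

Run it once with -WhatIf and review the log before scheduling it, and confirm after the following Delta Sync that the matching Azure AD users show accountEnabled = False.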

Hi Seruken, needscoffee.

I am facing the same issue.
The link is not working: https://myserverissick.com/2019/01/how-to-make-azure-ad-connect-disable-expired-accounts/
Is there any other link to access the solution?

Regards,
Mukesh
