Sync time for disabled account

Question

question

narayankumargupta asked · Dec 12, 2019 at 11:27 AM

Sync time for disabled account

Hi There,

If I disable any account in on-premises DC, does this syncs immediately like passwords?

If not, how can I make sure it does?

Cheers,
NG

azure-ad-connect

10 |1000 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 1 · 2019-12-12T12:10:56.47Z

michev answered · Dec 12, 2019 at 12:10 PM

No, it syncs like any other attribute, 30 mins by default. You can force a sync as detailed here: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-scheduler#start-the-scheduler

 Start-ADSyncSyncCycle -PolicyType Delta

Share

10 |1000 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 2 · 2019-12-12T13:30:17.267Z

narayankumargupta answered · Dec 12, 2019 at 01:30 PM

Hi @michev.

But this is a security risk, isn't it? If we disable an account and it's still enabled in AzureAD so the leaver can still access the cloud resources especially when we have synced the password.

Cheers,
Narayan

1 Share

10 |1000 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

michev · Dec 12, 2019 at 03:41 PM

Not really, disabling the user doesn't stop access immediately anyway. The user will continue to have access for the validity of the access/refresh token. To speed things up, kill the refresh tokens, remove license and block email protocols.

0 · ·

question