
IanFuchs-5594 asked:

Sync “sign-in blocked”/“account disabled” status from AAD to On-premise AD

We run a hybrid environment with accounts being generated on-premise and synced to AAD for Office365.

We also have Password writeback working to allow password changes from AAD to replicate locally for consistency.

The issue we have is with sign-in blocked/disabled accounts.

If an account is disabled on-premise, the status is synced to AAD to prevent logins, which is the desired result ... BUT if an account is disabled in AAD, the next sync between on-premise and cloud will re-enable the account in AAD, restoring sign-in access for the account.

This poses an issue as we occasionally need to lock down an account (typically a compromised email account, attempting to spam others).

How can the sign-in allowed/blocked status be synced from AAD to on-premise (or bi-directionally)?

azure-active-directory

1 Answer

michev answered:

There is no bi-directional sync, you will have to block in on-premises.


☹️

that’s not the answer I was hoping for...

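Following michev's answer (block on-premises and let sync carry the state to AAD), here is an added example of that procedure as a PowerShell script; it is not from this thread. It assumes the RSAT ActiveDirectory module, the ADSync module on the Azure AD Connect server, the AzureAD module for verification, and a placeholder server name and UPN.

```powershell
# Added example: block sign-in on-premises, push the change to AAD, and verify.
# Server name and UPN below are placeholders, not values from the thread.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,          # e.g. user@example.com (placeholder)
    [string] $AadConnectServer = 'AADCONNECT01.example.local'    # placeholder AAD Connect host
)

Import-Module ActiveDirectory

# 1. Disable the account in on-premises AD. In a hybrid setup this side is
#    authoritative, so the disabled state survives subsequent sync cycles.
$user = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" -Properties Enabled
if (-not $user) { throw "No on-premises user with UPN $UserPrincipalName" }
Disable-ADAccount -Identity $user

# 2. Run a delta sync now instead of waiting for the next scheduled cycle,
#    so the block reaches AAD within minutes.
Invoke-Command -ComputerName $AadConnectServer -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}

# 3. Blocking sign-in does not end sessions that already hold tokens; revoke
#    the user's refresh tokens so a compromised mailbox session cannot continue.
Connect-AzureAD | Out-Null
Revoke-AzureADUserAllRefreshToken -ObjectId $UserPrincipalName

# 4. Confirm AAD now reports the account as blocked (AccountEnabled = $false).
$aadUser = Get-AzureADUser -ObjectId $UserPrincipalName
if ($aadUser.AccountEnabled) {
    Write-Warning "AAD still shows sign-in allowed for $UserPrincipalName; check the sync run"
} else {
    Write-Output "Sign-in blocked for $UserPrincipalName in both on-premises AD and AAD"
}
```

Run it from a workstation with RSAT installed and rights to remote into the AAD Connect server; if you run it on the AAD Connect server itself, the Invoke-Command wrapper can be dropped.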