AD Account Status & Azure AD Connect Sync – expired accounts

I was asked to perform some testing on the status of local AD user accounts vs. the status of synched Azure AD accounts.

Setup

  • Local Active Directory (single forest, single domain) – Windows 2012 R2 DCs.
  • Azure AD Connect (v1.1.614.0).  Password Synchronisation & SSO.

Findings

User accounts are created in Azure AD regardless of the local AD account status (e.g. disabled, expired, hidden from Exchange address lists).

Sign-in to Office 365 or other services that authenticate against Azure AD is denied if the local AD account status is disabled or has the ‘User must change password at next logon’ flag set.  If a disabled account is re-enabled, or the user changes their password to clear the ‘User must change password at next logon’ flag, these are synched to Azure AD (by default every 30 minutes), and sign-in is allowed.

[Screenshot: X500 Azure AD Sync - Disabled]

When a local AD account expires (i.e. the expiry date set on the local AD account is reached), the user can still sign in to Office 365 or other services that authenticate against Azure AD.  I wasn’t expecting this outcome; this is not good, especially in an organisation with a high turnover of temporary personnel on fixed-term contracts.

[Screenshot: X500 Azure AD Sync - Expired]

When a local AD account is deleted, it is removed from Azure AD, and users cannot sign-in.

Expired Accounts

So a user whose account has expired will still be able to log in to Office 365 and other services that authenticate against Azure AD.

I tried creating a custom sync rule in Azure AD Connect to filter out users with expired accounts, filtering on accountExpires (attribute-based filtering) with a date function.  However, this returned unexpected results unless a full synchronisation is run every time.

The solution is to look for expired AD accounts, and set them to disabled.  The following one-liner PowerShell command does the trick:

Search-ADAccount -AccountExpired -UsersOnly | Where-Object {$_.Enabled} | Disable-ADAccount
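An added example (not from the original post) that wraps the one-liner above in a script suitable for a scheduled task: it supports a -WhatIf dry run, optionally scopes the search to one OU, and logs each account it disables so the change is auditable. It assumes the RSAT ActiveDirectory module and rights to disable users; the $SearchBase and $LogPath values are placeholders.

```powershell
# Disable expired-but-still-enabled AD user accounts so the disabled state
# is synched to Azure AD and sign-in is blocked. Added example, not the
# original post's code. Run with -WhatIf first to review the candidates.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = $null,                       # optional OU DN (placeholder)
    [string]$LogPath = 'C:\Logs\Expired-Accounts.log'  # placeholder log path
)

Import-Module ActiveDirectory -ErrorAction Stop

# -AccountExpired returns users whose accountExpires date has passed;
# -UsersOnly excludes computer objects and managed service accounts.
$searchParams = @{ AccountExpired = $true; UsersOnly = $true }
if ($SearchBase) { $searchParams['SearchBase'] = $SearchBase }

# Only enabled accounts matter: Azure AD Connect does not turn an expiry
# into a blocked sign-in, but it does synch the disabled flag.
$expired = Search-ADAccount @searchParams |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties AccountExpirationDate

$disabled = 0
foreach ($user in $expired) {
    $line = '{0} {1} expired {2:yyyy-MM-dd} - disabled' -f (Get-Date -Format s),
        $user.SamAccountName, $user.AccountExpirationDate

    # ShouldProcess honours -WhatIf / -Confirm passed to the script.
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Disable-ADAccount')) {
        Disable-ADAccount -Identity $user
        Add-Content -Path $LogPath -Value $line
        $disabled++
    }
}

'Found {0} expired enabled account(s); disabled {1}.' -f @($expired).Count, $disabled
```

The disabled state reaches Azure AD on the next delta sync (every 30 minutes by default), so allow for that window when verifying sign-in is blocked.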

Test Steps

User: ADTestUser1@x500.co.uk

Initial creation status: 
‘User must change password at next logon’ enabled.
Azure AD: synced OK [Expected]
Sign-in status: Sign-in allowed [Expected]
Sign-into Office 365 test: not allowed (“we don’t recognize this user ID or password”) [Expected]

Modification: cleared ‘User must change password at next logon’ flag.

Picked up in next Azure AD Sync (every 30 mins).

Sign-into Office 365 test: accessible [Expected]

User: ADTestUser2@x500.co.uk

Initial creation status: account is disabled.
Azure AD: synched OK [Expected]
Sign-in status: Sign-in blocked [Expected]
Sign-into Office 365 test: not allowed (“we don’t recognize this user ID or password”) [Expected]

Modification: removed ‘disabled’ flag.

Picked up in next Azure AD Sync (every 30 mins).

Sign-in status: Sign-in allowed [Expected]
Sign-into Office 365 test: accessible [Expected]

User: ADTestUser3@x500.co.uk

Initial creation status: hidden from Exchange Address Lists.
Azure AD: synched OK [Expected]
Sign-in status: Sign-in allowed [Expected]
Sign-into Office 365 test: accessible [Expected]

User: ADTestUser4@x500.co.uk

Initial creation status: account expires flag set to 25th September 2017.
Azure AD: synched OK.
Sign-in status: Sign-in allowed [Not Expected]
Sign-into Office 365 test: accessible [Not Expected]

Modification: account disabled.

Picked up in next Azure AD Sync (every 30 mins).

Sign-in status: Sign-in blocked [Expected]
Sign-into Office 365 test: not allowed (“Your account has been locked”) [Expected]

Modification: unlocked account, set expiry to 26th September 2017.

Picked up in next Azure AD Sync (every 30 mins).

Sign-in status: Sign-in allowed [Expected]
Sign-into Office 365 test: accessible [Expected]

Modification: account disabled.

Picked up in next Azure AD Sync (every 30 mins).

Sign-in status: Sign-in blocked [Expected]

Modification: deleted from AD.

Deleted status in Azure AD.
Cannot sign in [Expected] 
