Forum Discussion

Apr 20, 2017

How to stop disabled user accounts from syncing with Azure AD Connect

Hello again,

I was experimenting these days with Azure AD Connect, the tool that lets you synchronize your on-premises AD accounts to Azure AD. So I thought: what happens when you have some disabled user accounts in your on-premises AD environment? Do you really need them to synchronize?

Probably not.

So we'll see what you have to do in case you don't want to bring your disabled user accounts up to Azure AD.

Please read the rest of the article here.

9 Replies

  • Brian Kronberg
    Copper Contributor

    spanougakis just know that when you do this you will stop syncing all your shared, room, and equipment user accounts/mailboxes. You need to sync some disabled user accounts, so your query should account for those in some way. This is why people usually just exclude an OU and move the users they want kept out of sync into it. A better solution, if your admin team can handle it, is to use attribute filtering, so you don't need to move people between OUs to exclude them from syncing to Azure AD.

    • Aseem_S1450
      Copper Contributor

      Brian Kronberg that's correct! I am looking for some custom AAD rule which hides the non-Exchange users from the GAL instead of putting them in 'Deleted Users'. Any suggestions?

  • JohnGallucci
    Copper Contributor

    Thanks for posting this. I just installed the latest version of Azure AD Connect on Windows Server 2016 and it worked instantly. We have automated disabling our accounts after a certain period of time, so now only active accounts appear in Azure AD, making things easier to manage.

    • AbdulMK
      Copper Contributor
      Hi John, could you please explain the steps you took for the automation, or share any link you followed? Thanks.
  • That one is easy though, I'd love to see more tricky examples published on docs.com or your blog. For example locked out accounts, or expired ones, or similar :)

    • spanougakis
      MCT

      Regarding the expired or locked out accounts, it's already there, if you go through the article:

      "Select useraccountcontrol for the Attribute and then select the ISBITSET operator with a value of 2 (If you want to know what is really this value, take a look here: https://support.microsoft.com/en-us/kb/305144)".

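Putting Brian Kronberg's caveat and the ISBITSET 2 check quoted above together: the following PowerShell is an added example, not code from this thread or from the linked article. It previews which disabled accounts a scoping filter of userAccountControl ISBITSET 2 would drop, flags the disabled accounts that back shared, room and equipment mailboxes (which must keep syncing), and optionally tags the rest for attribute-based filtering instead of OU moves. Assumptions: the ActiveDirectory RSAT module is installed, the SearchBase is a placeholder for your own OU, and the tag relies on the default "In from AD - User Join" rule excluding users whose adminDescription starts with "User_" (verify that rule in your Synchronization Rules Editor before depending on it).

```powershell
# Added example (not from the original thread). Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-DisabledUserSyncReport {
    param(
        # Assumption: replace with the OU / domain you actually sync.
        [string]$SearchBase = 'OU=Users,DC=contoso,DC=com'
    )

    # Bit 2 (0x2) of userAccountControl is ACCOUNTDISABLE (KB 305144). The OID is the LDAP
    # bitwise-AND matching rule, so this filter is the LDAP equivalent of "ISBITSET 2".
    $ldapFilter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))'

    Get-ADUser -LDAPFilter $ldapFilter -SearchBase $SearchBase `
        -Properties userAccountControl, msExchRecipientTypeDetails, mail, adminDescription |
    ForEach-Object {
        # msExchRecipientTypeDetails: 4 = SharedMailbox, 16 = RoomMailbox, 32 = EquipmentMailbox.
        # These AD accounts are disabled by design but must still reach Azure AD / Exchange Online.
        $rtd = [int64]($_.msExchRecipientTypeDetails)   # $null -> 0 for non-Exchange users
        $resourceType = switch ($rtd) {
            4       { 'SharedMailbox' }
            16      { 'RoomMailbox' }
            32      { 'EquipmentMailbox' }
            default { $null }
        }
        [pscustomobject]@{
            SamAccountName   = $_.SamAccountName
            Mail             = $_.mail
            HasMailbox       = ($rtd -ne 0)
            ResourceMailbox  = $resourceType
            # True: a bare "ISBITSET 2" filter would wrongly stop syncing this object.
            MustKeepSyncing  = [bool]$resourceType
            AdminDescription = $_.adminDescription
        }
    }
}

function Set-NoSyncTag {
    # Attribute filtering instead of OU moves. Assumption: the default "In from AD - User Join"
    # scoping filter (adminDescription NOTSTARTWITH "User_") is still in place, so a tagged
    # account stays out of sync wherever it lives in the directory.
    param(
        [Parameter(Mandatory)] [object[]]$Report,
        [string]$Tag = 'User_NoSync',
        [switch]$Commit   # dry run unless -Commit is given
    )
    foreach ($row in ($Report | Where-Object { -not $_.MustKeepSyncing })) {
        Set-ADUser -Identity $row.SamAccountName -Replace @{ adminDescription = $Tag } -WhatIf:(-not $Commit)
    }
}

$report = Get-DisabledUserSyncReport
$report | Sort-Object MustKeepSyncing -Descending | Format-Table -AutoSize
Set-NoSyncTag -Report $report        # add -Commit to write the attribute for real
```

Run the report first and look at the HasMailbox column: a disabled ex-employee with a regular (type 1) mailbox you still need in Exchange Online is not a resource mailbox, so review those rows before committing the tag. If you prefer to stay with a sync rule rather than tagging, the same distinction can be expressed in the rule editor by adding msExchRecipientTypeDetails ISNULL to the same scoping group as userAccountControl ISBITSET 2, so only disabled accounts without any mailbox are filtered.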

      • Aseem_S1450
        Copper Contributor
        This method just puts the user under 'Deleted Users' in O365. This can be achieved by directly putting the user account in a non-sync OU.

        Is there any way we can hide user from GAL without putting them under deleted users? and especially for users with no exchange attributes.
