Disabled user in O365 hybrid environment


We have a hybrid deployment with an on-prem mail server with local AD and mailboxes in the cloud, O365 with Azure AD. The sync between local AD and Azure is one-way communication, so every change is done on-prem.

We have an issue where we suspect a former employee may still have had access to receive information, even after his account was deactivated. When I was asked to check whether some access had not been removed, I noticed that even though his AD account is disabled and the O365 login is set to not allowed, he still had an Enterprise Mobility + Security E3 license and Visio Pro; someone must have forgotten to remove them.
On our on-prem mail server the remote mailbox was still active, but since there are no Exchange licenses activated in O365 it had been changed to a MailUser account, still keeping all of its mailbox memberOf entries.

So I wonder how this works with a MailUser account, since there is no mailbox and the "external" address assigned is our company's "domain.mail.onmicrosoft.com".
Will he still be able to access these mailboxes that he is a member of? Or would an Outlook sync setup on a private computer or mobile device still sync mail sent to him for a period?
Or would he not be able to set up anything at all as only a MailUser?

1 Reply
As far as I understand, the user has been disabled in Azure AD. That's enough to block the user - of course, the best practice is to break his sessions in Azure:
Get-AzureADUser -SearchString user@domain.com | Revoke-AzureADUserAllRefreshToken
I really don't think he will be able to do anything if the account is disabled in Azure. I know of some scenarios where the account was removed from AD but, due to a wrong DirSync configuration, was still alive and enabled in the cloud - and that was the real issue. But in your case the user has no access to the cloud resources.
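The reply covers the session-revocation step; the question also asks about leftover licenses and group memberships. The script below is an added example, not code from the thread or from either poster, that turns the whole offboarding check into one audit pass for a directory-synced user: it reports the Azure AD enabled state (which, for a synced object, is authoritative on-prem and cannot be flipped in the cloud), any license SKUs still assigned, and remaining group memberships, optionally compares against the on-prem AD object, and only acts (revoke refresh tokens, strip directly assigned licenses) when -Remediate is given. It assumes the AzureAD PowerShell module is loaded and Connect-AzureAD has already been run; the on-prem part assumes the ActiveDirectory module and domain connectivity. The UPN, parameter names and the $findings structure are this example's own, not from the thread.

```powershell
<#
  Added example, not from the original thread or its author.
  Offboarding audit for a directory-synced user in a hybrid tenant.
  Assumptions: AzureAD module loaded and Connect-AzureAD already run;
  -CheckOnPrem needs the ActiveDirectory module. The UPN is a placeholder.
#>
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,   # e.g. former.user@domain.com (placeholder)
    [switch]$Remediate,     # without this switch the script only reports
    [switch]$CheckOnPrem    # also compare against the on-prem AD object
)

# -ObjectId accepts either the object GUID or the UPN
$user = Get-AzureADUser -ObjectId $UserPrincipalName
$findings = @()

# 1. Sign-in state. For a synced object the cloud flag mirrors the on-prem
#    "Enabled" attribute, so an enabled cloud account means the sync has not
#    caught up yet (or the object is not actually synced).
if ($user.AccountEnabled) { $findings += "Azure AD account is still enabled" }
if ($user.DirSyncEnabled -ne $true) {
    $findings += "Object is not directory-synced; source of authority is the cloud"
}

# 2. Licenses left behind (the EMS E3 / Visio Pro case from the question).
$licenses = @(Get-AzureADUserLicenseDetail -ObjectId $user.ObjectId)
foreach ($l in $licenses) { $findings += "License still assigned: $($l.SkuPartNumber)" }

# 3. Group memberships, which can still grant shared mailbox, Teams or app access.
$groups = Get-AzureADUserMembership -ObjectId $user.ObjectId |
    Where-Object { $_.ObjectType -eq 'Group' }
foreach ($g in $groups) { $findings += "Still member of cloud group: $($g.DisplayName)" }

# 4. Optional on-prem view: the authoritative Enabled flag and memberOf list.
if ($CheckOnPrem) {
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" `
                         -Properties Enabled, MemberOf
    if ($null -eq $adUser) {
        $findings += "No on-prem AD object found for $UserPrincipalName"
    }
    elseif ($adUser.Enabled) {
        $findings += "On-prem AD account is still enabled"
    }
    else {
        foreach ($dn in $adUser.MemberOf) { $findings += "On-prem memberOf: $dn" }
    }
}

# Report
if ($findings.Count -eq 0) {
    Write-Output "No residual access found for $UserPrincipalName"
}
else {
    $findings | ForEach-Object { Write-Output "[FINDING] $_" }
}

if ($Remediate) {
    # Invalidate refresh tokens so cached Outlook / mobile sessions cannot renew.
    Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId
    Write-Output "Refresh tokens revoked for $UserPrincipalName"

    # Remove every directly assigned license. Licenses inherited through
    # group-based licensing must be handled by removing the group membership.
    if ($licenses.Count -gt 0) {
        $change = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
        $change.RemoveLicenses = @($licenses | ForEach-Object { $_.SkuId })
        Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $change
        Write-Output "Removed $($licenses.Count) directly assigned license(s)"
    }
}
```

Run it first without -Remediate to get the findings list, then with -Remediate once the findings match what you expect. Group memberships are only reported, not changed, because removing a user from a group that the on-prem AD owns has to be done on-prem or the next sync cycle will restore it.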