Disabled user in O365 hybrid envrionment

Copper Contributor

We have an hybrid deployment with on-prem mailserver with local AD and mailboxes in the cloud, O365 with AzureAD. The sync between local AD and Azure is one-way communication, so every change is done on-prem. 

We have an issue where we suspect a former employee may still have had access to receive information, still after his account has been deactivated. When I was asked to check if some access had not been removed, I noticed that even though his AD account is disabled and the O365 login is set to not allowed. He still had an Enterprice Mobility + Security E3 lisence and Visio Pro, someone must have forgotten to remove. 
On our on-prem mail server the remote mailbox was still active, but since there are no exchange lisences activated in O365 it had been changed to a MailUser account. Still keeping all of it's mailbox memberOf. 

So I wonder how this works with a mailuser account, since there is no mailbox and the "external" address assigned is our company's "domian.mail.onmicrosoft.com" 
Will he still be able to access these mailboxes that he is a member of? Our would Outlook sync setup on private computer or mobile device still sync mail sent to him for a periode still?
Or would he not be able to setup anything only as a mailuser?

1 Reply
As far as I understand, the user has been disabled in Azure AD. That's enough to block the user - of course, the best practice is to break his sessions in Azure:
Get-AzureADUser -SearchString user@domain.com | Revoke-AzureADUserAllRefreshToken
I really don't think he will be able to do anything if the account is disabled in Azure. I know about some scenarios when the account is removed from AD but due to the wrong configuration of the DirSync was still alive and enabled in the cloud - and that was the real issue. But in your case - the user has no access to the cloud resources.