Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

How to stop disabled user accounts from syncing with Azure AD Connect

Brass Contributor

Hello again,

 

I was experimenting these days using Azure AD Connect, the tool that let's you synchronize your on-premises AD accounts to Azure AD. So I thought: what happens when you have some disabled user accounts in your on-premises AD environment? Do you really need them to synchronize?

 

Probably not.

 

So we'll see what you have to do in case you don't want to bring up to Azure AD your disabled user accounts.

 

Please read the rest of the article here.

8 Replies

That one is easy though, I'd love to see more tricky examples published on docs.com or your blog. For example locked out accounts, or expired ones, or similar :)

Regarding the expired or locked out accounts, it's already there, if you go through the article:

"Select useraccountcontrol for the Attribute and then select the ISBITSET operator with a value of 2 (If you want to know what is really this value, take a look here: https://support.microsoft.com/en-us/kb/305144)".

 

 

Thanks for posting this. I just installed the latest version of Azure AD Connect on Windows Server 2016 and it worked instantly. We have automated automatically disabling our accounts after a certain period of time so now only active accounts appear in Azure AD making things easier to manage.

@Chris Spanougakis I have done as per your write up but I still see the disabled account online. 

This method just putting the user under 'deleted users' in O365. this can be achieved by directly putting the user account in non-sync OU.

Is there any way we can hide user from GAL without putting them under deleted users? and especially for users with no exchange attributes.

@Chris Spanougakis just know that when you do this you will stop syncing all your shared, room, and equipment user accounts/mailboxes.  You need to sync some disabled user accounts so your query should account for those in some way.  This is why people usually just exclude an OU where you move your users to exclude them from sync.  A better solution, if your admin team can handle it, is to use attribute filtering so you don't need to move people between OUs to exclude them from syncing to Azure AD.

@Brian Kronberg  that’s correct! I am looking for some custom AAD rule which hide the non-exchange users from GAL instead of putting them in ‘Deleted Users’. Any suggestions? 

Hi John could you please explain the steps you took for automation or any link which you followed thanks