cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

disabled on premise AD Account - Consequences for M365 Mailbox\OneDrive data

Rudi77
Copper Contributor

‎May 13 2020 09:25 AM - last edited on ‎Feb 01 2023 02:08 PM by

‎May 13 2020 09:25 AM - last edited on ‎Feb 01 2023 02:08 PM by

disabled on premise AD Account - Consequences for M365 Mailbox\OneDrive data

Hi All

We're about to go through the migration process for on premise mailboxes and home drives to M365 Exchange online and OneDrive.
We have on premise AD which will remain in place which is synchronising to Azure AD.


The Sys Admins have an existing User account tidy up\deletion process of checking last log on date, disabling the AD account and moving it to a disabled user OU - Fairly standard for most on-prem businesses.

However if we have migrated a User's mailbox and OneDrive to M365, disabled the on-prem AD account and then moved it to an OU that isnt synchronised with Azure AD, what happens to that Users M365 data? 

 

I'm thinking of ways to mitigate against loss of data and ensuring if we want to delete mailboxes\OneDrive that is done in a controlled manner.

 

Maybe we should at least sync the disabled users OU with Azure and then go through the offboarding process within M365 to archive mailboxes\OneDrive?

 

Thanks

34.2K Views
0 Likes
4 Replies
Reply
4 Replies
best response confirmed by Rudi77 (Copper Contributor)
PeterRising

‎May 13 2020 11:08 AM - edited ‎May 13 2020 11:11 AM

‎May 13 2020 11:08 AM - edited ‎May 13 2020 11:11 AM

Solution

Re: disabled on premise AD Account - Consequences for M365 Mailbox\OneDrive data

@Rudi77 

 

OK, if you disable an AD user which is synced to O365, the O365 user will then be blocked from signing in too.

 

If you sync an AD account to O365, then move the AD account to an OU which is not synced, the O365 account will be deleted on the next scheduled sync pass.  The result of this is that the O365 account will be moved from the Active Users folder to the Deleted Users folder.  It will remain recoverable for 30 days, then it will be permanently purged and not recoverable.

 

So no, neither of these are options for you i'm afraid.

 

If you sync the disabled users OU, then the O365 user will not be deleted at the next sync,  but would of course still be blocked from signing in.

1 Like
Reply
Smith_J

‎May 15 2020 03:16 AM

‎May 15 2020 03:16 AM

Re: disabled on premise AD Account - Consequences for M365 Mailbox\OneDrive data

To remove an employee:

In the admin center, go to the Users > Active users page.

Select the box next to the user's name, and then select Reset password

Enter a new password, and then select Reset. (Don't send it to them.)

Select the user's name to go to their properties pane, and on the OneDrive tab, select Initiate sign-out.

1 Like
Reply
SystemEngineer

‎May 22 2022 09:03 PM

‎May 22 2022 09:03 PM

Re: disabled on premise AD Account - Consequences for M365 Mailbox\OneDrive data

@PeterRising,

Will the license be returned back to the pool when the user is in the soft-deleted / inactive state?

0 Likes
Reply
Raymond_666

‎May 23 2022 11:15 AM

‎May 23 2022 11:15 AM

Re: disabled on premise AD Account - Consequences for M365 Mailbox\OneDrive data

I think not.
However, if you license users through a dynamic group, you can add "AccountEnabled" as a requirement.
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by Rudi77 (Copper Contributor)
PeterRising

‎May 13 2020 11:08 AM - edited ‎May 13 2020 11:11 AM

‎May 13 2020 11:08 AM - edited ‎May 13 2020 11:11 AM

Solution

Re: disabled on premise AD Account - Consequences for M365 Mailbox\OneDrive data

@Rudi77 

 

OK, if you disable an AD user which is synced to O365, the O365 user will then be blocked from signing in too.

 

If you sync an AD account to O365, then move the AD account to an OU which is not synced, the O365 account will be deleted on the next scheduled sync pass.  The result of this is that the O365 account will be moved from the Active Users folder to the Deleted Users folder.  It will remain recoverable for 30 days, then it will be permanently purged and not recoverable.

 

So no, neither of these are options for you i'm afraid.

 

If you sync the disabled users OU, then the O365 user will not be deleted at the next sync,  but would of course still be blocked from signing in.

View solution in original post

1 Like
Reply