SOLVED

disabled on premise AD Account - Consequences for M365 Mailbox\OneDrive data


Hi All

We're about to go through the migration process for on-premises mailboxes and home drives to M365 Exchange Online and OneDrive.
We have on-premises AD which will remain in place and is synchronising to Azure AD.

The Sys Admins have an existing user account tidy-up\deletion process of checking the last logon date, disabling the AD account and moving it to a disabled-users OU - fairly standard for most on-prem businesses.

However, if we have migrated a user's mailbox and OneDrive to M365, disabled the on-prem AD account and then moved it to an OU that isn't synchronised with Azure AD, what happens to that user's M365 data?

I'm thinking of ways to mitigate against loss of data and ensure that, if we want to delete mailboxes\OneDrive, it is done in a controlled manner.

Maybe we should at least sync the disabled-users OU with Azure and then go through the offboarding process within M365 to archive mailboxes\OneDrive?

Thanks

2 Replies
Best Response confirmed by Rudi77 (Frequent Visitor)
Solution

@Rudi77

OK, if you disable an AD user that is synced to O365, the O365 user will then be blocked from signing in too.

If you sync an AD account to O365, then move the AD account to an OU which is not synced, the O365 account will be deleted on the next scheduled sync pass. The result of this is that the O365 account will be moved from the Active Users folder to the Deleted Users folder. It will remain recoverable for 30 days, then it will be permanently purged and not recoverable.

So no, neither of these is an option for you, I'm afraid.

If you sync the disabled-users OU, then the O365 user will not be deleted at the next sync, but would of course still be blocked from signing in.
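A PowerShell check that turns the two facts in this answer into an audit: a disabled account outside the Azure AD Connect sync scope will have its cloud object soft-deleted at the next sync, and a soft-deleted user has 30 days before it is purged. This is an added example, not from the thread or from Microsoft; it assumes the RSAT ActiveDirectory and Microsoft.Graph modules, and that `$SyncedOUs` is filled in from your own connector configuration (the DNs shown are placeholders).

```powershell
#Requires -Modules ActiveDirectory, Microsoft.Graph.Identity.DirectoryManagement
param(
    # Placeholder DNs: replace with the OUs your Azure AD Connect connector actually syncs.
    [string[]]$SyncedOUs = @('OU=Users,DC=corp,DC=example', 'OU=Disabled Users,DC=corp,DC=example'),
    # Soft-deleted cloud users are recoverable for 30 days (per the answer above).
    [int]$RetentionDays = 30
)

Import-Module ActiveDirectory
Connect-MgGraph -Scopes 'Directory.Read.All'

# 1. On-prem side: a disabled account that sits outside every synced OU is the dangerous case.
#    Being disabled alone only blocks sign-in; leaving sync scope deletes the cloud object.
$disabled = Get-ADUser -Filter 'Enabled -eq $false' -Properties DistinguishedName, UserPrincipalName
$atRisk = foreach ($u in $disabled) {
    # Suffix match so that accounts in child OUs of a synced OU still count as in scope.
    $inScope = $SyncedOUs | Where-Object { $u.DistinguishedName -like "*,$_" }
    if (-not $inScope) { $u }
}
foreach ($u in $atRisk) {
    Write-Warning ("{0} is disabled and outside sync scope: its Azure AD object will be " +
                   "soft-deleted on the next sync pass") -f $u.UserPrincipalName
}

# 2. Cloud side: users already in the Deleted Users folder, with days left before permanent purge.
#    Anything with DaysUntilPurge close to 0 needs a decision now (restore, or accept the loss).
$deleted = Get-MgDirectoryDeletedItemAsUser -All -Property Id, UserPrincipalName, DeletedDateTime
foreach ($d in $deleted) {
    $age = (Get-Date) - [datetime]$d.DeletedDateTime
    [pscustomobject]@{
        UserPrincipalName = $d.UserPrincipalName
        DeletedDateTime   = $d.DeletedDateTime
        DaysUntilPurge    = [math]::Max(0, $RetentionDays - [int][math]::Floor($age.TotalDays))
        # Restoring puts the object back in Active Users; mailbox and OneDrive come back with it.
        RestoreCommand    = "Restore-MgDirectoryDeletedItem -DirectoryObjectId $($d.Id)"
    }
}
```

Run it before the on-prem cleanup job moves accounts, so the warning fires while the move can still be stopped rather than after the 30-day clock has started.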


To remove an employee:

In the admin center, go to the Users > Active users page.

Select the box next to the user's name, and then select Reset password.

Enter a new password, and then select Reset. (Don't send it to them.)

Select the user's name to go to their properties pane, and on the OneDrive tab, select Initiate sign-out.