Jun 06 2018 03:11 AM - last edited on Feb 01 2023 09:16 AM by TechCommunityAP
Hi,
I want to restrict access for an AD to Azure AD synced user without disabling their account.
I have set their logon hours to "Logon Denied" (see attached).
After a sync, the user can still access Office 365.
Should this be the case?
If so, how can I restrict leavers from accessing cloud services after they have left the organisation without disabling their account?
PS. If we change their password, they are set up with password reset.
Thank you,
Ollie
Jun 06 2018 03:54 AM
Azure AD / O365 does not 'understand' Logon Hours or (Password) Expired accounts. You need to disable the account, or configure custom sync rules in Azure AD Connect to get the desired effect.
Optionally, you could move the users to an out of sync OU, that way they'd be deleted from O365 but still be active in local AD.
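The "out of sync OU" option from the reply above, as an added PowerShell example that is not part of the original post. It assumes a hypothetical OU (`OU=Leavers-NoSync,DC=corp,DC=example`) that has already been excluded in the Azure AD Connect OU filter, and that the script runs on the Azure AD Connect server where the ActiveDirectory and ADSync modules are available. The account itself stays enabled in local AD; only its sync scope changes, so the cloud object is removed at the next cycle while the on-premises user keeps working.

```powershell
# Added example (not from the thread): move a leaver's on-premises account into an OU that
# Azure AD Connect does not synchronise, then request a delta sync so the cloud object goes away.
# Assumptions (hypothetical): the OU below is already excluded from sync, and this runs on the
# Azure AD Connect server with the ActiveDirectory and ADSync modules installed.
Import-Module ActiveDirectory
Import-Module ADSync

function Move-LeaverOutOfSyncScope {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $TargetOU = 'OU=Leavers-NoSync,DC=corp,DC=example'   # hypothetical OU
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties DistinguishedName, Enabled

    # Nothing to do if the account already sits in the excluded OU.
    if ($user.DistinguishedName -like "*,$TargetOU") {
        Write-Verbose "$SamAccountName is already in $TargetOU"
        return $user
    }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Move to $TargetOU")) {
        # The account stays enabled in local AD; only its sync scope changes.
        Move-ADObject -Identity $user.DistinguishedName -TargetPath $TargetOU
    }

    # Request a delta sync now rather than waiting for the scheduler, unless a cycle is
    # already running (Start-ADSyncSyncCycle would fail in that case).
    if (-not (Get-ADSyncScheduler).SyncCycleInProgress) {
        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    }

    return Get-ADUser -Identity $SamAccountName -Properties DistinguishedName, Enabled
}

# Usage with a constructed account name; drop -WhatIf to perform the move.
Move-LeaverOutOfSyncScope -SamAccountName 'jdoe' -Verbose -WhatIf
```

After the delta cycle completes, the user should no longer appear in Office 365 (it goes to the Azure AD deleted-users container, from where it can be restored if the move was a mistake); verify that before relying on it for a leaver.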
Jun 06 2018 07:43 PM
IMPORTANT: Blocking an account can take up to 24 hours to take effect. If you need to immediately prevent a user's sign-in access, you should reset their password and then initiate a one-time event that will sign them out of Office 365 sessions across all devices. See Sign out now!
To block a user from signing in and accessing Office 365 data:
In the Office 365 admin center, select Users.
Select the employee that you want to block, and then choose Edit next to Sign-in status in the user pane.
On the Sign-in status pane, choose Sign-in blocked and then Save.
Note: You can also block a former employee's access to email (Exchange Online).
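The same "block sign-in, then end existing sessions" procedure from the admin center, scripted with the AzureAD PowerShell module, as an added example that is not part of the original reply. It assumes the module is installed and the caller holds a role that can modify users; the UPN used is constructed for illustration. Revoking refresh tokens is the scripted equivalent of the "sign out now" step: cached sessions stop working once their current access token expires rather than lingering until the block propagates.

```powershell
# Added example (not from the thread): cloud-side block for a leaver.
# Assumes the AzureAD module is installed and you are signed in with sufficient rights.
Import-Module AzureAD
Connect-AzureAD | Out-Null

function Block-LeaverCloudAccess {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $UserPrincipalName)

    $user = Get-AzureADUser -ObjectId $UserPrincipalName

    # 1. Block sign-in (same effect as "Sign-in blocked" in the admin center).
    #    New token requests are refused once the change propagates.
    Set-AzureADUser -ObjectId $user.ObjectId -AccountEnabled $false

    # 2. Invalidate existing refresh tokens so devices that already hold a session
    #    cannot silently renew it; they are signed out when the access token expires.
    Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

    # 3. Read the state back and return it so the caller can record the result.
    $after = Get-AzureADUser -ObjectId $user.ObjectId
    [pscustomobject]@{
        UserPrincipalName = $after.UserPrincipalName
        AccountEnabled    = $after.AccountEnabled    # expected: False
        DirSyncEnabled    = $after.DirSyncEnabled    # True for AD-synced users
        BlockedAtUtc      = (Get-Date).ToUniversalTime()
    }
}

# Usage with a constructed UPN.
$result = Block-LeaverCloudAccess -UserPrincipalName 'j.doe@contoso.example'
$result | Format-List

# For synced users the account state is mastered in on-premises AD, so confirm the block
# still holds after the next Azure AD Connect cycle rather than assuming it.
if ($result.DirSyncEnabled) {
    Write-Warning 'Synced user: re-check AccountEnabled after the next sync cycle.'
}
```

Keep the returned object in your offboarding log; the `BlockedAtUtc` timestamp plus the post-sync re-check is what lets you show later that the leaver's access ended when you intended.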