This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi all,
I work for an MSSP and we have clients whereby we cannot access their on-premises infrastructure.
When we lock accounts out via Azure Active Directory, the Azure AD-Connect sync enables them after it syncs from the on-premises Active Directory. As I mentioned we have no access to their on-prem to block the accounts in AD and going through their internal IT team would be a nightmare.
I am just wondering what would the best solution to this problem be? I've read up on filtering but I think I am correct in thinkning that doesn't filter what attributes to sync but what accounts to sync.
Here are the current settings for AD Connect:
Any help greatly appreciated. Thank you in advance!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(102.4, 69%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECS%3C/text%3E%3C/svg%3E)
Hi @Liam Jones ,
You can set up a group for this kind of accounts that create a Conditional Access policy that block access to all cloud apps for that group:
And then you can add the needed account(s) to that group.
Hope this helps!
I like this, it's a really good and simple to use workaround!
I'm going to just hold back on accepting it because ideally I really need it to be based off of the account status attribute. We have MCAS which allows us to automatically set accounts to disabled for certain alerts and due to volume ideally the solution should be auomated. But I do really like this and I'll be using this until I can find a solution using the account status.
Thank you, Cristian.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Hello there,
There is no bi-directional sync, you will have to block in on-premises. This is by design.
For example if an account is disabled on-premise, the status will be synced to AAD to prevent logins, but if an account is disabled in AAD, the next sync between on-premise and cloud will re-enable to account in AAD, restoring sign-in access for the account.
-------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept it as an answer--