Have also been stuck on this for quite some time... found a solution. I deleted the original rule (precedence 106), moved my cloned rule to precedence 106 and ran a delta sync. Now my disabled users are showing in AAD as expected.
AAD Connect sync - Why accounts disabled in on-prem AD not disabled in Azure AD
Hi there,
I have a client who is using AAD Connect sync 2.1.20 to sync accounts from on-prem AD to Azure AD.
I have recently discovered that some of the disabled accounts in on-prem AD don't have their synced entities disabled in Azure AD, in other words these accounts are still enabled in Azure AD.
I ran the Azure AD Connect Single Object Sync PowerShell script to diagnose the problem. The report generated shows that AAD Connect finds the AD account has the UserAccountControl value of 0x202, which means "Normal account" (0x200) + "Disabled" (0x002). However, with the default transformation rule, the object imported into the AAD Connector space ended up with its "accountEnabled" attribute set to "True", which subsequently resulted in the account in AAD not being disabled.
The default transformation rule is:
IIF(BitAnd([userAccountControl],2)=0,True,False)
With the "userAccountControl" value being 0x202, this rule should result in "False", yet the resulting "userEnabled" value was "True".
Can someone let me know what happened here?
Regards.
Johnmen
Microsoft Security | Microsoft Entra | Microsoft Entra ID
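The question above describes the default transformation IIF(BitAnd([userAccountControl],2)=0,True,False) and a user whose 0x202 value still produced accountEnabled = True. The following PowerShell is an added example, not code from the thread or from Microsoft: it re-implements the same bit test and uses it to compare a list of on-prem users against their cloud objects, returning every user whose cloud accountEnabled disagrees with what the rule should have produced. It assumes the on-prem objects carry UserPrincipalName and userAccountControl (as Get-ADUser does with -Properties userAccountControl) and the cloud objects carry UserPrincipalName and AccountEnabled (as Get-MgUser does when AccountEnabled is requested with -Property); the sample users and UPNs are constructed.

```powershell
# Added example; not code from the original thread or from Microsoft.
# Re-implements the default "In from AD - User Common" transformation
#   IIF(BitAnd([userAccountControl],2)=0,True,False)
# and uses it to find on-prem-disabled users whose cloud object is still enabled.

$script:ACCOUNTDISABLE = 0x2   # userAccountControl bit meaning "account disabled"

function Get-ExpectedAccountEnabled {
    # Same decision the sync rule makes: enabled unless bit 0x2 is set.
    param([Parameter(Mandatory)][int]$UserAccountControl)
    return (($UserAccountControl -band $script:ACCOUNTDISABLE) -eq 0)
}

function Compare-AccountEnabledState {
    # $OnPrem: objects with UserPrincipalName and userAccountControl
    #          (what Get-ADUser returns with -Properties userAccountControl).
    # $Cloud:  objects with UserPrincipalName and AccountEnabled
    #          (what Get-MgUser returns with -Property UserPrincipalName,AccountEnabled;
    #          without -Property the attribute is $null and would read as $false here).
    # Returns one row per user whose cloud state differs from what the rule should produce.
    param(
        [Parameter(Mandatory)][object[]]$OnPrem,
        [Parameter(Mandatory)][object[]]$Cloud
    )
    $cloudByUpn = @{}
    foreach ($c in $Cloud) { $cloudByUpn[$c.UserPrincipalName.ToLowerInvariant()] = $c }

    foreach ($u in $OnPrem) {
        $expected = Get-ExpectedAccountEnabled -UserAccountControl $u.userAccountControl
        $match = $cloudByUpn[$u.UserPrincipalName.ToLowerInvariant()]
        if ($null -eq $match) { continue }   # not synced or UPN differs; out of scope here
        if ([bool]$match.AccountEnabled -ne $expected) {
            [pscustomobject]@{
                UserPrincipalName  = $u.UserPrincipalName
                userAccountControl = '0x{0:X}' -f $u.userAccountControl
                ExpectedEnabled    = $expected
                CloudEnabled       = [bool]$match.AccountEnabled
            }
        }
    }
}

# Constructed sample data (not from the thread). The second user reproduces the
# symptom in the question: UAC 0x202 on-prem, yet accountEnabled = True in the cloud.
$onPremSample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; userAccountControl = 0x200 }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.com';   userAccountControl = 0x202 }
    [pscustomobject]@{ UserPrincipalName = 'carol@example.com'; userAccountControl = 0x10202 }
)
$cloudSample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; AccountEnabled = $true }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.com';   AccountEnabled = $true }
    [pscustomobject]@{ UserPrincipalName = 'carol@example.com'; AccountEnabled = $false }
)

Compare-AccountEnabledState -OnPrem $onPremSample -Cloud $cloudSample | Format-Table -AutoSize

# Against live data (domain-joined admin host, Microsoft Graph SDK already connected):
#   $onPrem = Get-ADUser -Filter * -Properties userAccountControl
#   $cloud  = Get-MgUser -All -Property UserPrincipalName,AccountEnabled
#   Compare-AccountEnabledState -OnPrem $onPrem -Cloud $cloud
```

With the constructed data, bob@example.com is the only row returned: bit 0x2 is set in 0x202, so the rule should yield False, while the cloud object says True. carol@example.com (0x10202, disabled plus password-never-expires) is correctly disabled in the cloud and is not reported, which is the point of testing the single bit rather than comparing the whole userAccountControl value.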
3 answers
Johnmen Zhang 5 Reputation points
2023-03-21T02:15:07.7966667+00:00
Hi Andy,
We cloned the default "In from AD - User Common" rule in order to add an attribute to determine if a user should be hidden from Exchange GAL. The transformations screenshot was taken from the cloned rule.
Here is the default rule we cloned from, it has been disabled:
Here is the rule we created from the clone:
Regards.
Johnmen
Samuel Mannhart 5 Reputation points
2023-07-18T06:27:53.8266667+00:00
Hi there,
Is there already a solution for this? We have exactly the same problem.
Regards,
Samuel