How do I get Actions such as disabling an account to sync back to on-prem AD from Azure AD

David Turner 26 Reputation points

I have a newly created tenant which was synced using express settings for AADConnect. If we disable an account in Azure AD it doesn't get synced back to on-prem?

Do we need to change something in AADConnect to achieve this for actions like this taken in Azure AD?

Microsoft Entra ID

3 additional answers

  1. Guus van Berge 6 Reputation points

    If you have E5, and you want to achieve this due to a security risk, you can make use of Defender for Identity to disable on-prem accounts.


  2. Andy David - MVP 143.6K Reputation points MVP

    AADConnect is a one-way sync with some attributes written back to on-prem.

    The account must be disabled on-prem and that is synced to Azure, not the other way around. If you disable only in Azure, it will be re-enabled after the next sync if the on-prem account is still enabled.

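The workflow Andy describes, as an added example that is not part of the thread: disable the account on-prem (the authoritative side), trigger an Entra Connect delta sync, and confirm the cloud object now reports `accountEnabled = false`. It is assumed to run on the Entra Connect server with the ActiveDirectory RSAT, ADSync and Microsoft.Graph modules installed; the UPN passed in is a placeholder.

```powershell
# Added example, not from the thread. Assumes the Entra Connect (AAD Connect) server,
# RSAT ActiveDirectory, the ADSync module and Microsoft.Graph; UPN is a placeholder.
#Requires -Modules ActiveDirectory, ADSync, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions

function Disable-HybridUser {
    param([Parameter(Mandatory)] [string] $UserPrincipalName)

    # 1. Disable at the source of authority. Entra Connect syncs on-prem -> cloud only,
    #    so a disable done only in the portal is overwritten on the next sync cycle.
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" -Properties Enabled
    if (-not $adUser) { throw "No on-prem user found for $UserPrincipalName" }
    Disable-ADAccount -Identity $adUser

    # 2. Push the change now instead of waiting for the default 30-minute scheduler.
    if ((Get-ADSyncScheduler).SyncCycleInProgress) {
        Write-Warning 'A sync cycle is already running; it will pick up the change.'
    } else {
        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    }

    # 3. Verify in Entra ID. Disabling does not invalidate tokens already issued,
    #    so refresh tokens are revoked explicitly once the object is disabled.
    Connect-MgGraph -Scopes 'User.Read.All', 'User.RevokeSessions.All' | Out-Null
    $cloudDisabled = $false
    for ($i = 0; $i -lt 12 -and -not $cloudDisabled; $i++) {
        Start-Sleep -Seconds 10
        $cloudUser = Get-MgUser -UserId $UserPrincipalName -Property AccountEnabled
        $cloudDisabled = ($cloudUser.AccountEnabled -eq $false)
    }
    if ($cloudDisabled) { Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null }

    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        OnPremEnabled     = (Get-ADUser -Identity $adUser -Properties Enabled).Enabled
        CloudEnabled      = -not $cloudDisabled
        SessionsRevoked   = $cloudDisabled
    }
}

# Usage (placeholder UPN): Disable-HybridUser -UserPrincipalName 'user@contoso.example'
```

If `CloudEnabled` is still true after the wait, check the Synchronization Service Manager for the delta run's export errors before assuming the object is out of scope.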

  3. David Turner 26 Reputation points

    Thanks Andy, so do I need Federation in place then, or pass-through, to achieve two-way?
