This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 66%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDT%3C/text%3E%3C/svg%3E)
I have a newly created tenant which as was synd using express settings for ADDConnect. If we disable an account in Azure AD it doesn't get synced back to on-prem?
Do we need to change something in ADDConnect to achieve this for actions like this taken in Azure AD?
No, there is no two way sync for an account enabled or disabled status like that.
If you want to writeback and sync passwords and password changes, you can do that:
AADConnect is a one-way sync with some attributes written back to on-prem.
The account must be disabled on-prem and that is synced to Azure, not the other way around. If you disable only in Azure, it will be re-enabled after the next sync if the on-prem account is still enabled.
If you have E5, and you want to achieve this due to a security risk, you can make use of Defender for Identity to disable on-prem accounts.
Thank Andy, so do I need Federation in place then or pass-thru to achieve 2 way?