How do I get Actions such as disabling an account to sync back to on-prem AD from Azure AD

David Turner 26 Reputation points
2022-11-02T14:42:05.443+00:00

I have a newly created tenant which was synced using express settings for AADConnect. If we disable an account in Azure AD it doesn't get synced back to on-prem?

Do we need to change something in AADConnect to achieve this for actions like this taken in Azure AD?

Microsoft Entra ID

3 additional answers

  1. Guus van Berge 6 Reputation points
    2022-11-21T14:25:38.757+00:00

    If you have E5, and you want to achieve this due to a security risk, you can make use of Defender for Identity to disable on-prem accounts.

    1 person found this answer helpful.

  2. Andy David - MVP 143.6K Reputation points MVP
    2022-11-02T17:09:24.253+00:00

    AADConnect is a one-way sync with some attributes written back to on-prem.

    The account must be disabled on-prem and that is synced to Azure, not the other way around. If you disable only in Azure, it will be re-enabled after the next sync if the on-prem account is still enabled.

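The order of operations from the answer above (disable on-prem, let the sync carry it to Azure AD, confirm the cloud object), as an added PowerShell example that is not part of the original thread. The server name `AADCONNECT01` is a placeholder; the script assumes the on-prem UPN matches the cloud UPN, that PowerShell remoting to the sync server is allowed, and that the ActiveDirectory and Microsoft.Graph.Users modules are installed.

```powershell
# Added example: disable at the source of authority, sync, then verify in the cloud.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [string] $SyncServer = 'AADCONNECT01'   # placeholder AADConnect server name
)

Import-Module ActiveDirectory

# 1. Disable the on-prem account. A cloud-only disable would be reverted by the
#    next sync while this account is still enabled.
Disable-ADAccount -Identity $SamAccountName
$adUser = Get-ADUser -Identity $SamAccountName -Properties Enabled, UserPrincipalName
if ($adUser.Enabled) { throw "On-prem account $SamAccountName is still enabled." }

# 2. Request a delta sync cycle instead of waiting for the scheduler.
try {
    Invoke-Command -ComputerName $SyncServer -ErrorAction Stop -ScriptBlock {
        Import-Module ADSync
        Start-ADSyncSyncCycle -PolicyType Delta
    }
} catch {
    # A cycle may already be running; the change then goes out with that or the next run.
    Write-Warning "Could not start a delta sync: $($_.Exception.Message)"
}

# 3. Poll the cloud object until it shows the disabled state (10 minute limit).
Connect-MgGraph -Scopes 'User.Read.All'
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 30
    $cloud = Get-MgUser -UserId $adUser.UserPrincipalName `
                        -Property accountEnabled, userPrincipalName
} while ($cloud.AccountEnabled -and (Get-Date) -lt $deadline)

if ($cloud.AccountEnabled) {
    Write-Warning "$($cloud.UserPrincipalName) is still enabled in the cloud; check the sync server."
} else {
    "$($cloud.UserPrincipalName) is disabled on-prem and in the cloud."
}
```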

  3. David Turner 26 Reputation points
    2022-11-02T18:04:23.937+00:00

    Thanks Andy, so do I need Federation in place then or pass-thru to achieve 2 way?
