How do I get Actions such as disabling an account to sync back to on-prem AD from Azure AD

David Turner 26 Reputation points

I have a newly created tenant which as was synd using express settings for ADDConnect. If we disable an account in Azure AD it doesn't get synced back to on-prem?

Do we need to change something in ADDConnect to achieve this for actions like this taken in Azure AD?

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
14,870 questions
0 comments No comments
{count} votes

3 additional answers

Sort by: Most helpful
  1. Andy David - MVP 121.3K Reputation points MVP

    AADConnect is a one-way sync with some attributes written back to on-prem.

    The account must be disabled on-prem and that is synced to Azure, not the other way around. If you disable only in Azure, it will be re-enabled after the next sync if the on-prem account is still enabled.

    0 comments No comments

  2. David Turner 26 Reputation points

    Thank Andy, so do I need Federation in place then or pass-thru to achieve 2 way?

    0 comments No comments

  3. Guus van Berge 1 Reputation point

    If you have E5, and you want to achieve this due to a security risk, you can make use of Defender for Identity to disable on-prem accounts.

    0 comments No comments