MS Defender for Identity "Radius Aad Syncer" disabling on-prem AD user sync accounts without writeback enabled on Microsoft Entra Connect - not sure why and how?

Zohaib Yousuf 21 Reputation points
2025-03-07T07:01:41.12+00:00

I synced on-prem Active Directory with Azure via Microsoft Entra Connect without writeback enabled.

Today I observed one account disabled via "Radius Aad Syncer" on the on-prem AD as well. How is this possible? I didn't enable the writeback feature, just sync from on-prem AD to Azure. Please suggest.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Anonymous
    2025-03-12T11:02:41.0933333+00:00

    Hello Zohaib,

    Microsoft Defender for Identity allows you to respond to compromised users by disabling their accounts or resetting their password.

    To perform remediation actions in Microsoft Defender for Identity, please follow the steps mentioned in this document: https://learn.microsoft.com/en-us/defender-for-identity/remediation-actions

    Defender is actually performing as intended by preventing further use from outside entities when the password is compromised. I don't think logs can clearly explain why the accounts were being locked or what specific service was causing the locks.

    If you explore the "Incidents & Alerts" section in Defender, you should be able to find more detailed information regarding the affected users and the specific incidents that triggered the locks.

    The RADIUS AAD Syncer you're mentioning could be integrated into the process, and while writeback isn't enabled, certain security or conditional access events (like a compromised password scenario) could still lead to a disabling event on the on-prem AD. The disabling could occur as part of a security response from Azure AD to prevent further compromise.

    The logs in Microsoft Entra (formerly Azure AD Connect) might give you a clue. Check the Azure AD Connect Sync logs to see if there are any anomalies during the sync process or any triggers related to the accounts.

    While writeback is disabled, certain security features like Azure AD Identity Protection might still cause behavior that looks like it’s making changes to your on-prem AD accounts.

    If you're using Microsoft Defender for Identity, incidents related to the compromised credentials can sometimes lock or disable accounts, even without writeback enabled.
    https://learn.microsoft.com/en-us/entra/identity/authentication/concept-sspr-writeback

    I hope this clarifies things.

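The answer above says the logs may not show which service disabled the account. On-prem, the domain controller's Security log does record it: event 4725 ("A user account was disabled") names both the disabled user (Target) and the account that performed the change (Subject). The following PowerShell is an added example, not from the original post or from Microsoft; it assumes it is run on a domain controller with rights to read the Security log and with "Audit User Account Management" enabled, and the sample user name `jdoe` is constructed. The account name "Radius Aad Syncer" is taken from the question; if the Subject of the 4725 event is the account Defender for Identity uses for remediation, that ties the disable to an MDI action rather than to Entra Connect sync.

```powershell
# Added example: find which account disabled an on-prem AD user (event 4725).
# Assumptions: run on a DC with rights to read the Security log; 4725 is only
# logged on the DC where the change was made, so run on each DC (or query
# forwarded logs) if the first one shows nothing.
param(
    [string]$TargetUser     = 'jdoe',                # constructed sample value
    [string]$SuspectedActor = 'Radius Aad Syncer',   # account name from the question
    [int]$Days              = 7
)

# Event 4725 = "A user account was disabled."
# Subject* fields = who performed the change, Target* fields = who was disabled.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4725
    StartTime = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

# Parse the event XML by field name rather than relying on Properties[] order.
$results = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time         = $e.TimeCreated
        DisabledUser = $data['TargetUserName']
        ActorAccount = $data['SubjectUserName']
        ActorDomain  = $data['SubjectDomainName']
        ActorLogonId = $data['SubjectLogonId']   # correlate with 4624 for the session
        DC           = $e.MachineName
    }
}

$hits = $results | Where-Object { $_.DisabledUser -eq $TargetUser }
$hits | Format-Table -AutoSize

# A gMSA used as the MDI Directory Service Account shows up as 'name$', so match loosely.
if ($hits | Where-Object { $_.ActorAccount -like "*$SuspectedActor*" }) {
    Write-Host "Disable of '$TargetUser' was performed by '$SuspectedActor'; check the Defender for Identity alert or action history for the matching remediation action."
} elseif ($hits) {
    Write-Host "Disable of '$TargetUser' was performed by another account; see ActorAccount above."
} else {
    Write-Host "No 4725 event for '$TargetUser' on this DC in the last $Days days."
}
```

If the Subject is the Entra Connect synchronization service account instead, that points at a sync-side change, which with writeback disabled should not happen and is worth raising with Microsoft support.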
