Sync “sign-in blocked”/“account disabled” status from AAD to On-premise AD

Ian Fuchs 16 Reputation points

We run a hybrid environment with accounts being generated on-premise and synced to AAD for Office365.

We also have Password writeback working to allow password changes from AAD to replicate locally for consistency.

The issue we have is with sign-in blocked/disabled accounts.

If an account is disabled on-premise, the status is synced to AAD to prevent logins, which is the desired result ... BUT if an account is disabled in AAD, the next sync between on-premise and cloud will re-enable the account in AAD, restoring sign-in access for the account.

This poses an issue as we occasionally need to lock down an account (typically a compromised email account, attempting to spam others).

How can the sign-in allowed/blocked status be synced from AAD to on-premise (or bi-directionally)?

Microsoft Entra ID

2 answers

  1. Dan Davey 16 Reputation points Microsoft Employee

    On-Premises is authoritative in this scenario, hence the behaviour you are seeing.


  2. Vasil Michev 98,111 Reputation points MVP

    There is no bi-directional sync; you will have to block in on-premises.

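Both answers come down to the same point: the block has to be applied on-premises, because that is the authoritative side and a cloud-only disable is undone by the next sync. The script below is an added example illustrating that workflow; it is not from the thread or from Microsoft. It assumes the RSAT ActiveDirectory module, the ADSync module on the Entra Connect server, and a Microsoft Graph session with User.ReadWrite.All consent; the user principal name and the 600-second wait are placeholders.

```powershell
# Added example, not from the thread. Assumptions: RSAT ActiveDirectory module,
# ADSync module on the Entra Connect server, Microsoft.Graph connected with
# User.ReadWrite.All. On-prem AD is authoritative, so the disable is applied
# there; the cloud-side steps only cut live sessions and confirm the sync landed.
Import-Module ActiveDirectory
Import-Module ADSync                      # only present on the Entra Connect server
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions

function Block-HybridAccount {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [int] $SyncTimeoutSeconds = 600     # placeholder; tune to your sync interval
    )
    # 1. Disable where the source of authority is: on-premises AD.
    $user = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'"
    Disable-ADAccount -Identity $user

    # 2. Push the change to Entra ID now instead of waiting for the scheduled cycle.
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

    # 3. Disabling does not end sessions that already hold tokens; revoke them.
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null

    # 4. Confirm the cloud object now reflects the on-prem state.
    $deadline = (Get-Date).AddSeconds($SyncTimeoutSeconds)
    do {
        Start-Sleep -Seconds 30
        $cloud = Get-MgUser -UserId $UserPrincipalName -Property AccountEnabled
    } while ($cloud.AccountEnabled -and (Get-Date) -lt $deadline)

    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        OnPremEnabled     = (Get-ADUser -Identity $user).Enabled
        CloudEnabled      = $cloud.AccountEnabled
        Blocked           = -not $cloud.AccountEnabled
    }
}

# Drift check: synced users disabled only in the cloud, which the next sync will
# silently re-enable. Run this periodically so such blocks get applied on-prem.
function Find-SignInBlockDrift {
    $cloudDisabled = Get-MgUser -All -Property UserPrincipalName `
        -Filter "accountEnabled eq false and onPremisesSyncEnabled eq true"
    foreach ($u in $cloudDisabled) {
        $ad = Get-ADUser -Filter "UserPrincipalName -eq '$($u.UserPrincipalName)'"
        if ($ad -and $ad.Enabled) { $u.UserPrincipalName }   # blocked in cloud, enabled on-prem
    }
}
```

Block-HybridAccount returns an object whose Blocked field is true only once Entra ID reports the account disabled, so a false result means the sync has not yet overwritten the cloud state and the block should be rechecked.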