On-Premises is authoritative in this scenario, hence the behaviour you are seeing
Sync “sign-in blocked”/“account disabled” status from AAD to On-premise AD
We run a hybrid environment with accounts being generated on-premise and synced to AAD for Office365.
We also have Password writeback working to allow password changes from AAD to replicate locally for consistency.
The issue we have is with sign-in blocked/disabled accounts.
If an account is disabled on-premise, the status is synced to AAD to prevent logins, which is the desired result ... BUT if an account is disabled in AAD, the next sync between on-premise and cloud will re-enable the account in AAD, restoring sign-in access for the account.
This poses an issue as we occasionally need to lock down an account (typically a compromised email account, attempting to spam others).
How can the sign-in allowed/blocked status be synced from AAD to on-premise (or bi-directionally)?
2 answers
Vasil Michev 97,231 Reputation points MVP
2019-12-14T18:29:39.153+00:00
There is no bi-directional sync, you will have to block in on-premises.
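The workflow the answer recommends, as an added example that is not part of the original question or answer: disable the account in on-premises AD (the authoritative side), trigger an AAD Connect delta sync instead of waiting for the scheduler, and confirm that AAD now reports the account as sign-in blocked. The AAD Connect server name `AADCONNECT01` is a placeholder, and the script assumes the ActiveDirectory and AzureAD PowerShell modules are available and that `Connect-AzureAD` has already been run; none of these details come from the page.

```powershell
# Added example (not from the original post). Blocks sign-in for a hybrid account the way the
# answer recommends: disable on-premises, let AAD Connect push the change to AAD, then verify.
# Assumptions not stated on the page: ActiveDirectory and AzureAD modules are installed,
# the AAD Connect host is 'AADCONNECT01' (placeholder), and Connect-AzureAD has been run.
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,
    [string]$AadConnectServer = 'AADCONNECT01',   # placeholder name for the AAD Connect host
    [int]$TimeoutMinutes = 10
)

Import-Module ActiveDirectory

# 1. Disable in on-premises AD. On-premises is authoritative, so this is the change that
#    survives the next sync; disabling only in AAD is reverted, as the question describes.
$user = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" -Properties Enabled
if (-not $user) { throw "No on-premises account found for $UserPrincipalName" }
Disable-ADAccount -Identity $user
Write-Host "Disabled on-premises account $($user.SamAccountName)"

# 2. Run a delta sync now rather than waiting for the scheduler (default interval is 30 minutes).
#    Start-ADSyncSyncCycle comes from the ADSync module, which only exists on the Connect server.
Invoke-Command -ComputerName $AadConnectServer -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}

# 3. Poll AAD until the account is reported as sign-in blocked (AccountEnabled = False).
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    Start-Sleep -Seconds 30
    $aadUser = Get-AzureADUser -ObjectId $UserPrincipalName
    if (-not $aadUser.AccountEnabled) {
        Write-Host "Sign-in blocked in AAD for $UserPrincipalName"
        return
    }
} while ((Get-Date) -lt $deadline)

Write-Warning ("AAD still shows $UserPrincipalName enabled after $TimeoutMinutes minutes; " +
               "check Get-ADSyncScheduler and the export errors on $AadConnectServer.")
```

Run it from an administrative workstation as `.\Block-HybridSignIn.ps1 -UserPrincipalName user@contoso.com` (file name and UPN are illustrative). Blocking sign-in stops new authentications but does not invalidate tokens already issued to the account, so for a compromised mailbox the account's existing sessions need to be revoked separately.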