How to block authentication of users whose expirydate is in the past

Question

How to block authentication of users whose expirydate is in the past

Divya M 0

Hi Team,

In our environment, users are created in On-Prem AD and synchronized to EntraID.

When the expiry date of AD account is in the past, onPrem AD is blocking the users from authentication. I understand that this is AD functionality.

We would like to block the authentication in EntraID as well if the expirydate(on-Prem attribute) is in the past. Please let me know what the best approach should be to achieve this.

Thanks

Divya M

M, Divya 0 Reputation points

2026-03-26T12:26:28.5633333+00:00

Thank you @Thanmayi Godithi for your reply. Can we add users to the Group using simple configuration instead of scripting?

Also, please let me know how quickly the users will get removed from the group after the Expirydate is updated to a futuredate.

Thanks

Divya M
Thanmayi Godithi 8,545 Reputation points Microsoft External Staff Moderator

2026-03-30T17:40:22.4433333+00:00

Hi @M, Divya ,

Thanks for your questions.There is no simple or native configuration in Microsoft Entra ID to automatically add/remove users to a group based on the on‑premises accountExpires attribute. This attribute is not evaluated by Entra ID for sign‑in decisions and cannot be used in dynamic group rules, so some form of automation is required.

Regarding removal timing: after the expiry date is updated to a future date in on‑prem AD, the change must first sync to Entra ID. The user will be removed from the group when the automation runs again. There is no immediate or real‑time removal.

Kindly let us know if the above helps or you need further assistance on this issue.

If the answer is helpful, please "Upvote" it. If you have extra questions about this answer, please click "Comment".
M, Divya 0 Reputation points

2026-04-10T07:29:53.93+00:00

Hi @Thanmayi Godithi Please confirm if AccountExpires from ONPrem AD should be synchronized to a custom attribute in Azure or do we have any out of the box attribute to store this.Also, Please share any documentation on the automation that can be performed to achieve this.

Thanks

Divya M

1 answer

Your answer

M, Divya 0 Reputation points

2026-03-26T12:26:28.5633333+00:00

Thank you @Thanmayi Godithi for your reply. Can we add users to the Group using simple configuration instead of scripting?

Also, please let me know how quickly the users will get removed from the group after the Expirydate is updated to a futuredate.

Thanks

Divya M
Thanmayi Godithi 8,545 Reputation points Microsoft External Staff Moderator

2026-03-30T17:40:22.4433333+00:00

Hi @M, Divya ,

Thanks for your questions.There is no simple or native configuration in Microsoft Entra ID to automatically add/remove users to a group based on the on‑premises accountExpires attribute. This attribute is not evaluated by Entra ID for sign‑in decisions and cannot be used in dynamic group rules, so some form of automation is required.

Regarding removal timing: after the expiry date is updated to a future date in on‑prem AD, the change must first sync to Entra ID. The user will be removed from the group when the automation runs again. There is no immediate or real‑time removal.

Kindly let us know if the above helps or you need further assistance on this issue.

If the answer is helpful, please "Upvote" it. If you have extra questions about this answer, please click "Comment".
M, Divya 0 Reputation points

2026-04-10T07:29:53.93+00:00

Hi @Thanmayi Godithi Please confirm if AccountExpires from ONPrem AD should be synchronized to a custom attribute in Azure or do we have any out of the box attribute to store this.Also, Please share any documentation on the automation that can be performed to achieve this.

Thanks

Divya M

Answer 1

Hi Divya M ,

This behavior is expected in hybrid environments. Even if the account is expired in on-prem AD, Microsoft Entra ID does not evaluate the accountExpires attribute during authentication, so users can still sign in to cloud applications.

To achieve your requirement without disabling the account, the recommended approach is to convert the expiry condition into an access control decision using attribute sync, automation, and policy enforcement. First, ensure that the accountExpires attribute is synchronized from on-prem AD to Entra ID using Microsoft Entra Connect, typically by mapping it to an extension attribute. Next, implement a scheduled automation (PowerShell or Azure Automation) that compares the expiry date with the current date and identifies users whose accounts have expired. These users should then be added to a dedicated security group (for example, “Expired-Users”), which will be used for access control.

You can implement this using the following steps:

Sync the accountExpires attribute to Entra ID (via Entra Connect → extension attribute).
Create a security group (e.g., “Expired-Users”).
Configure a scheduled script to:
- Read user expiry values
- Compare with current date
- Add expired users to the group (and optionally remove if updated)
Create a policy in Conditional Access:
- Target → Expired-Users group
- Cloud apps → All apps
- Grant → Block access

With this setup, users whose accounts are expired in AD will be automatically identified and blocked from authenticating in Entra ID without disabling their accounts.

Kindly let us know if the above helps or you need further assistance on this issue.

If the answer is helpful, please "Accept the answer" and kindly "Upvote" it. If you have extra questions about this answer, please click "Comment".

Share via

How to block authentication of users whose expirydate is in the past

1 answer

Your answer