In the Microsoft 365 Admin Portal (Azure) I can block an active user from signing in using the "? Block this user" option, pictured:
However when our on-prem Active Directory server syncs our userbase up to 365, this option is overridden and that user is allowed to sign-in again.
What attribute do I need to set in our on-prem Active Directory server on the user object to match the the "Block this user" option seen in Microsoft 365? I think when I find out this setting, then the value will sync up to 365 and be persisted there.
What I've tried:
- marking the on-prem AD user account as Disabled (doesn't have an effect in 365 after sync);
- Moving the user account to a special/custom "Disabled Users" folder in our AD folder but it causes 365 to instead move the user into the Deleted Users area of 365 instead of simply prohibiting that Active User from signing in.
Disabling the on premises user account will block the Office 365 sign in. If it isn't then you haven't waited for the next sync cycle, or you've misconfigured Azure AD Connect somehow. Disable the on premises user account again and run the following from an elevated Powershell prompt on your Azure AD Connect server:
Start-ADSyncSyncCycle -PolicyType Delta
. Then check the sign-in status in Office 365. If the sign-in still isn't blocked then open a support case with Microsoft from the Office 365 management portal. It's free and MS will troubleshoot the issue with you.Barring that, you can "unlink" the on premises user account from the Office 365 user account by setting the adminDescription attribute on the on premises user account to
User_NoAzureADSync
.This will effectively "unlink" the two accounts and will delete the Office 365 user account. Note that any data in Office 365 for the deleted user account will also be deleted, but you'll have 30 days to access it and 30 days to "relink" the accounts if you so choose.