Office 365 / Azure AD: Block sign in for accounts with password hash sync

Expired Active Directory users are still able to sign into Microsoft Office 365 / Azure Active Directory when using password Synchronization

If you have made the move from ADFS / PTA to using Azure AD Password Synchronization with SSO you will soon realize that former / terminated employees are still able to sign into Microsoft Office 365 / Azure Active Directory apps. This is due to the fact that Microsoft currently doesn’t have a mechanism for handling expired accounts in the Azure Active Directory.

Microsoft recommends using a PowerShell script that sets accounts as disabled once the user accounts expires in Active Directory. The reason is that Azure Active Directory Connects synchronizes the disabled state of user accounts from Active Directory with Azure Active Directory and prevents users from sign in (Block Sign In).

PowerShell Script

I wrote a PowerShell script that is available from the Microsoft Scripting Center and the Azure Automation runbook gallery. I recommend that you use Azure Automation for running this as a scheduled task daily.

Download the script from Microsoft Scripting Center or using the Azure runbook gallery.

Azure Automation Runbook

  • Configure a OMS / Azure Automation Hybrid Worker on your domain controller or another server with an appropriate “run as account”
  • Import the runbook “Disable expired accounts in Active Directory.” from the Azure runbook gallery. See here how:

Technical part

Azure Active Directory Connect will import disabled user accounts by checking that the useraccountcontrol attribute” is set to 0x0002. The imported attribute will be mapped in the MetaVerse database to the “AccountEnabled” attribute in Azure Active Directory, which will be set to “false” to prevent / block sign in to Microsoft Office 365 or Azure Active Directory applications.

AAD Connect rule synchronization flow:

AD UserObjects (UserAccountControl) -> Azure AD Connect (MetaVerse DB) -> Azure AD Object (Account Enabled)

Azure AD Connect sync rules:

Azure Active Directory User attribute “AccountEnabled”:

The “AccountEnabled” attribute can be set both in the Microsoft Office 365 and the Azure Portal as the “Block Sign In” option. This is ONLY recommended for cloud-only users as the attribute will be overwritten during Azure AD Connect synchronization. Make sure you disable the users in the on-prem Active Directory.


AccountExpired, UserAccountControl




4 thoughts on “Office 365 / Azure AD: Block sign in for accounts with password hash sync”

Leave a Reply to 2 Cool new password policy features in Azure AD Connect - MSEndpointMgr Cancel reply

All fields are required. Your email address will not be published.