Sync time for disabled account

NK 1

Hi There,

If I disable any account in on-premises DC, does this syncs immediately like passwords?

If not, how can I make sure it does?

Cheers,
NG

2 answers

Vasil Michev 110.8K Reputation points MVP

2019-12-12T12:10:56.47+00:00
No, it syncs like any other attribute, 30 mins by default. You can force a sync as detailed here: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-scheduler#start-the-scheduler

Start-ADSyncSyncCycle -PolicyType Delta
Please sign in to rate this answer.

1 person found this answer helpful.

0 comments No comments
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.
NK 1 Reputation point

2019-12-12T13:30:17.267+00:00

Hi @Vasil Michev .

But this is a security risk, isn't it? If we disable an account and it's still enabled in AzureAD so the leaver can still access the cloud resources especially when we have synced the password.

Cheers,
Narayan
Please sign in to rate this answer.
Vasil Michev 110.8K Reputation points MVP

2019-12-12T15:41:06.853+00:00

Not really, disabling the user doesn't stop access immediately anyway. The user will continue to have access for the validity of the access/refresh token. To speed things up, kill the refresh tokens, remove license and block email protocols.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Your answer