Azure & Deprovision

We are running in a hybrid mode with Azure, and when a user object is deprovisioned in Active Roles it takes 30-45 minutes for that change to sync to Azure. The problem is that the terminated user would have access to Office 365 resources during that period of time. How are people handling revoking access tokens in Azure during terminations? I know there is a command that I can run via PowerShell from the ARS server (Revoke-AzureADSignedInUserAllRefreshToken); however, our ARS server lives on premise and we require MFA to authenticate to our Azure tenant, so I don't know how to run the command from the ARS server because of the MFA requirement. How are others handling this situation?

  • Within Active Roles itself, you could set edsaAzureUserAccountEnabled to FALSE - that should prevent the user from logging in.

    # Block Azure sign-in for the user through Active Roles' own tenant connection
    Set-QADUser -Proxy -Identity $Myuser -AzureUserAccountEnabled $False

    You could also have a rule in a deprovisioning policy apply this.

    The update in the tenant is immediate.

  • We have done that; however, Azure AD Connect runs a sync every 30 minutes, so there is still a delay of ~30 minutes for that setting to take effect.

    Seems like we need to revoke the token in Azure directly somehow for it to be immediate.

  • ???

    Is your Active Roles instance actually setup to communicate with your M365 tenant directly or a you relying solely on Azure AD Connect to replicate changes?

    My current customer is Hybrid and we have both.

    A change made as I describe above should take effect immediately - i.e. you will see on the user in the tenant Portal that sign-in is blocked.
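As an added example (not code from the thread or from One Identity), the script below combines the two steps discussed above in one deprovisioning action: it blocks sign-in through Active Roles' own tenant connection, then revokes the user's refresh tokens directly in the tenant using app-only (certificate) authentication, which sidesteps the interactive MFA prompt raised in the question. It assumes the ActiveRolesManagementShell and AzureAD modules are installed on the ARS server, that an app registration with a certificate in the local machine store exists, and that it has been granted an application permission that allows revoking sessions (e.g. User.ReadWrite.All); the parameter names and the revoke cmdlet are the AzureAD module's per-user variant, not the SignedInUser one quoted in the question.

```powershell
# Added example: immediate termination step for a hybrid tenant.
# Assumed: ActiveRolesManagementShell + AzureAD modules on the ARS server,
# an app registration with a certificate, admin-consented app permission.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [Parameter(Mandatory)] [string] $TenantId,
    [Parameter(Mandatory)] [string] $AppId,          # app registration (client) id
    [Parameter(Mandatory)] [string] $CertThumbprint  # cert in Cert:\LocalMachine\My
)

Import-Module ActiveRolesManagementShell
Import-Module AzureAD

# 1. Block sign-in in the tenant via Active Roles (same attribute the answer sets).
#    -Proxy routes the change through the Active Roles service and its Azure connection.
Set-QADUser -Proxy -Identity $UserPrincipalName -AzureUserAccountEnabled $false

# 2. Authenticate as the application, not as an MFA-bound admin account.
Connect-AzureAD -TenantId $TenantId -ApplicationId $AppId `
    -CertificateThumbprint $CertThumbprint | Out-Null

try {
    # Get-AzureADUser throws rather than returning $null when the UPN is unknown.
    $azUser = Get-AzureADUser -ObjectId $UserPrincipalName

    # 3. Invalidate every refresh token so existing sessions cannot silently renew.
    Revoke-AzureADUserAllRefreshToken -ObjectId $azUser.ObjectId

    # 4. Verify: AccountEnabled is now false and the tokens-valid-from timestamp moved to now.
    $check = Get-AzureADUser -ObjectId $azUser.ObjectId
    if ($check.AccountEnabled) { throw "Sign-in block did not apply in the tenant" }
    Write-Output ("{0}: sign-in blocked, refresh tokens valid from {1:u}" -f
        $check.UserPrincipalName, $check.RefreshTokensValidFromDateTime)
}
finally {
    Disconnect-AzureAD
}
```

Already-issued access tokens stay valid until they expire (typically up to an hour), so the revoke closes off renewal rather than ending active sessions instantly; a Conditional Access sign-in block applied from the tenant side is the companion control for that window.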
