Active Directory AccountExpires attribute does not stop login to Office 365
We discovered a security flaw in Office 365 whereby if you set an account in Active Directory to expired, the user can still login to Office 365.
We believe this is a major security flaw as many customers will believe if the user can no longer log in to the Active Directory domain then they must also not be able to login to Office 365, however this is not the case.
Setting an account with an expiry date should stop the account from logging into Office 365 as well.
mikie swier commented
Major security issue. Please fix asap.
Anthony L. commented
For such a major security flaw it is unacceptable to have a workaround solution. This needs to be resolved at a platform level ASAP.
Dylan Skeels commented
HUGE security flaw, we use this in our district for various things and to find out it doesn't actually lock users out of 365 is just horrible. Please fix ASAP!
Graham C. commented
This is achieved through federation.
Like the broken HideFromAddressLists attribute sync, this is a fundamental security item that should have been fixed in the builtin Sync Rules for AD Connect. Too many Disprovisioning processes and workflows are built around whether an account is Disabled that should not apply to an Expired Account that may or may not been an innocent lapse in the accounts renewal/extension approval, but the Account should immediately cease to function across all platforms until the Expiration is extended or the account truly Disabled. Please make this fix a priority.
Anon I Mouse commented
Its August 2020 and this is a major security flaw, plain and simple. And to have it on going since dirsync was first created to syncronize on-prem AD to Azure AD is staggering. MS will say this is mitigated through other security meaures and conditional access rules. That may be true for customers that are able to afford those types of licenses. This is a foundational issue that should not be acceptable at all. Get on the ball, Microsoft - fix this permanently.
Hello, today is July 30, 2020, and this compliance issue still exists. This issue has been open for 1301 DAYS! This can't be that hard to address. It's just another property field that the sync tools need to compare and update. For those of us in regulated industries, this could lead to millions of dollars worth of fines.
This needs to be addressed so that it does not require tinkering with scripts to solve.
Evan Nichols commented
I solved this problem with a Sync Rule expression referencing an extensionAttribute we are populating with MIM.
We're using extensionAttribute5 to mark "Enabled" or "Disabled" based on whether they are disabled or expired.
Federico Rossi commented
Hi, I've solved this with Azure AD Pass Through Authentication, the client will be authenticated directly against your on premises infrastructure: https://samcogan.com/azure-ad-connect-and-the-trouble-with-expired-passwords/
Jason Richardson commented
This is an unbelievable security flaw. I would say I was shocked when I saw it, but...
Steven Fletchall commented
I keep hearing people say it's a feature or intentional. Sounds like a flaw to me.
Nagappan Veerappan commented
If your organization uses the accountExpires attribute as part of user account management, this attribute is not synchronized to Azure AD. As a result, an expired Active Directory account in an environment configured for password hash synchronization will still be active in Azure AD. We recommend that if the account is expired, a workflow action should trigger a PowerShell script that disables the user's Azure AD account (use the Set-AzureADUser cmdlet). Conversely, when the account is turned on, the Azure AD instance should be turned on.
Mark Joseph commented
Office 365 Group, Do we have any other alternative on this concern? aside for manually running a script to disable account from local AD? or setup a auto schedule script to disable account?
I confirmed this a while back and opened a ticket with Microsoft, who said it was not a flaw or a bug but rather a feature request. Kenneth's recommendation of resetting the user's AD password upon account expiration using a script is a great idea.
We need this checck to ensure the correct alignment from Office365 and our applications.
The users have no evidence why they cannot log in the Company's tools because it seems that office365 trusts their account.
Kenneth West commented
Fellow Office 365 admin here with a similar concern as the OP and others below.
Is everyone here referring to literally expiring an AD account (accountExpires attribute) or truly disabling an AD account (userAccountControl attribute)? Those are fundamentally different operations with different outcomes.
Expiring an AD account does NOT prevent the user from signing in to Office 365. IMHO, expiring applies to AD only and not Azure AD, so Office 365 access continues. Only if you were to have AAD:PTA (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta) or ADFS (https://docs.microsoft.com/en-us/windows-server/identity/active-directory-federation-services) would expiring potentially (I don't have either of these setups) have the outcome you are describing.
Disabling an AD account does prevent the user from signing in to Office 365.
If expiring is what you wish to continue doing, you could try a workaround of also resetting the user's AD password upon account expiration. Since password resets are synced to Office 365, that should give you the best of both worlds by blocking future Office 356 sign ins until an AD admin can fully disable the account (which would block Office 365 access).
As for the poster asking for a way to kill existing Office 365 sessions, try these suggestions:
has this been fixed or looked into we are still having this issue
Same problem.Big security flaw. Expired user kept using Outlook for a months without any issues.
B Davis commented
Agreed, we've had problems with this too. I would also suggest that Office 365 makes it so that AAD Sync doesn't un-block Office 365 accounts that have been set to blocked status in the cloud. There are times we have to block access right away and an AD admin isn't available. So I have to block in the cloud and then turn off the AAD Sync until an AD admin can disable the AD account.