Feedback by UserVoice

How can we improve compliance or protect your users better in Office 365?

Active Directory AccountExpires attribute does not stop login to Office 365

We discovered a security flaw in Office 365 whereby if you set an account in Active Directory to expired, the user can still login to Office 365.

We believe this is a major security flaw as many customers will believe if the user can no longer log in to the Active Directory domain then they must also not be able to login to Office 365, however this is not the case.

Setting an account with an expiry date should stop the account from logging into Office 365 as well.

358 votes
Sign in
Sign in with: facebook google
Signed in as (Sign out)
You have left! (?) (thinking…)
Darren Hurst shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →


Sign in
Sign in with: facebook google
Signed in as (Sign out)
  • Evan Nichols commented  ·   ·  Flag as inappropriate

    I solved this problem with a Sync Rule expression referencing an extensionAttribute we are populating with MIM.
    We're using extensionAttribute5 to mark "Enabled" or "Disabled" based on whether they are disabled or expired.


  • Nagappan Veerappan commented  ·   ·  Flag as inappropriate
    Account expiration

    If your organization uses the accountExpires attribute as part of user account management, this attribute is not synchronized to Azure AD. As a result, an expired Active Directory account in an environment configured for password hash synchronization will still be active in Azure AD. We recommend that if the account is expired, a workflow action should trigger a PowerShell script that disables the user's Azure AD account (use the Set-AzureADUser cmdlet). Conversely, when the account is turned on, the Azure AD instance should be turned on.


  • Mark Joseph commented  ·   ·  Flag as inappropriate

    Office 365 Group, Do we have any other alternative on this concern? aside for manually running a script to disable account from local AD? or setup a auto schedule script to disable account?

  • Phillip commented  ·   ·  Flag as inappropriate

    I confirmed this a while back and opened a ticket with Microsoft, who said it was not a flaw or a bug but rather a feature request. Kenneth's recommendation of resetting the user's AD password upon account expiration using a script is a great idea.

  • commented  ·   ·  Flag as inappropriate

    We need this checck to ensure the correct alignment from Office365 and our applications.
    The users have no evidence why they cannot log in the Company's tools because it seems that office365 trusts their account.

  • Kenneth West commented  ·   ·  Flag as inappropriate

    Fellow Office 365 admin here with a similar concern as the OP and others below.

    Is everyone here referring to literally expiring an AD account (accountExpires attribute) or truly disabling an AD account (userAccountControl attribute)? Those are fundamentally different operations with different outcomes.

    Expiring an AD account does NOT prevent the user from signing in to Office 365. IMHO, expiring applies to AD only and not Azure AD, so Office 365 access continues. Only if you were to have AAD:PTA ( or ADFS ( would expiring potentially (I don't have either of these setups) have the outcome you are describing.

    Disabling an AD account does prevent the user from signing in to Office 365.

    If expiring is what you wish to continue doing, you could try a workaround of also resetting the user's AD password upon account expiration. Since password resets are synced to Office 365, that should give you the best of both worlds by blocking future Office 356 sign ins until an AD admin can fully disable the account (which would block Office 365 access).

    As for the poster asking for a way to kill existing Office 365 sessions, try these suggestions:

  • Egert commented  ·   ·  Flag as inappropriate

    Same problem.Big security flaw. Expired user kept using Outlook for a months without any issues.

  • B Davis commented  ·   ·  Flag as inappropriate

    Agreed, we've had problems with this too. I would also suggest that Office 365 makes it so that AAD Sync doesn't un-block Office 365 accounts that have been set to blocked status in the cloud. There are times we have to block access right away and an AD admin isn't available. So I have to block in the cloud and then turn off the AAD Sync until an AD admin can disable the AD account.

  • Anonymous commented  ·   ·  Flag as inappropriate

    This needs to be fixed urgently.
    Please provide by any means, a way to search & kill all active sessions/token, the exipred user might still have on your end. It could be a view in Azure AD, an result from a PS command ...

  • Anonymous commented  ·   ·  Flag as inappropriate

    just found this and cant believe it, it is fundamental to the way most organisations work with accounts

  • Jeffrey Ing commented  ·   ·  Flag as inappropriate

    We just discovered this today, it's very disturbing since we have a lot of interns accounts set to expire and found that they were still logging in after the fact.

  • Chris Boughton commented  ·   ·  Flag as inappropriate

    We just found this out with an email from HR looking like we did not disable their account. I found that the on-prem account was disabled from powershell script get-aduser *username* -properties accountexpirationdate, but then it dawned on me it must not pass to O365 credentials through Azure Active Directory Sync. Guess we will have to ensure to manually disable and login to admin portal to block logins.

  • Dawn Winter commented  ·   ·  Flag as inappropriate

    I agree completely that this is a major security flaw. On premise AD account expiration allows for immediate, timely deactivation which better secures our environment. I was shocked to find out the Office 365 was not honoring that in regards to account access - that could have been devastating had it gone on undetected.

  • Fred commented  ·   ·  Flag as inappropriate

    I also agree this is a major flaw of O365 and needs to be added/checked by O365. We sync O365 via AD Connect, but are primarily managing user accounts via on prem AD.

Feedback and Knowledge Base