421 votes · 19 comments · Office 365 Security & Compliance » Advanced Security Management

Kenneth West commented
Fellow Office 365 admin here with a similar concern as the OP and others below.
Is everyone here referring to literally expiring an AD account (accountExpires attribute) or truly disabling an AD account (userAccountControl attribute)? Those are fundamentally different operations with different outcomes.
Expiring an AD account does NOT prevent the user from signing in to Office 365. IMHO, expiring applies to AD only and not Azure AD, so Office 365 access continues. Only if you were to have AAD:PTA (https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta) or ADFS (https://docs.microsoft.com/en-us/windows-server/identity/active-directory-federation-services) would expiring potentially (I don't have either of these setups) have the outcome you are describing.
Disabling an AD account does prevent the user from signing in to Office 365.
If expiring is what you wish to continue doing, you could try a workaround of also resetting the user's AD password upon account expiration. Since password resets are synced to Office 365, that should give you the best of both worlds by blocking future Office 365 sign-ins until an AD admin can fully disable the account (which would block Office 365 access).
As for the poster asking for a way to kill existing Office 365 sessions, try these suggestions:
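The distinction between an expired account (`accountExpires`) and a disabled one (the ACCOUNTDISABLE bit in `userAccountControl`), and the password-reset workaround described above, can be checked and automated from the on-premises side. The following is an added example and is not part of Kenneth West's comment or any Microsoft script; it assumes the RSAT ActiveDirectory module, an account permitted to read and modify the users under `$SearchBase` (the OU path is a placeholder), and that password hash synchronization to Azure AD is enabled, since that is what makes the reset block cloud sign-ins.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# Report whether an account is merely expired (on-prem only) or actually disabled
# (synced to Azure AD, so it blocks Office 365 sign-in).
function Get-AccountBlockState {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName `
            -Properties AccountExpirationDate, userAccountControl

    $disabled = ($u.userAccountControl -band 0x2) -ne 0        # ACCOUNTDISABLE bit
    $expired  = [bool]$u.AccountExpirationDate -and
                ($u.AccountExpirationDate -le (Get-Date))       # accountExpires in the past

    [pscustomobject]@{
        SamAccountName     = $u.SamAccountName
        Expired            = $expired      # AD-only; Office 365 access continues
        Disabled           = $disabled     # synced; Office 365 access stops
        CloudSignInBlocked = $disabled     # expiry alone does not block the cloud
    }
}

# Workaround from the comment: for accounts that are expired but still enabled,
# reset the password to a random value so the synced hash no longer matches.
# Supports -WhatIf so it can be previewed before touching any account.
function Invoke-ExpiredAccountWorkaround {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$SearchBase = 'OU=Users,DC=example,DC=com')   # placeholder OU

    Search-ADAccount -AccountExpired -UsersOnly -SearchBase $SearchBase |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.SamAccountName, 'Reset password of expired account')) {
                # 32 random bytes from the system CSPRNG, base64-encoded as the new password
                $bytes = New-Object byte[] 32
                [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
                $newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

                Set-ADAccountPassword -Identity $_ -Reset -NewPassword $newPw
                Write-Verbose "Reset password for $($_.SamAccountName); next sync blocks cloud sign-in"
            }
        }
}

# Usage:
#   Get-AccountBlockState -SamAccountName 'jdoe'
#   Invoke-ExpiredAccountWorkaround -SearchBase 'OU=Staff,DC=corp,DC=example' -WhatIf
```

Run the report first to see how many expired-but-enabled accounts exist, then run the workaround with `-WhatIf` before doing it for real. The reset closes the gap only after the next Azure AD Connect sync cycle and only for new sign-ins; existing tokens and sessions are unaffected, which is the separate problem the next part of the thread addresses.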