Feedback by UserVoice

Kenneth West

My feedback

  1. 519 votes
    Sign in
    Sign in with: Facebook Google
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    An error occurred while saving the comment
    Kenneth West commented  · 

    Fellow Office 365 admin here with a similar concern as the OP and others below.

    Is everyone here referring to literally expiring an AD account (accountExpires attribute) or truly disabling an AD account (userAccountControl attribute)? Those are fundamentally different operations with different outcomes.

    Expiring an AD account does NOT prevent the user from signing in to Office 365. IMHO, expiring applies to AD only and not Azure AD, so Office 365 access continues. Only if you were to have AAD:PTA ( or ADFS ( would expiring potentially (I don't have either of these setups) have the outcome you are describing.

    Disabling an AD account does prevent the user from signing in to Office 365.

    If expiring is what you wish to continue doing, you could try a workaround of also resetting the user's AD password upon account expiration. Since password resets are synced to Office 365, that should give you the best of both worlds by blocking future Office 356 sign ins until an AD admin can fully disable the account (which would block Office 365 access).

    As for the poster asking for a way to kill existing Office 365 sessions, try these suggestions:

Feedback and Knowledge Base