Hi, I am looking for a method to disable an Azure cloud account when a change to an on-premises user happens. What I am thinking about is: The on-premises AD user has the cloud UPN filled in on extensionAttribute1 ( John.Doe@company.onmicrosoft.com ) When the on-premises user is disabled, a workflow should check the value of extensionAttribute1 and execute a Powershell script to disable the user in the Cloud. I am not using Azure AD connect to sync users between on-premises and the cloud and the 2 identities are completely separate from each other. Any suggestions? Thanks.

If you have your tenant properly configured and all on-premises objects correctly synchronized with their corresponding Cloud equivalents in Active Roles, you can efficiently disable the Cloud object by setting the attribute `edsaAzureUserAccountEnabled` to `FALSE`. This will deactivate the Cloud account without the need to resort to using the Graph API <a href=" ">https://upbhulekh.org/">up bhulekh</a>.

Disable Azure User through Microsoft Graph Powershell

sander.martijn 9 months ago

Hi,

I am looking for a method to disable an Azure cloud account when a change to an on-premises user happens.

What I am thinking about is:

The on-premises AD user has the cloud UPN filled in on extensionAttribute1 (John.Doe@company.onmicrosoft.com)
When the on-premises user is disabled, a workflow should check the value of extensionAttribute1 and execute a Powershell script to disable the user in the Cloud.

I am not using Azure AD connect to sync users between on-premises and the cloud and the 2 identities are completely separate from each other.

Any suggestions?

Thanks.

Parents

0 JohnnyQuest 9 months ago

Assuming you have your tenant configured / connected in Active Roles and all objects matched up with their Cloud equivalents, you don't have to resort to Graph for this.

Rather, you can just set the attribute edsaAzureUserAccountEnabled to FALSE and this will disable the Cloud object for you.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 JohnnyQuest 9 months ago in reply to JohnnyQuest

UPDATE:

Rather, you can just set the attribute edsaAzureUserAccountEnabled on the on-premises AD user to FALSE and this will disable the Cloud object for you.

You do this using Set-QADUser -proxy etc. OR using the more complicated ADSI method - whichever you are most comfortable with.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Reply

0 JohnnyQuest 9 months ago in reply to JohnnyQuest

UPDATE:

Rather, you can just set the attribute edsaAzureUserAccountEnabled on the on-premises AD user to FALSE and this will disable the Cloud object for you.

You do this using Set-QADUser -proxy etc. OR using the more complicated ADSI method - whichever you are most comfortable with.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Children

0 JohnnyQuest 9 months ago in reply to JohnnyQuest

....or easiest of all, in a Change Workflow which you said you were planning to use, you can just use an Update Activity to set this.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel