Disable Azure User through Microsoft Graph Powershell

Hi,

I am looking for a method to disable an Azure cloud account when a change to an on-premises user happens.

What I am thinking about is:

  1. The on-premises AD user has the cloud UPN filled in on extensionAttribute1 (John.Doe@company.onmicrosoft.com)
  2. When the on-premises user is disabled, a workflow should check the value of extensionAttribute1 and execute a Powershell script to disable the user in the Cloud.

I am not using Azure AD connect to sync users between on-premises and the cloud and the 2 identities are completely separate from each other.

Any suggestions?

Thanks.
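For the Microsoft Graph PowerShell route the question asks about, here is an added example (not code from the original poster or from Quest Active Roles). It assumes the ActiveDirectory and Microsoft.Graph modules are installed, that the caller can consent to the User.ReadWrite.All scope, and that the workflow passes the on-premises sAMAccountName in as a parameter; the input value and variable names are constructed for illustration.

```powershell
# Added example (not from the original post or Quest Active Roles): disable the
# cloud-only Entra ID / Azure AD account whose UPN is stored in the on-premises
# user's extensionAttribute1. Requires the ActiveDirectory and Microsoft.Graph
# PowerShell modules. The parameter value is an assumed input from the workflow.
param(
    [Parameter(Mandatory = $true)]
    [string]$OnPremSamAccountName   # constructed sample: "testuser"
)

Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions

# 1. Read the cloud UPN from the on-premises object.
$onPrem   = Get-ADUser -Identity $OnPremSamAccountName -Properties extensionAttribute1
$cloudUpn = $onPrem.extensionAttribute1

if ([string]::IsNullOrWhiteSpace($cloudUpn)) {
    throw "extensionAttribute1 is empty for $OnPremSamAccountName; nothing to disable."
}

# Sanity check: only hand a value that looks like a UPN to Graph, so a typo in the
# attribute cannot silently turn into a lookup of some other account.
if ($cloudUpn -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
    throw "extensionAttribute1 value '$cloudUpn' is not a valid UPN."
}

# 2. Connect with only the permission this task needs (least privilege).
Connect-MgGraph -Scopes "User.ReadWrite.All" -NoWelcome

# 3. Confirm the cloud object exists and really is cloud-only; a synced object
#    would be re-enabled by the next sync cycle and should be handled in AD.
$cloudUser = Get-MgUser -UserId $cloudUpn -Property Id,UserPrincipalName,AccountEnabled,OnPremisesSyncEnabled
if ($cloudUser.OnPremisesSyncEnabled) {
    throw "$cloudUpn is synced from on-premises; disable it in AD instead of via Graph."
}

if (-not $cloudUser.AccountEnabled) {
    Write-Output "$cloudUpn is already disabled."
}
else {
    # 4. Disable the account, then revoke refresh tokens so existing sessions
    #    stop working instead of living on until their tokens expire.
    Update-MgUser -UserId $cloudUser.Id -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $cloudUser.Id | Out-Null
    Write-Output "Disabled $cloudUpn and revoked its sign-in sessions."
}

Disconnect-MgGraph | Out-Null
```

Run it from the deprovisioning workflow as `.\Disable-CloudUser.ps1 -OnPremSamAccountName testuser` (script name assumed). The revoke step matters for deprovisioning: `AccountEnabled = $false` blocks new sign-ins, but access and refresh tokens already issued keep working until they expire unless the sessions are revoked. In an unattended workflow, replace the interactive `Connect-MgGraph` with an app registration or managed identity that holds only `User.ReadWrite.All`.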

  • Assuming you have your tenant configured / connected in Active Roles and all objects matched up with their Cloud equivalents, you don't have to resort to Graph for this.

    Rather, you can just set the attribute edsaAzureUserAccountEnabled to FALSE and this will disable the Cloud object for you.

  • So my on-premises user (testuser@ad.local) has an extensionAttribute1 (value: John.Doe@company.onmicrosoft.com) filled in. What I want is that during the deprovisioning of the account "testuser@ad.local" the cloud-only account "John.Doe@company.onmicrosoft.com" gets disabled.

  • You need to make a Change Workflow that is configured with an OnDeprovision start condition, and contains an Update Activity that sets the edsaAzureUserAccountEnabled property of your testuser@ad.local (identified as the Workflow Target) to FALSE.

    Assumption:  You have Active Roles admin service setup to communicate with your Office 365 tenant.
