How to Block Disabled user accounts from syncing with Azure AD Connect


Azure AD Connect is the tool that lets you synchronize your on-premises AD accounts to Azure AD. So I wondered: what happens when you have some disabled user accounts in your on-premises AD environment? Do you really need them to synchronize? Probably not.

So let's see what you have to do if you don't want your disabled user accounts brought up to Azure AD. First, launch the Synchronization Rules Editor tool on your local computer and create a new Inbound synchronization rule, using the settings you see in the next picture. The “Connected System” should be your local domain or forest:


Click “Next”. In the Scoping filter dialog box, click the Add Group button and then the Add Clause button. Select useraccountcontrol as the Attribute, then select the ISBITSET operator with a value of 2 (if you want to know what this value really means, take a look here: https://support.microsoft.com/en-us/kb/305144).

Click the Next button and skip the Join Rules dialog box. In the Transformations dialog box, click the Add Transformation button and select Constant as the FlowType. Then select cloudFiltered as the Target Attribute and set the value to True, as in the next picture:

Now click the Add button to create the new rule. The new rule is applied after a Full Sync, so if you don't force one you should wait a few minutes, or you can start a manual Full Sync from the Synchronization Service Manager:

If you do a Metaverse search and check the properties of the disabled user, you can clearly see an attribute called cloudFiltered, which is now set to true:

If you check your user accounts list in the Azure AD portal, you can see that the disabled user is not on the list, because it was not synchronized:

Note - Without this rule, when you have a local AD account and disable it on-premises, it still syncs up to AAD. It does not show up as a soft-deleted account in Azure AD; instead the account is updated with BlockCredential set to True on the Get-MsolUser object, which means the user account will not be able to log in to any of the services in AAD, while AccountEnabled remains set to True.


Comments (1)

  1. TxMethodMan says:

    We put this in place, and I didn’t expect it to remove all of our Exchange resources… did I miss a step, or is this expected behavior? I figured the metaverse object type would have filtered between a person and a resource.
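The side effect raised in the comment is worth checking before the rule goes live: shared, room and equipment mailboxes are backed by AD user accounts that Exchange keeps disabled by design, so they carry the same userAccountControl bit the scoping filter tests. The script below is an added example, not code from the original post or from Azure AD Connect; it previews which accounts the ISBITSET 2 clause would mark cloudFiltered and flags the Exchange resource mailboxes among them. It assumes the ActiveDirectory RSAT module is installed, and the msExchRecipientTypeDetails values (4, 16, 32) are taken from the Exchange schema as an assumption.

```powershell
# Added example (not from the original post): preview the impact of the
# "userAccountControl ISBITSET 2" scoping filter before relying on it.
# Requires the ActiveDirectory RSAT module (Get-ADUser).
Import-Module ActiveDirectory

function Test-UacDisabledBit {
    # Mirrors the rule's ISBITSET operator: bit 2 (ACCOUNTDISABLE) of userAccountControl.
    param([int]$UserAccountControl)
    return (($UserAccountControl -band 2) -ne 0)
}

function Get-ResourceMailboxKind {
    # Maps msExchRecipientTypeDetails to the resource mailbox kinds that are
    # disabled by design (assumed schema values: 4=Shared, 16=Room, 32=Equipment).
    param([int64]$RecipientTypeDetails)
    switch ($RecipientTypeDetails) {
        4       { 'SharedMailbox' }
        16      { 'RoomMailbox' }
        32      { 'EquipmentMailbox' }
        default { $null }
    }
}

function Get-DisabledAccountFilterImpact {
    # Returns one object per account the rule would filter, flagging Exchange
    # resource mailboxes that probably need an exception clause in the rule.
    param([string]$SearchBase)   # assumption: caller supplies the OU/domain DN to audit

    # LDAP bitwise-AND matching rule (1.2.840.113556.1.4.803): same test the sync rule makes.
    $params = @{
        LDAPFilter = '(userAccountControl:1.2.840.113556.1.4.803:=2)'
        Properties = 'userAccountControl', 'msExchRecipientTypeDetails', 'mail'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params | ForEach-Object {
        $kind = Get-ResourceMailboxKind -RecipientTypeDetails ([int64]$_.msExchRecipientTypeDetails)
        [pscustomobject]@{
            SamAccountName   = $_.SamAccountName
            Mail             = $_.mail
            WillBeFiltered   = Test-UacDisabledBit -UserAccountControl $_.userAccountControl
            ExchangeResource = [bool]$kind
            RecipientType    = if ($kind) { $kind } else { 'n/a' }
        }
    }
}

# Usage: list everything the rule would hide, then only the resource mailboxes.
$impact = Get-DisabledAccountFilterImpact
$impact | Format-Table -AutoSize
$impact | Where-Object ExchangeResource | Select-Object SamAccountName, RecipientType
```

Any account in the second list would disappear from Azure AD once the rule runs, so either add a scoping clause that excludes those recipient types or accept that outcome knowingly.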
