Office365 Security: Local Active Directory Expires Attribute does not disable Office365 Account

Jon Prange, Director of Managed Services | September 21, 2018

During some recent testing, we discovered that the on-premises Active Directory attribute AccountExpires is not synchronized to Azure Active Directory (AAD), the directory behind Office365. Many organizations rely on this attribute to set a future expiration date on an account, both as part of their termination policy for scheduled departures and for time-limited contractor and consultant accounts.

Some organizations use Active Directory Federation Services (ADFS) to authenticate users. In that configuration every sign-in is validated against the local directory, so an expired account is blocked from local resources (logging into computers, VPN connections into the network, etc.) and from Office365 services (Exchange, SharePoint, Skype) alike. Other organizations rely on Azure Active Directory itself to authenticate users. In that configuration the expiration still blocks the user from local resources, but it does not prevent the user from signing into Office365 and using those services.

The only way to prevent the user from signing into Office365 in this scenario is one of two methods:

  1. Disable the local account; the disabled state is then synchronized to Azure Active Directory by Azure AD Connect.
  2. Edit the user's sign-in status in the Office365 admin console and change it to "blocked".
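The following PowerShell script is an added example, not code from the original post or from Interphase Systems. It implements both methods above as a scheduled check: it finds on-premises accounts whose AccountExpires date has already passed but which are still enabled, disables them so that Azure AD Connect carries the disabled state to Azure AD (method 1), and optionally blocks sign-in in Azure AD immediately with the MSOnline module (method 2). It assumes the ActiveDirectory RSAT module is installed, that the MSOnline module and an account with user-administration rights are available when the Azure step is requested, and that the search OU is a placeholder you replace with your own.

```powershell
# Added example: disable on-premises AD accounts whose accountExpires date has passed
# and, optionally, block their Azure AD sign-in directly. Not code from the original post.
# Assumptions: ActiveDirectory module present; MSOnline module and admin rights only
# needed with -AlsoBlockInAzureAD; $SearchBase is a placeholder OU.
param(
    [string]$SearchBase = "OU=Contractors,DC=example,DC=com",   # placeholder, adjust
    [switch]$AlsoBlockInAzureAD,
    [switch]$DryRun
)

Import-Module ActiveDirectory

# accountExpires is stored as a Windows FILETIME: 100-nanosecond ticks since
# 1601-01-01 UTC. Both 0 and Int64.MaxValue mean "never expires".
function Convert-AccountExpires {
    param([Int64]$FileTime)
    if ($FileTime -eq 0 -or $FileTime -eq [Int64]::MaxValue) { return $null }
    return [DateTime]::FromFileTimeUtc($FileTime)
}

$now = (Get-Date).ToUniversalTime()

# Pull every enabled user with the raw attribute and filter in PowerShell so the
# conversion above is the single place that interprets the value.
$expiredButEnabled = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties accountExpires, userPrincipalName |
    ForEach-Object {
        $exp = Convert-AccountExpires -FileTime $_.accountExpires
        if ($exp -and $exp -lt $now) {
            [PSCustomObject]@{
                SamAccountName    = $_.SamAccountName
                UserPrincipalName = $_.UserPrincipalName
                ExpiredUtc        = $exp
            }
        }
    }

if (-not $expiredButEnabled) {
    Write-Host "No expired-but-enabled accounts found under $SearchBase"
    return
}

$expiredButEnabled | Format-Table -AutoSize

if ($AlsoBlockInAzureAD) {
    Import-Module MSOnline
    Connect-MsolService     # interactive sign-in with a user-administration account
}

foreach ($u in $expiredButEnabled) {
    # Method 1: disable on-premises; Azure AD Connect synchronizes the disabled state
    # on its next cycle (30 minutes by default).
    Disable-ADAccount -Identity $u.SamAccountName -WhatIf:$DryRun
    Write-Host "Disabled on-prem account $($u.SamAccountName) (expired $($u.ExpiredUtc))"

    if ($AlsoBlockInAzureAD -and -not $DryRun) {
        # Method 2: block sign-in in Azure AD now rather than waiting for the sync.
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -BlockCredential $true
        Write-Host "Blocked Azure AD sign-in for $($u.UserPrincipalName)"
    }
}
```

Run it with `-DryRun` first to see which accounts would be touched. The detection step is equivalent to the built-in `Search-ADAccount -AccountExpired -UsersOnly`; the explicit FILETIME conversion is kept so the script can also report the exact expiration time, which is useful when reconciling against termination records. Disabling the account rather than relying on expiration is the point of the exercise: the Enabled flag is what Azure AD Connect synchronizes, while AccountExpires is not.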

This has been reported to Microsoft as a significant security flaw, since users that an organization expects to be locked out of its resources can still access all of the Office365 services.


If you have any questions regarding this, simply contact our team via our web form and we'll set up a call to discuss.
