In this two-part article, I have laid out a scenario in which DirSync sets the Azure “BlockCredential” attribute of disabled Active Directory users. In Part 1, I explained how the Windows Azure Active Directory Sync tool (DirSync) causes this to happen. Part 2 (below) discusses how to change this behavior.
—
Last time, we saw that magic a rules extension prevents a user from logging into Office 365 if their on-premises Active Directory account was disabled. Below, I’ll show you how to override this attribute flow, but first a note on Microsoft Support:
NOTE: Changing the behavior of DirSync means that you may wander into “unsupported” terrain, but in my experience, unless an unsupported change is likely the cause for a given problem, Microsoft’s support staff have been understanding and have yet to terminate a support case without cause. Having said this, you should not expect Microsoft to incorporate your changes into their upgrade path, so be sure to document, backup, and plan upgrades accordingly.
As you’ll recall, the existing attribute flow is:
userAccountControl à Rules Extension à accountEnabled à Metaverse
Metaverse à accountEnabled à BlockCredential
We will adjust it to the following:
userAccountControl à Rules Extension à accountEnabled à Metaverse à <Nowhere>
In essence, we are allowing the rules extension to update the Metaverse, but not allowing the Azure MA to flow to the BlockedCredential attribute. This ensures changes in the on-premises Active Directory (such as disabling accounts) will not prevent login to Office 365 (be sure this is actually what you want before you proceed). Fortunately it also does not necessarily prevent an administrator from setting BlockedCredential manually on Office 365 users.
With our game plan, let’s begin by firing up the trusty miisclient.exe; usually located here:
C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe
We’re almost done! Two tasks remain:
- Test our change by:
- Creating a new AD user, ensure they sync to Office 365 and that they can log in
- Disable the user’s AD account, run another sync and ensure they can still log in.
- Determine how to update users that were disabled before our change. If you simply want to re/enable all currently disabled accounts, the below PowerShell sample might work well:
Connect-MsolService $BlockedUsers = Get-MsolUser -EnabledFilter DisabledOnly -All $i= 1 $BlockedUsers | ForEach-Object { Write-Host ($_.UserPrincipalName + " (" + $i + " of " + $BlockedUsers.count + ")" ) Set-MsolUser -UserPrincipalName $_.UserPrincipalName -BlockCredential $false $i = $i + 1 }
Thanks to William Yang for his advice on this post.