Problem
You can block a user from logging on to Office 365 by setting the BlockCredential attribute to $true.
Set-MsolUser -UserPrincipalName myuser@mcsmemail.de -BlockCredential $true
But the MSOL user attribute is reverted to $false, when ADD Connect synchronization cycle runs.
This happens because the local Active Directory attribute accountEnabled control the BlockCredential attribute in Azure AD.
Solution
Suppose your IT operation requires the ability to have enabled users in your local Active Directory infrastructure, and you need to prevent login to cloud services. In that case, you need to avoid the accountEnabled attribute from being synchronized to Azure AD. This might not necessarily be a general requirement during normal operations but might be helpful while doing a Proof-of-Concept.
Just exclude the attribute from the Azure Active Directory connector in the Synchronization Service Manager.
The following script disables all users, excluding
- Users following a specific naming pattern
- Users listed in a string array
# Userfilter
$UserExceptions = ("Sync_SYNC01_add98768492f@mcsmemail.onmicrosoft.com","SPO-SRV-ACCOUNT@mcsmemail.de","SynchedAdmin@mcsmemail.de")
# Fetch synchronized users
$DomainAccounts = Get-MsolUser -EnabledFilter EnabledOnly -MaxResults 5000 | Where-Object -Property LastDirSyncTime -ne $null
# Select synchronized users not following the pattern ADM*@mcsmemail.de (admin accounts in this case)
$DomainAccountsWithoutAdmins = $DomainAccounts | Where-Object -Property UserPrincipalName -notlike "ADM*@mcsmemail.de"
# Exclude accounts listed in $UserExceptions
$DomainAccountsWithoutAdminsFiltered = $DomainAccountsWithoutAdmins | Where-Object -Property UserPrincipalName -NotIn $UserExceptions
# Now block cloud logon for all filtered users
ForEach ($User2Block in $DomainAccountsWithoutAdminsFiltered) {
Write-Host ('Disabling User: {0}.UserPrincipalName)' -f $User2Block)
Set-MsolUser -UserPrincipalName $User2Block.UserPrincipalName -BlockCredential $true
}
Enjoy Office 365.
