Directory Synchronization & Active Directory User Account Enablement

  • Question

  • Issue: Customers have experienced O365 accounts becoming disabled when starting O365 Directory Synchronization after a BPOS->O365 transition.

    Root Cause: If a user account is ‘Disabled’ in the local AD, starting the O365 directory sync will also disable the account in O365.  This is because O365 directory sync also syncs the ‘Enabled/Disabled’ flag on user accounts, causing ‘Active’ user accounts to become disabled.

    Resolution: To resolve this, the accounts in the local AD can be changed to ‘Enabled’, which will enable the same accounts in O365, which can then be reused.

    Prevention: Prior to transition, customers should review their on-prem AD for scenarios where they may have ‘Disabled’ accounts in their local AD but ‘Enabled’ accounts in BPOS.  These accounts should be ‘Enabled’ prior to transition.  If the customer cannot enable these accounts, a support ticket should be raised with the MSODS team on alternative configuration to NOT sync the ‘Enabled’ flag PRIOR to the initial sync in O365.

    Additional information: Customers can get into this scenario when there is a divergence in the account state between BPOS and their on-prem AD.  In BPOS, when an account is disabled in the On-Prem AD, the BPOS sync process WILL ALSO disable the account in BPOS.  However, an administrator can then ‘Enable’ the account in BPOS and it will remain ‘Enabled’ in BPOS although the account is ‘Disabled’ in the On-Prem AD; the account is thus in a diverged state (BPOS=Enabled, and On-Prem=Disabled).  After the transition, when the O365 sync starts up, it will identify this diverged state and change the O365 account to match the on-prem state…‘Disabled’.

    Transitions Community Lead ...Ryan J. Phillips

    Friday, June 29, 2012 4:27 PM
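One way to carry out the pre-transition review described in the Prevention step, as an added example that is not part of the original post or of any Microsoft tooling: it lists on-prem AD accounts that are disabled locally but carry mail attributes, since those are the accounts most likely to be ‘Enabled’ in BPOS and therefore to be disabled once O365 directory sync starts. It assumes the ActiveDirectory RSAT module is installed and the domain-root search scope is the one you want; the output file name is a constructed choice.

```powershell
# Added example (not from the original post): report disabled on-prem AD users
# that have a mail address or proxyAddresses, i.e. accounts that may still be
# 'Enabled' in BPOS and would be disabled by O365 directory sync.
# Assumes: ActiveDirectory RSAT module available, read access to the domain.
Import-Module ActiveDirectory

# Assumption: review the whole domain; narrow -SearchBase to an OU if needed.
$SearchBase = (Get-ADDomain).DistinguishedName

# Enabled/Disabled is the flag that directory sync carries across, so start
# from every account that is currently disabled on-prem.
$disabled = Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $SearchBase `
    -Properties mail, proxyAddresses, userAccountControl, whenChanged

# Keep only accounts that look mail-enabled; those are the likely BPOS users.
$candidates = $disabled | Where-Object {
    $_.mail -or ($_.proxyAddresses -and @($_.proxyAddresses).Count -gt 0)
}

$report = $candidates | Select-Object SamAccountName, UserPrincipalName, mail,
    @{ Name = 'ProxyAddresses';     Expression = { @($_.proxyAddresses) -join ';' } },
    @{ Name = 'UserAccountControl'; Expression = { $_.userAccountControl } },
    whenChanged, DistinguishedName

$report | Sort-Object SamAccountName | Format-Table -AutoSize

# Constructed file name; compare this list against the BPOS 'Enabled' users
# before the initial O365 sync. Accounts that must stay usable are enabled
# on-prem first (the Resolution step), e.g.:
#   Enable-ADAccount -Identity <SamAccountName>
$report | Export-Csv -Path .\DisabledMailEnabledUsers.csv -NoTypeInformation

Write-Host ("{0} disabled on-prem account(s) carry mail attributes; review before starting DirSync." -f @($report).Count)
```

Run it as a read-only check first; the `Enable-ADAccount` line is a comment so nothing is changed until an administrator decides to apply the Resolution step.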