Termination Best Practices for Office 365 Azure AD

Category: azure windowsazuread


Chris_CHC on Thu, 12 Jan 2017 23:11:18

Background: We are a hybrid Office 365 customer with Azure AD Premium. We sync on-premises AD to Azure AD (but no passwords). We use an on-premises IDP for SSO (not ADFS).

Challenge: When a user is terminated, we disable the AD account, which syncs to the Azure AD user. However, the user is still actively signed into Exchange Online with an STS token, thus bypassing SSO authentication with the IDP until it expires. How can we ensure that the user cannot access Office 365 immediately, including killing active sessions? Ideally the solution should be executed via Azure AD PowerShell, not in the admin console. Any examples would be appreciated.


Loydon Mendonca on Fri, 13 Jan 2017 17:47:06

Hello Chris,

Thank you for posting on the Microsoft Azure forums!

You can follow the below steps to disable access.

1- Change the password on the mailbox
2- Remove the mailbox using the “Remove-Mailbox” command
For example:
Remove-Mailbox -Identity "Loy Castro"
Wait 15 minutes

3- Restore the mailbox

Restoring the mailbox is an important step in this process, since the mailbox will be automatically deleted if you do not restore it within 30 days.

Let me know if this helps.

I shall be moving this thread to Azure Active Directory forums since this appears to be in the wrong place.



When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer so that other customers can benefit from it.
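The question asks specifically for an Azure AD PowerShell way to cut off access and kill active sessions, which the reply above does not show. The script below is an added example written for this thread, not code from either poster. It blocks sign-in and invalidates the user's refresh tokens (so existing Office 365 sessions cannot be renewed once the current access token expires), then reads back the values an administrator would check. It goes beyond the reply's mailbox remove/restore steps, which are Exchange Online operations and are not repeated here. It assumes the MSOnline and AzureAD modules are installed and that Connect-MsolService and Connect-AzureAD have already been run; $Upn is a placeholder for the terminated user's sign-in name.

```powershell
# Added example for this thread (not the original posters' code).
# Assumes: MSOnline and AzureAD modules installed, Connect-MsolService and
# Connect-AzureAD already run with an account that can manage users.
# $Upn is a placeholder; replace with the terminated user's UPN.
param(
    [Parameter(Mandatory = $true)]
    [string]$Upn
)

# 1. Block sign-in at the cloud identity. This takes effect for new
#    authentications even though the on-premises disable may still be
#    waiting for the next directory sync cycle.
Set-MsolUser -UserPrincipalName $Upn -BlockCredential $true

# 2. Invalidate every refresh token the user holds. Clients keep working
#    only until their current access token expires, then cannot renew.
$user = Get-AzureADUser -ObjectId $Upn
Revoke-AzureADUserAllRefreshToken -ObjectId $user.ObjectId

# 3. Read back what was set so the termination can be verified and logged.
$after = Get-AzureADUser -ObjectId $user.ObjectId
$msol  = Get-MsolUser -UserPrincipalName $Upn

[pscustomobject]@{
    UserPrincipalName           = $Upn
    SignInBlocked               = $msol.BlockCredential
    # Tokens issued before this timestamp are no longer accepted.
    RefreshTokensValidFrom      = $after.RefreshTokensValidFromDateTime
    RevokedAtUtc                = (Get-Date).ToUniversalTime()
}
```

The returned object is what you would keep in the termination ticket: BlockCredential should read True and RefreshTokensValidFromDateTime should be at or just before RevokedAtUtc. Note that revocation does not tear down a session whose access token is still within its lifetime; it prevents renewal, so the effective cut-off is the remaining token lifetime rather than instantaneous.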