I'm facing a frustrating issue with two employees who are returning after termination in my OnPrem/Azure joined environment. Normally, when an employee leaves, we disable their account, remove their E5 license, and convert their mailbox to a shared one, which then gets moved to the terminated users' OU. Now that these two are back, I can't seem to keep their accounts enabled on the M365 side. I've managed to move them to the correct OU, enable their OnPrem accounts, reset passwords (since we sync one way), revert their mailboxes from shared to regular, and assign licenses again. I even revoked their old authentication methods! Yet, with every sync through Microsoft Entra Connect, their Azure accounts keep getting disabled again. Interestingly, their OnPrem accounts remain enabled. What could possibly be going wrong?
3 Answers
Double-check that the ImmutableIds in Azure and OnPrem match up. That could be causing issues with syncing and preventing their accounts from remaining enabled.
Have you checked if the sync process might be creating new user objects while disabling the old ones? It could explain why their accounts keep getting disabled after the sync. The logs might give you a better idea of what's happening.
If all else fails, it could be simpler to just delete their accounts and set them up from scratch. Though I get that it's not always the ideal solution.
I would totally go that route if it were an option, but unfortunately, it's not right now.
No new objects are being created; I can see their title changes in Azure, so the account is syncing. But according to the logs, the account is still being disabled during the sync.