0

One of our users recently switched roles to a new position where they will not need computer access anymore, except for checking emails. I need to disable their AD account while not removing their Outlook login or mailbox.

My first thought was to remove the proxyAddress attribute value in AD, do a sync, then disable the user in AD. But what I've read is that you need to disable the user in AD, or move them into an unsynced OU, then go into the 365 admin portal, re-enable their account, and delete the immutable ID. I'd love to get confirmation if this is right.

I can't find a consistent answer on Google and don't want to risk losing their mailbox.

2 Answers

2

How are they going to check their email if not from a computer? Will they only be accessing their email from a mobile device/smartphone?

At any rate, if you "unsync" the user they'll then be deleted in Office 365 and you can then simply restore the user in Office 365 and they'll become a "cloud only" account. There's no need to modify any attributes.

joeqwerty
  • I've heard some people set the logonHours to zero/none. Not an ideal solution. – Greg Askew Apr 05 '23 at 20:38
  • Yes, they can only access their email from a kiosk web browser or their phones. This worked for me, much simpler than the hundreds of forum posts which add many very complicated steps. Thank you! – justdoingmyjob Apr 06 '23 at 20:10
  • @justdoingmyjob Glad to help. Just make sure the on-premises user account is not in scope of Azure AD Connect so that they aren't resynced to the Office 365 account. – joeqwerty Apr 06 '23 at 21:18
  • Perfect! very helpful man, thanks a bunch. Is there any way to see on the AD end which OUs are synched to AAD? I don't have permissions to look at AAD Connect apparently. I'm just a junior sys admin so yeah. But through trial and error I found one which isn't synched. – justdoingmyjob Apr 07 '23 at 14:16
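
The restore step from the answer above, as an added PowerShell example that is not part of the original answer or comments. It assumes the Microsoft Graph PowerShell SDK (v2), an admin role that can restore users, the `User.ReadWrite.All` scope, and that the on-premises account has already left sync scope and a sync cycle has run; the function name and `user@example.com` are placeholders.

```powershell
# Added example (not from the thread). Needs the Microsoft.Graph modules that provide
# Connect-MgGraph, Get-MgUser and the directory deleted-item cmdlets.
function Restore-AsCloudOnlyUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName   # placeholder supplied by the caller
    )

    # 1. Once the AD object is out of sync scope and a sync has run, the cloud user
    #    is soft-deleted. A deleted user's UPN can carry a prefix, so match on the ending.
    $deleted = @(Get-MgDirectoryDeletedItemAsUser -All | Where-Object {
        $_.UserPrincipalName -and
        $_.UserPrincipalName.EndsWith($UserPrincipalName, [StringComparison]::OrdinalIgnoreCase)
    })
    if ($deleted.Count -eq 0) {
        throw "No soft-deleted user ends with '$UserPrincipalName'. Has the sync removed it yet?"
    }
    if ($deleted.Count -gt 1) {
        throw "Several deleted users match '$UserPrincipalName'; restore by object ID instead."
    }
    $id = $deleted[0].Id

    # 2. Restore the deleted object (skipped under -WhatIf), then
    # 3. report the properties worth checking: sign-in state, whether the directory
    #    still treats the account as synced, the stored immutable ID, and licences.
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Restore soft-deleted user')) {
        Restore-MgDirectoryDeletedItem -DirectoryObjectId $id | Out-Null

        $props = 'Id', 'UserPrincipalName', 'AccountEnabled',
                 'OnPremisesSyncEnabled', 'OnPremisesImmutableId', 'AssignedLicenses'
        Get-MgUser -UserId $id -Property $props |
            Select-Object UserPrincipalName, AccountEnabled,
                OnPremisesSyncEnabled, OnPremisesImmutableId,
                @{ Name = 'LicenseCount'; Expression = { @($_.AssignedLicenses).Count } }
    }
}

Connect-MgGraph -Scopes 'User.ReadWrite.All'
# Dry run first; remove -WhatIf to perform the restore.
Restore-AsCloudOnlyUser -UserPrincipalName 'user@example.com' -WhatIf
```

Run it again a day later with `Get-MgUser` alone to confirm the account has not been picked up by a later sync cycle.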
0

You can follow these steps to configure it:

  1. Remove the EXO license
  2. Clear the mailbox info as before: `Set-User -Identity "xxx@<your domain>" -PermanentlyClearPreviousMailboxInfo`
  3. Resync - ensure the MSExchangeGuid is synced
  4. Re-add the EXO license to the mail user in 365

At this point, the EXO mailbox should not be created if the mailbox is on-prem.

falaisi