AccountExpires is not synchronized by AAD Connect
I see that a lot of people have some pain synchronizing the account expiry from on-premises Active Directory to Azure AD using AAD Connect.
There are two or more requests on this topic:
and
The reason is that AAD Connect only picks up changes from the on-premises AD, and accountExpires is a static attribute: it holds a single dateTime (stored as a FILETIME, i.e. 100-nanosecond ticks since 1601-01-01 UTC; 0 and the Int64 maximum both mean "never expires") at which the account should expire. When that date is reached the account is expired, but nothing on the object itself is written. AAD Connect is state based: its delta import asks the domain controller, via the DirSync control, only for objects that were modified since the last import. Because the configured date is static and reaching it changes nothing on the object, there is no change for AAD Connect to pick up, and that is why the expiry never reaches Azure AD on its own. The practical consequence is that the cloud account stays enabled after the on-premises account has expired; with password hash synchronization Azure AD validates the password itself and never consults accountExpires, so the expired user can keep signing in to cloud resources until the object is changed for some other reason or a full synchronization re-evaluates it (with pass-through authentication or federation the domain controller rejects the expired account at sign-in, so the gap matters most with password hash sync).
There are some documented workarounds, but they either require a script that runs regularly (at least once a day), as mentioned here:
or require running the full synchronization run profile on the on-premises AD connector at least once a day, which re-evaluates the sync rules against every object instead of only the changed ones (noticeably heavier than a delta cycle in a large directory):
https://myserverissick.com/2019/01/how-to-make-azure-ad-connect-disable-expired-accounts/
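The scheduled-script workaround, as an added example that is not code from the original post or from either linked article: it finds on-premises accounts whose accountExpires date has already passed but which are still enabled, disables them, and optionally triggers a delta sync. Disabling the account writes userAccountControl, which bumps the object's change tracking, so the next AAD Connect delta import picks it up and accountEnabled flows to Azure AD. It assumes the ActiveDirectory module (RSAT) on the machine running it and the ADSync module if the final step is used; the SearchBase and TriggerDeltaSync parameters are this example's own.

```powershell
# Added example, not from the original post or the linked articles.
# Disable on-premises AD accounts whose accountExpires date has passed so that
# the resulting userAccountControl change is picked up by the next AAD Connect
# delta sync. Requires the ActiveDirectory module (RSAT); the optional final
# step requires the ADSync module on the AAD Connect server. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: search the whole domain; narrow this to the OUs you sync.
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,
    [switch]$TriggerDeltaSync
)

Import-Module ActiveDirectory

# accountExpires is a FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
# 0 and 9223372036854775807 (Int64.MaxValue) both mean "never expires".
$nowFileTime = [DateTime]::UtcNow.ToFileTimeUtc()
$never       = [Int64]::MaxValue

# Only accounts that are expired AND still enabled (userAccountControl bit 0x2 clear).
$ldapFilter = "(&(objectCategory=person)(objectClass=user)" +
              "(accountExpires>=1)(!(accountExpires=$never))(accountExpires<=$nowFileTime)" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

$expired = @(Get-ADUser -LDAPFilter $ldapFilter -SearchBase $SearchBase `
                        -Properties accountExpires, userAccountControl)

foreach ($user in $expired) {
    $expiry = [DateTime]::FromFileTimeUtc($user.accountExpires)
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Disable (expired $expiry UTC)")) {
        # This write is the "change" that AAD Connect's delta import can see.
        Set-ADUser -Identity $user -Enabled $false
        Write-Verbose "Disabled $($user.SamAccountName); expired $expiry UTC"
    }
}

# Optional: do not wait for the scheduler's next cycle.
if ($TriggerDeltaSync -and $expired.Count -gt 0) {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

Two caveats worth keeping in mind: the script changes the on-premises account state (disabled) rather than letting Azure AD compute expiry, so anyone who later extends the expiry date must also re-enable the account; and an already issued cloud token stays valid until it is refreshed, so the window between expiry and the next script run plus token lifetime is the real exposure.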
I think that the best solution for this issue is to add a new connector (management agent) that can calculate and populate this value. I'll evaluate this option and publish here soon…
Happy Troubleshooting!