Office 365 / Azure AD - Identifying Disabled Users


If you need a quick way to identify users in Azure AD that are sync'd from On-Premises AD whose accounts are disabled, you can use the following script to query the "BlockCredential" property for each user in Azure AD ($true means that the user account is disabled).

Foreach ($User in (Get-MsolUser -All))
{
If ($User.BlockCredential -eq $true)
    {
    Write-Host $User.UserPrincipalName "is disabled" -ForegroundColor Red
    }
}

As you can see from the example below - dean@brendg.co.uk is a disabled user account. I recently had to use this when helping a customer to pre-provision SharePoint Online MySites (90K in total) using Request-SPOPersonalSite, we only wanted to provision MySites for "active" users, the default behaviour for Azure AD Sync/DirSync is to include disabled users (this is required for Exchange) therefore we needed to identify which users were disabled and omit these from the MySite provisioning script that we had created.

Brendan Griffin - @brendankarl


Comments (1)

Skip to main content