Hi Roland,
We have a feature request again, unsure if it's too far away from LAM's
core business or not. (or if there is more interest in it at all)
Here it goes: One of the problems with syncing local AD (like samba)
accounts to the Azure AD cloud (when including password hashes) is the
fact that when local AD passwords expire or accounts become disabled,
the linked account (+ password hash) in Azure AD remains unaffected.
Basically this has the effect that expired AD users can continue to
log on to Office 365 and other Azure-connected applications using their
on-prem password as if nothing happened.
We feel this behavior is a security risk (that's the way we look at it
anyway) and since LAM knows all about account status, password
expiration dates, etc., it seems LAM is a logical place to look at. :-)
Would it be possible to somehow extend LAM with functionality that would
update users in Azure AD, based on their on-prem AD status?
(specifically just for password expired, or account disabled)
All the other syncing is done by the Microsoft tools; it seems to be
just these things that the Microsoft tools somehow ignore.
All the best,
MJ
_______________________________________________
Lam-public mailing list
Lam-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lam-public