Preventing User Account Authentication in Azure AD | Exam SC-300 Solution

Preventing User Account Authentication in Azure AD

Question

Note: This question is part of a series of questions that present the same scenario.

Each question in the series contains a unique solution that might meet the stated goals.

Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it.

As a result, these questions will not appear in the review screen.

You have an Active Directory forest that syncs to an Azure Active Directory (Azure AD) tenant.

You discover that when a user account is disabled in Active Directory, the disabled user can still authenticate to Azure AD for up to 30 minutes.

You need to ensure that when a user account is disabled in Active Directory, the user account is immediately prevented from authenticating to Azure AD.

Solution: You configure password writeback.

Does this meet the goal?

Answers

Explanations


A. Yes
B. No

Correct answer: B

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/choose-ad-authn

No. Configuring password writeback does not meet the goal of immediately preventing a user account that has been disabled in Active Directory from authenticating to Azure AD.

Password writeback is an Azure AD Connect feature that copies password changes and resets made in Azure AD (self-service password reset, or an administrator reset in the portal) back to the on-premises Active Directory. It is a one-way flow from the cloud to on-premises, it carries only passwords, and it has no effect on how or when the account-enabled state of an on-premises user reaches Azure AD.

The 30-minute delay in the scenario is a symptom of password hash synchronization. With that method Azure AD holds a copy of the password hash and validates sign-ins itself; the accountEnabled attribute is copied from Active Directory by the Azure AD Connect scheduler, which runs a delta sync every 30 minutes by default. Until the next cycle exports the change, Azure AD still considers the account enabled and still accepts the synchronized hash.

The solution that does meet the goal is pass-through authentication (PTA). With PTA, Azure AD does not store the password; the credentials are forwarded to an authentication agent on-premises, which validates them against a domain controller at sign-in time. A disabled, locked-out or expired on-premises account is therefore rejected on the next sign-in attempt, without waiting for a sync cycle (see the linked Microsoft documentation on choosing an authentication method). Tokens issued before the account was disabled remain valid until they expire, whichever method is in use.

Forcing a delta sync cycle shortens the window for a single emergency offboarding but does not remove it, and Azure AD Identity Protection evaluates risk signals rather than on-premises account state, so neither is a substitute for pass-through authentication here.
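The following PowerShell script is an added example, not part of the original question or of Microsoft's documentation. Run on the Azure AD Connect server, it makes the 30-minute window visible (the ADSync scheduler's default delta-sync interval), then forces a delta sync for one urgent offboarding and verifies the result in Azure AD through Microsoft Graph. The account name jdoe, the UPN jdoe@contoso.com and the installed modules are assumptions; adjust them for your environment.

```powershell
<#
  Added example (hypothetical account names; not from the original page).
  Run in an elevated PowerShell session on the Azure AD Connect server.
  Shows where the 'up to 30 minutes' under password hash synchronization comes
  from and how to shrink it for a single user by forcing a delta sync.
  Assumes the RSAT ActiveDirectory, ADSync and Microsoft.Graph.Users modules.
#>
param(
    [string]$SamAccountName     = 'jdoe',               # assumed on-prem account
    [string]$UserPrincipalName  = 'jdoe@contoso.com'    # assumed UPN in Azure AD
)

Import-Module ActiveDirectory
Import-Module ADSync
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Users.Actions

# 1. Disable the account on-premises. Under password hash synchronization
#    Azure AD learns about this only when a sync cycle exports accountEnabled.
Disable-ADAccount -Identity $SamAccountName
Write-Host "Disabled $SamAccountName in on-premises AD at $(Get-Date -Format o)"

# 2. Show the scheduler. CurrentlyEffectiveSyncCycleInterval is 00:30:00 by
#    default: that is the window the exam question describes.
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval, NextSyncCycleStartTimeInUTC |
    Format-List

# 3. Do not wait for the timer: start a delta sync now. Only one cycle can run
#    at a time, so this throws if a scheduled cycle is already in progress.
Start-ADSyncSyncCycle -PolicyType Delta

# 4. Wait for the connector runs to finish; the cmdlet returns nothing when idle.
while (Get-ADSyncConnectorRunStatus) {
    Start-Sleep -Seconds 5
}

# 5. Verify in Azure AD that the disabled state has arrived.
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome
$cloudUser = Get-MgUser -UserId $UserPrincipalName -Property 'AccountEnabled','UserPrincipalName'

if ($cloudUser.AccountEnabled) {
    Write-Warning "$UserPrincipalName is still enabled in Azure AD; check the export step of the sync run"
} else {
    Write-Host "$UserPrincipalName is now disabled in Azure AD"
    # 6. Disabling the account stops new sign-ins, but access tokens already
    #    issued stay valid until they expire. Revoking refresh tokens closes
    #    the gap for any session that would otherwise renew silently.
    Revoke-MgUserSignInSession -UserId $UserPrincipalName | Out-Null
    Write-Host "Refresh tokens for $UserPrincipalName revoked"
}
```

This shortens the window from minutes to roughly the duration of one delta sync, which is useful for an emergency but is still not "immediately" in the sense of the question. Only pass-through authentication, where a domain controller validates the credentials at sign-in time, removes the dependency on the sync cycle altogether.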