
Prevent renewing Refresh Tokens when Active Directory user is disabled

active-directory
refresh-tokens

#1

Hello,

We want to make sure that our users are logged out of our application when their Active Directory account is disabled. We’re using Refresh Tokens and they keep being successfully renewed even after the AD account is disabled.

There doesn’t seem to be a way to get the AD account status field (“userAccountControl”) in Auth0 so we can’t create a Rule that would block the user or revoke the Refresh Tokens based on it.

Is there any way to achieve this?

Thank you!


#2

Quick update, I’m still unable to achieve what I want, but I was able to get the “userAccountControl” field with Profile Mapping. However, it looks like the AD user stops getting synced to Auth0 when it’s disabled, so the change in “userAccountControl” is never visible to create a Rule.

Is there any way to make sure that AD users are still synced to Auth0 after they’re disabled? I tried playing with the config.json LDAP_SEARCH_* parameters, with no success.