Prevent renewing Refresh Tokens when Active Directory user is disabled

Hello,

We want to make sure that our users are logged out of our application when their Active Directory account is disabled. We’re using Refresh Tokens and they keep being successfully renewed even after the AD account is disabled.

There doesn’t seem to be a way to get the AD account status field (“userAccountControl”) in Auth0 so we can’t create a Rule that would block the user or revoke the Refresh Tokens based on it.

Is there any way to achieve this?

Thank you!

Quick update: I’m still unable to achieve what I want, but I was able to get the “userAccountControl” field with Profile Mapping. However, it looks like the AD user stops getting synced to Auth0 when it’s disabled, so the change in “userAccountControl” is never visible to create a Rule.

Is there any way to make sure that AD users are still synced to Auth0 after they’re disabled? I tried playing with the config.json LDAP_SEARCH_* parameters, with no success.
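For readers who do manage to get “userAccountControl” synced into the profile, here is what the Rule half of this would look like. This is an added example, not code from the thread or from Auth0: it checks the ACCOUNTDISABLE bit (0x0002) of userAccountControl and denies the request, which, assuming Auth0 runs Rules on the refresh-token grant as it does on login, also stops the Refresh Token from being renewed. It assumes the Profile Mapping puts the attribute at user.userAccountControl (or under app_metadata); both locations are guesses. The caveat from the post still applies: if the connector never re-syncs a disabled account, the profile keeps the last enabled value and this check cannot see the change.

```javascript
// Added example (not from the thread or from Auth0): an Auth0 Rule that denies
// login / refresh-token exchange when the synced AD profile carries the
// ACCOUNTDISABLE bit in userAccountControl.
// Assumptions: the connector's Profile Mapping exposes the attribute as
// user.userAccountControl or user.app_metadata.userAccountControl (assumed
// locations); the value may arrive as a number or a numeric string.

const ACCOUNTDISABLE = 0x0002; // documented AD userAccountControl flag

// Parse the attribute and report whether the disabled bit is set.
// Returns null when the attribute is absent or unparseable so the caller can
// decide whether to fail open or fail closed.
function isAdAccountDisabled(userAccountControl) {
  if (userAccountControl === undefined || userAccountControl === null) return null;
  const value = typeof userAccountControl === 'number'
    ? userAccountControl
    : parseInt(String(userAccountControl), 10);
  if (!Number.isInteger(value) || value < 0) return null;
  return (value & ACCOUNTDISABLE) !== 0;
}

// Look for the attribute where a Profile Mapping might have put it (assumed).
function getUserAccountControl(user) {
  if (user.userAccountControl !== undefined) return user.userAccountControl;
  if (user.app_metadata && user.app_metadata.userAccountControl !== undefined) {
    return user.app_metadata.userAccountControl;
  }
  return undefined;
}

// The Rule body. In the Auth0 Rules sandbox UnauthorizedError is a global;
// outside it we fall back to Error so the function can be exercised locally.
function adAccountStatusRule(user, context, callback) {
  const DenyError = typeof UnauthorizedError !== 'undefined' ? UnauthorizedError : Error;
  const disabled = isAdAccountDisabled(getUserAccountControl(user));
  if (disabled === true) {
    return callback(new DenyError('Account is disabled in Active Directory'));
  }
  // Attribute missing or unparseable: this variant fails open. Return a
  // DenyError here instead if the stale-sync risk makes fail-closed preferable.
  return callback(null, user, context);
}

// Constructed sample profiles for a local run (not real tenant data).
const enabledUser = { user_id: 'ad|example|alice', userAccountControl: '512' }; // NORMAL_ACCOUNT
const disabledUser = { user_id: 'ad|example|bob', userAccountControl: 514 };    // NORMAL_ACCOUNT | ACCOUNTDISABLE

// Drive the Rule the way the sandbox would and report the outcome as a string.
function runRule(user) {
  let outcome;
  adAccountStatusRule(user, { protocol: 'oauth2-refresh-token' }, (err) => {
    outcome = err ? 'denied: ' + err.message : 'allowed';
  });
  return outcome;
}

console.log(runRule(enabledUser));  // allowed
console.log(runRule(disabledUser)); // denied: Account is disabled in Active Directory
```

Paste only the adAccountStatusRule body (with the two helpers) into a Rule; the sample profiles and runRule exist to exercise the logic locally. The fail-open branch is deliberate for this thread's situation, since a profile that was never re-synced will lack the updated value rather than carry a wrong one; switching it to fail-closed trades that for locking out every user whose mapping is incomplete.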

Hey there!

Sorry for such a delay in response! We’re doing our best in providing the best developer support experience out there, but sometimes the number of incoming questions is just too big for our bandwidth. Sorry for such an inconvenience!

Do you still require further assistance from us?