In hybrid environments where user activity is split between Microsoft 365 (Microsoft Entra ID) and on-premises Active Directory, it's important to keep both directories clean and secure. This article explains how to set up an automation in ADManager Plus to automatically disable on-premises AD accounts when users are inactive in Microsoft Entra ID while ensuring active on-premises users remain unaffected. This helps IT teams streamline deprovisioning, reduce security risks, and maintain directory hygiene without disrupting legitimate access.
ADManager Plus is installed and connected to both your on-premises AD and your Microsoft 365 tenant.
Your technician account has the permission to create automations and manage user accounts.
Microsoft 365 sign-in activity is available to ADManager Plus so that the inactive users report returns data, and on-premises last logon data is being collected so that users who are still active in AD can be identified and excluded.
You're using a version of ADManager Plus that supports conditional automation (available in most recent builds).
Log in to ADManager Plus and go to Automation > Create New Automation.
In the Automation Name field, provide a clear name for your automation.
Use the Description field to briefly explain the purpose of this automation.
Set Automation Category to User Automation.
Under Select Domain, choose the domain and OUs where the automation should run. You can exclude child OUs if needed.
For Automation Task/Policy, select Disable Users.
In the From Reports drop-down:
Select Microsoft 365 Reports as the category, then choose the Inactive Azure AD Users report.
Customize the inactivity period to match your deprovisioning policy (for example, 90 days). Keep it long enough that planned absences such as leave do not trigger a disable.
Check both Exclude Active AD Users and Exclude objects modified by the previous execution of this automation. The first filter drops users who are inactive in Microsoft Entra ID but still logging on to on-premises AD, so only accounts that are idle in both directories are disabled; the second prevents an account that was already processed from being acted on again on every run.
Click OK to save the report selection.
Set the schedule under Run at. Choose how frequently the automation should run (e.g., hourly, daily, weekly, monthly, or a custom interval).
Enable Notifications to alert stakeholders via email or SMS.
Click the Edit icon to select or create a notification template.
To avoid multiple alerts per task, check the Send only Consolidated Report option while creating the template.
Click Save to schedule the automation or Save & Run to execute it immediately.
After execution, go to Reports > User Reports > Account Status Reports > Disabled Users to verify the results or click the icon to see the automation history and details.
Enable Implement Workflow so that each disable operation is routed for review and approval instead of executing directly; this guards against mass or accidental disables during the initial rollout.
Periodically review and update your business rules and report filters to ensure they align with current security policies.
Maintain a list of excluded accounts, such as VIPs, break-glass accounts, and service accounts that never sign in interactively and therefore appear inactive but must not be disabled.
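Before switching the automation from Save to Save & Run, it helps to see which accounts the rule "inactive in Entra ID, not active on-premises, not on the exclusion list" would actually hit. The following PowerShell script is an added example that reproduces that decision logic as a dry run; it is not ADManager Plus code and does not call the product. It assumes the Microsoft.Graph.Users and ActiveDirectory (RSAT) modules are installed, that the account running it can consent to User.Read.All and AuditLog.Read.All, and that the OU, the 90-day threshold and the exclusion list are placeholders you replace with your own. Accounts that have never signed in are treated as inactive only if they were created before the cutoff, so newly provisioned users are not caught.

```powershell
# Added example (not ADManager Plus code): dry-run the "inactive in Entra ID AND not active
# on-premises AND not excluded" rule so the candidate list can be reviewed before the
# automation is allowed to disable anything.
#Requires -Modules Microsoft.Graph.Users, ActiveDirectory
param(
    [int]$InactiveDays = 90,                                      # assumed policy value
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',           # assumed OU; match the automation's scope
    [string[]]$ExcludedSamAccountNames = @('svc-backup', 'breakglass-admin')  # constructed allow-list
)

# signInActivity is only returned when requested explicitly and requires AuditLog.Read.All.
Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All' -NoWelcome

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# 1. Inactive in Microsoft Entra ID. Only synced users matter here (onPremisesSyncEnabled),
#    and the most recent of the interactive and non-interactive sign-ins is what counts.
$entraUsers = Get-MgUser -All -Filter 'onPremisesSyncEnabled eq true' `
    -Property 'userPrincipalName,onPremisesSamAccountName,signInActivity,createdDateTime,accountEnabled'

$inactiveInEntra = foreach ($u in $entraUsers) {
    if (-not $u.OnPremisesSamAccountName) { continue }
    $lastSignIn = @($u.SignInActivity.LastSignInDateTime,
                    $u.SignInActivity.LastNonInteractiveSignInDateTime) |
                  Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    # Never signed in: inactive only if the account is older than the cutoff.
    $isInactive = if ($lastSignIn) { $lastSignIn -lt $cutoff } else { $u.CreatedDateTime -lt $cutoff }
    if ($isInactive) {
        [pscustomobject]@{
            SamAccountName  = $u.OnPremisesSamAccountName
            UPN             = $u.UserPrincipalName
            EntraLastSignIn = $lastSignIn
        }
    }
}

# 2. Exclude users who are still active on-premises. LastLogonDate is derived from
#    lastLogonTimestamp, which replicates but may lag the real last logon by up to 14 days,
#    so treat it as a lower bound and keep the cutoff well above 14 days.
$adUsers = @{}
Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' -Properties LastLogonDate |
    ForEach-Object { $adUsers[$_.SamAccountName] = $_ }

$candidates = foreach ($c in $inactiveInEntra) {
    $ad = $adUsers[$c.SamAccountName]
    if (-not $ad) { continue }                                               # outside scope or already disabled
    if ($ExcludedSamAccountNames -contains $ad.SamAccountName) { continue }  # VIP / service account allow-list
    if ($ad.LastLogonDate -and $ad.LastLogonDate -ge $cutoff) { continue }   # still active on-prem: keep
    $c | Add-Member -NotePropertyName ADLastLogon -NotePropertyValue $ad.LastLogonDate -PassThru
}

# 3. Dry run only: -WhatIf reports what would be disabled without changing anything.
#    Drop -WhatIf (or swap in -Confirm) only after the list has been reviewed and approved.
foreach ($c in $candidates) {
    Disable-ADAccount -Identity $c.SamAccountName -WhatIf
}
$candidates | Sort-Object EntraLastSignIn | Format-Table SamAccountName, UPN, EntraLastSignIn, ADLastLogon -AutoSize
```

Run it with the same OU scope and inactivity period you configured in the automation and compare its output with the Disabled Users report after the first scheduled execution; any account that appears in one list but not the other points at a filter mismatch or a stale on-premises logon stamp worth investigating before the workflow approval step is relaxed.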