This document describes the lifecycle of accounts in the NETID Active Directory (AD) and the UW Azure AD, particularly as it relates to account inactivity. The lifecycle design allows accounts that go unused for short periods of time to be re-enabled without significant impact. Longer periods of inactivity result in a new user account with the same UW NetID, which may mean the user will need to re-establish access to resources for which that account had previously been granted explicit access (rather than via a group membership).
NETID AD and UW Azure AD account status are kept in sync
UW Azure AD accounts are provisioned based on NETID AD accounts. Therefore, the lifecycle design takes both accounts into consideration, and disabling or deleting an account in NETID AD results in disabling or deleting the corresponding account in Azure AD.
Note: in this document, “account” refers to both the NETID AD account and the Azure AD account. It doesn’t refer to uses of or impacts to a UW NetID outside Microsoft Infrastructure.
How is inactive status determined?
The status of an account can be “active” or “inactive”.
- Accounts without a password are considered inactive
- Accounts that lose eligibility to have a password are disabled and considered inactive
- Accounts that get a new password are reactivated and considered active
- Accounts that are considered inactive are disabled
- Accounts that have been disabled for a year will be deleted
What qualifies an account to be considered active?
An account qualifies for “active” status if any of these statements are true:
- UW NetID has a current employee or student affiliation
- UW NetID password has changed in the last year
- NETID AD or Azure AD has recorded a logon in the last year
- The user is licensed for Office 365 (see eligibility)
- A delegated OU admin or other business partner vouches that the account provides an active resource that does not log on, e.g. an Exchange resource mailbox
What specifically happens when an account becomes inactive?
First, it’s disabled.
The following changes are made to an account when it is disabled:
- Set the “enabled” attribute to false. This disables the AD account and the Azure AD account, after Azure AD Connect sync.
- Move the account object to a different OU structure, one that is still processed by Azure AD Connect and other identity data processes
- Add the account to a group that has the ‘Deny log on’ user right
These changes allow the account to be re-enabled more easily, if needed. It is important to note that this process does not make any changes to the corresponding account stored in the UW NetID system.
Note: Logon token lifetimes allow current sessions to persist even when an account is disabled. We do not plan to revoke existing logon tokens or sessions because there is no indicated urgency to do so and they will expire normally. Other processes exist to revoke logon tokens and sessions more urgently.
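As an added illustration (not UW-IT’s own tooling), the following PowerShell shows the “active” check from the previous section and the three disable changes listed above using the RSAT ActiveDirectory cmdlets. The OU paths, group name and search base are placeholders, and the criteria that live outside AD (affiliation, Office 365 license, OU-admin voucher) are assumed to be supplied by the caller as flags.

```powershell
# Requires the RSAT ActiveDirectory module and rights on the OUs involved.
Import-Module ActiveDirectory

# Evaluate the "active" criteria. Affiliation, Office 365 licensing and the
# OU-admin voucher are not AD attributes, so the caller passes them as flags.
function Test-NetidAccountActive {
    param(
        [Parameter(Mandatory)]$User,            # ADUser fetched with PasswordLastSet, LastLogonTimestamp
        [bool]$HasCurrentAffiliation = $false,  # employee/student affiliation from the UW NetID system
        [bool]$IsLicensedForO365     = $false,  # Azure AD license check
        [bool]$IsVouchedResource     = $false   # e.g. Exchange resource mailbox vouched for by an OU admin
    )
    $cutoff = (Get-Date).AddYears(-1)
    # No password at all => inactive before any other criterion is considered (assumed ordering)
    if (-not $User.PasswordLastSet) { return $false }
    $lastLogon = $null
    if ($User.LastLogonTimestamp) { $lastLogon = [DateTime]::FromFileTime($User.LastLogonTimestamp) }
    return ($HasCurrentAffiliation -or
            $User.PasswordLastSet -gt $cutoff -or
            ($lastLogon -and $lastLogon -gt $cutoff) -or
            $IsLicensedForO365 -or
            $IsVouchedResource)
}

# Apply the three "disable" changes. OU and group names are placeholders.
function Disable-NetidInactiveAccount {
    param(
        [Parameter(Mandatory)]$User,
        [string]$InactiveOU     = 'OU=Inactive,DC=example,DC=edu',  # placeholder: still in Azure AD Connect scope
        [string]$DenyLogonGroup = 'Inactive-DenyLogon',             # placeholder: group holding the 'Deny log on' right
        [switch]$WhatIf
    )
    $guid = $User.ObjectGUID.ToString()   # stable identity; the DN changes after the move
    # 1. enabled = false; Azure AD Connect carries this to the Azure AD account on the next sync.
    Set-ADUser -Identity $guid -Enabled $false -WhatIf:$WhatIf
    # 2. membership in the deny-logon group blocks new logons via the user right.
    Add-ADGroupMember -Identity $DenyLogonGroup -Members $guid -WhatIf:$WhatIf
    # 3. move to the inactive OU structure; existing tokens are left to expire normally.
    Move-ADObject -Identity $guid -TargetPath $InactiveOU -WhatIf:$WhatIf
}

# Dry run over accounts that look inactive from AD data alone (the external
# flags default to false here); drop -WhatIf to apply the changes.
Get-ADUser -Filter 'Enabled -eq $true' -SearchBase 'OU=Users,DC=example,DC=edu' `
    -Properties PasswordLastSet, LastLogonTimestamp |
  Where-Object { -not (Test-NetidAccountActive -User $_) } |
  ForEach-Object { Disable-NetidInactiveAccount -User $_ -WhatIf }
```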
After a year of inactivity, it’s deleted.
Accounts that have been disabled for a year will be deleted from the NETID Active Directory and Azure AD. The account can still be re-enabled, but permissions may need to be updated.
How do inactive accounts get re-enabled?
Refer to re-enable a NETID AD account for instructions on re-enabling accounts that have been disabled or deleted due to inactivity.