IT Connect
Information technology tools and resources at the UW

NETID User Inactivity

Status: The account lifecycle described on this page will be phased in January-March 2019.

Purpose

This document describes the lifecycle of accounts in the NETID Active Directory (AD) and the UW Azure AD, particularly as it relates to account inactivity. The lifecycle design allows accounts that go unused for short periods of time to be re-enabled without significant impact. Longer periods of inactivity result in a new user account with the same UW NetID, which may mean the user will need to re-establish access to resources for which that account had previously been granted explicit access (rather than via a group membership).

NETID AD and UW Azure AD account status are kept in sync

UW Azure AD accounts are provisioned based on NETID AD accounts. Therefore, the lifecycle design takes both accounts into consideration, and disabling or deleting an account in NETID AD results in disabling or deleting the corresponding account in Azure AD.

Note: in this document, “account” refers to both the NETID AD account and the Azure AD account. It doesn’t refer to uses of, or impacts to, a UW NetID outside the Microsoft infrastructure.

Account lifecycle

How is inactive status determined?

The status of an account can be “active” or “inactive”.

  • Accounts without a password are considered inactive
  • Accounts that lose eligibility to have a password are disabled and considered inactive
  • Accounts that get a new password are reactivated and considered active
  • Accounts that are considered inactive are disabled
  • Accounts that have been disabled for a year will be deleted

What qualifies an account to be considered active?

An account qualifies for “active” status if any of these statements are true:

  • UW NetID has a current employee or student affiliation
  • UW NetID password has changed in the last year
  • NETID AD or Azure AD has recorded a logon in the last year
  • MSCA has licensed the account for Office 365 (per MSCA eligibility)
  • A delegated OU admin or other business partner such as MSCA vouches that the account backs an active resource that does not log on, e.g. an Exchange resource mailbox

What specifically happens when an account becomes inactive?

First, it’s disabled.

The following changes are made to an account when it is disabled:

  1. Set the “enabled” attribute to false. This disables the AD account and, after the next Azure AD Connect sync, the Azure AD account.
  2. Move the account object to a different OU structure, one that is still processed by Azure AD Connect and other identity data processes.
  3. Set the password to a random, 128-character value drawn from a complex character set.
  4. Add the account to a group that has the ‘Deny log on’ user right.

These changes allow the account to be re-enabled more easily, if needed.
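The four disable steps above, as an added PowerShell example (not UW's own tooling) using the ActiveDirectory module; the inactive OU path and the deny-logon group name are placeholders, not UW values.

```powershell
# Added example, not UW's own code. Requires the ActiveDirectory module and
# rights to modify the target account; OU and group names below are placeholders.
#Requires -Modules ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 128)
    # Complex character set, filled from a CSPRNG; rejection sampling keeps the
    # byte-to-character mapping uniform (no modulo bias toward early characters).
    $chars = [char[]]('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+[]{};:,.<>?')
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $chars.Length)
    $out   = New-Object System.Text.StringBuilder
    $buf   = New-Object byte[] 1
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$out.Append($chars[$buf[0] % $chars.Length]) }
    }
    return $out.ToString()
}

function Disable-InactiveAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$InactiveOU    = 'OU=Inactive,DC=example,DC=edu',   # placeholder path
        [string]$DenyLogonGroup = 'Inactive-DenyLogon'               # placeholder group
    )
    $u = Get-ADUser -Identity $SamAccountName -Properties DistinguishedName

    # 1. Clear "enabled"; Azure AD Connect carries the disabled state to Azure AD on its next sync.
    Set-ADUser -Identity $u -Enabled $false

    # 2. Move the object to the inactive OU, which stays inside the Azure AD Connect sync scope.
    Move-ADObject -Identity $u.DistinguishedName -TargetPath $InactiveOU

    # 3. Replace the password with a random 128-character value; it is never written out or returned.
    $pw = ConvertTo-SecureString -String (New-RandomPassword -Length 128) -AsPlainText -Force
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $pw

    # 4. Add the account to the group that carries the 'Deny log on' user right.
    Add-ADGroupMember -Identity $DenyLogonGroup -Members $SamAccountName

    # Existing logon tokens and sessions are left to expire on their own, as the page describes.
}
```

Because every step is keyed on the account name and each cmdlet is safe to repeat, the function can be re-run on an account that was only partially processed.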

Note: Logon token lifetimes allow current sessions to persist even when an account is disabled. We do not plan to revoke existing logon tokens or sessions because there is no indicated urgency to do so and they will expire normally. Other processes exist to revoke logon tokens and sessions more urgently.

After a year of inactivity, it’s deleted.

Accounts that have been disabled for a year will be deleted. The account can still be re-enabled, but permissions may need to be updated.

How do inactive accounts get re-enabled?

Refer to re-enable a NETID AD account for instructions on re-enabling accounts that have been disabled or deleted due to inactivity.