Emails Rejected for Azure Disabled Accounts

Last updated
Save as PDF

Situation	A former employee's Proofpoint account status is disabled, but Proofpoint still processes and passes mail on to the mail server. How to enable/disable user in Azure and Proofpoint? Why are mail emails being rejected for not-Active Accounts / Disabled Accounts in Azure.
Solution	Proofpoint is honoring the Not Active/Active flag within Azure. See below for instructions on how to enable mail flow for Block Sign-In set accounts in Office 365. Accounts in Proofpoint that are active or enabled are considered licensed and is being billed. A disable or inactive user is not using a license, so it is not being billed and there is NO email flow for disable accounts

Situation

A former employee's Proofpoint account status is disabled, but Proofpoint still processes and passes mail on to the mail server. How to enable/disable user in Azure and Proofpoint?

Why are mail emails being rejected for not-Active Accounts / Disabled Accounts in Azure.

Solution

Proofpoint is honoring the Not Active/Active flag within Azure. See below for instructions on how to enable mail flow for Block Sign-In set accounts in Office 365.

Accounts in Proofpoint that are active or enabled are considered licensed and is being billed. A disable or inactive user is not using a license, so it is not being billed and there is NO email flow for disable accounts

Why are my emails being rejected for non-Active in Proofpoint/Disabled accounts in Azure ?

There has been a change in the behavior of Proofpoint Essentials, where we are now honoring the Disabled flag given by Azure.

Accounts that are Block Sign-In in Azure from logon, will be replicated and Not Active in Proofpoint. This will also prevent mail-flow to that address.

To access the Block Sign-In setting within Office 365:

Open Exchange Admin Center.
Navigate to Active Users and search for the mailbox.
Click on the address.
Block Sign-In can be seen.

If you are experiencing mail flow issues to accounts, check if the Block Sign-In setting is set to Disabled or Active. Active will need to be set to allow mail flow.
If set to Block Sign-In , the account in Proofpoint will be honored and set to Not Active.

How to enable mail flow for Block Sign-In set accounts in Office 365:

Within Proofpoint:

Navigate to User Management > Users.
Set the account from Not Active to Active by selecting Activate User.

Navigate to User Management > Import & Sync > Azure Directory Sync.
Click Save & Run Sync Now.
Under Adding/Updating, click Exempt From Sync on the right side of the window.

Click Sync Active Directory.

This prevents future syncs from converting the Active status to Non-Active and mail flow will not be impacted.