Sync settings unexpected result - Unsuspending aad users with login blocked

[cbrherms]

Hi, currently having an issue when a specific set of options are enabled at the same time.

At present we have the following checked

[x] Create accounts in Moodle for users in Azure AD
[x] Update all accounts in Moodle for users in Azure AD
[x] Suspend previously synced accounts in Moodle when they are deleted from Azure AD
[ ] Delete previously synced accounts in Moodle when they are deleted from Azure AD (requires "suspend" option above)
[x] Re-enable suspended accounts for users in Azure AD
[x] Sync disabled status

Suspending/unsuspending has only recently been included in our syncs so i'm unsure when this result was introduced.

The issue we are having though is while deleted users in azure ad are being suspended correctly, users we previously suspended on moodle and revoked login on azure AD are being re-enabled within moodle.
I'm assuming this isn't an expected behaviour and the re-enable code is ignoring/overriding the disabled status code?

[weilai-irl]

Hi @cbrherms,

It looks to me that the user sync is doing what it's suppose to do.

In your example:

• A Moodle account is connected to a Microsoft account some time ago, and I assume the user is using auth_oidc.
• Some time later, the Moodle account is suspended.
• If the "Re-enable suspended accounts for users in Azure AD" option is checked, when running the user sync task, if the Microsoft account connected to the Moodle account is active, the Moodle account would be unsuspended.

Is this not what you expect for the option?

Regards,
Lai

[cbrherms]

Hi @weilai-irl

Sorry, I was unclear in my initial comment.

At present, the following is occurring with the mentioned settings checked.

User A -

• Present on both Azure AD and connected to an account on moodle using auth_oidc
  AD status: login allowed
  Moodle status: active
• User then deleted in Azure AD
• Next sync occurs
  Result: Linked moodle account suspended - Expected
• User A recovered from Azure AD recycle bin
• Next sync occurs
  Result: Linked moodle account unsuspended - Expected

User B -

• Present on both Azure AD and connected to an account on moodle using auth_oidc
  AD status: login blocked
  Moodle status: suspended
• Next sync occurs
  Result: Linked moodle account unsuspended even though login to Azure AD blocked - Unexpected

My expectation was that if a user was blocked from logging in to Azure AD, then they would be suspended in Moodle, if unblocked in Azure AD then unsuspended, but it appears that with the above settings it is just paying attention to the linked Azure accounts presence rather than its allowed/blocked Azure AD login status?

Pseudo of expected:

IF Exists_in_AD {
    IF AD_login_blocked {
        moodle_account: suspended
    }
    ELSE {
        moodle_account: active
    }
    ENDIF
}
ELSE {
    moodle_account: suspended
}
ENDIF