If you're worried about, or have already seen, ActiveSync continuing to work after a user's AD/Office365 account has been disabled, this guide will help you prevent that in the future. ActiveSync devices with long heartbeat intervals can keep pulling mailbox content for up to 24 hours after the account itself has been disabled, because disabling the account does not by itself terminate an established sync relationship.

The best practices for completely disabling user access within Office365 and Active Directory in this post have been gathered from various sources, including Microsoft Docs.

Before the account is disabled, work through the following steps in order:

  1. Trigger a remote wipe of the device (optional). This may or may not be something you want to do, depending on company policy.
  2. Block all of the user's devices (if not using remote wipe).

If using Office365 (Exchange Online PowerShell):

Get information about the user and devices

Get-CASMailbox -Identity <UserPrincipalName> | Select ActiveSyncAllowedDeviceIDs, ActiveSyncBlockedDeviceIDs

Get-ActiveSyncDeviceStatistics -Mailbox <UserPrincipalName> | fl DeviceID

(Get-MobileDeviceStatistics is the current name for this cmdlet; the older Get-ActiveSyncDeviceStatistics name still works.)

Block all devices for a user

Set-CASMailbox -Identity <UserPrincipalName> -ActiveSyncBlockedDeviceIDs "<DeviceID_1>","<DeviceID_2>"

(ActiveSyncBlockedDeviceIDs is a multi-valued property, so pass the IDs as separate quoted values rather than one comma-separated string.)

  3. Disable ActiveSync

Set-CASMailbox -Identity <UserPrincipalName> -ActiveSyncEnabled $false

  4. Disable the mailbox (at least temporarily).
  5. Disable the AD account.

Allow around 5-10 minutes for an ActiveSync device block to take effect; other Set-CASMailbox settings may take up to 20 minutes because of caching. Until the block or the ActiveSync-disable has propagated, a device with a long heartbeat interval can keep syncing, which is why these steps come before the AD account is disabled rather than after.
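The whole procedure above, as one script. This is an added example and not code from the original post: it assumes you have already run Connect-ExchangeOnline with an admin account, that the ActiveDirectory module is available for the final (hybrid) step, and that the UPN passed in is a placeholder for the real user. The -Wipe switch, the variable names and the Get-ADUser lookup are this example's own choices.

```powershell
# Added example (not from the original post). Enumerate, optionally wipe, block and
# disable ActiveSync for one user, then disable the on-premises AD account.
# Assumes: Connect-ExchangeOnline already done; ActiveDirectory module present for step 5.
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,  # placeholder, e.g. jdoe@contoso.com
    [switch]$Wipe                                       # also issue a remote wipe (policy decision)
)

# 1. List every device that has synced with this mailbox, so the block covers all of them.
$devices = @(Get-MobileDeviceStatistics -Mailbox $UserPrincipalName)
if ($devices.Count -eq 0) {
    Write-Host "No ActiveSync devices found for $UserPrincipalName"
}
$devices | Select-Object DeviceId, DeviceType, DeviceAccessState, LastSuccessSync |
    Format-Table -AutoSize

# 2. Optional remote wipe. Clear-MobileDevice wants the device object identity, so pipe
#    Get-MobileDevice rather than the statistics objects from step 1.
if ($Wipe) {
    Get-MobileDevice -Mailbox $UserPrincipalName | ForEach-Object {
        Clear-MobileDevice -Identity $_.Identity -Confirm:$false
    }
}

# 3. Block the known device IDs. The parameter is multi-valued, so pass an array of IDs,
#    not a single comma-separated string.
$deviceIds = @($devices | Select-Object -ExpandProperty DeviceId)
if ($deviceIds.Count -gt 0) {
    Set-CASMailbox -Identity $UserPrincipalName -ActiveSyncBlockedDeviceIDs $deviceIds
}

# 4. Turn ActiveSync off for the mailbox entirely, so a device not seen in step 1
#    (or a new one) cannot start syncing while the account is being wound down.
Set-CASMailbox -Identity $UserPrincipalName -ActiveSyncEnabled $false

# Verify. ActiveSyncEnabled should read False and the blocked list should hold the IDs.
# Allow 5-10 minutes before treating a device that is still syncing as a problem.
Get-CASMailbox -Identity $UserPrincipalName |
    Select-Object ActiveSyncEnabled, ActiveSyncBlockedDeviceIDs

# 5. Disable the on-premises AD account (hybrid environments). Cloud-only accounts are
#    disabled in Azure AD / Entra ID instead and are not covered by this script.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" -ErrorAction SilentlyContinue
if ($adUser) {
    Disable-ADAccount -Identity $adUser
} else {
    Write-Host "No on-premises AD account found for $UserPrincipalName; disable it in the cloud directory."
}
```

Run it as a .ps1 with the user's UPN, adding -Wipe only when policy calls for a wipe. Blocking and disabling ActiveSync are separate calls on purpose: the block covers the devices seen today, while ActiveSyncEnabled $false covers any device that was never in the statistics output.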

If these Office365 best practices for disabling user access have worked for you, the user's devices can no longer sync and there is nothing else you need to do.