Changed from all OUs to a single OU and users outside of scope are not removed.

S T 101 Reputation points
2020-06-03T10:43:58.607+00:00

We have run the full sync options in the sync client as suggested in other places with no luck. The number of deletions is under the default threshold. New users are synchronising, so Azure AD Sync is working.


Accepted answer
  1. S T 101 Reputation points
    2020-06-03T16:05:01.09+00:00

    I managed to "fix" this.

    Since the sync service wasn't showing any deletes in the queue, I went back into the ADSync wizard and told it to sync the entire directory. Waited for it to complete, returned to the ADSync wizard and selected my single OU. The sync service then said there were a good number of deletions; it took a while, but they applied online eventually.

    I basically turned it off and on again... should have realised.


1 additional answer

  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2020-06-03T11:15:15.863+00:00

    Hi @S T ,

    In Azure AD Connect, prevent accidental deletes is enabled by default and configured to not allow an export with more than 500 deletes. If you have more than 500 users to be deleted, you need to disable it by using the cmdlets below:

    1. To retrieve the current deletion threshold, run the PowerShell cmdlet Get-ADSyncExportDeletionThreshold. Provide an Azure AD Global Administrator account and password. The default value is 500.
    2. To temporarily disable this protection and let those deletes go through, run the PowerShell cmdlet: Disable-ADSyncExportDeletionThreshold. Provide an Azure AD Global Administrator account and password.
    3. With the Azure Active Directory Connector still selected, select the action Run and select Export.
    4. To re-enable the protection, run the PowerShell cmdlet: Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500. Replace 500 with the value you noticed when retrieving the current deletion threshold. Provide an Azure AD Global Administrator account and password.

    After Disable-ADSyncExportDeletionThreshold, run a full sync cycle.

    -----------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.
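The threshold procedure above, as an added PowerShell script (not code from the thread or from Microsoft): it records the current threshold, raises it to the expected number of deletes for one full sync cycle using the same Enable-ADSyncExportDeletionThreshold cmdlet from step 4 rather than disabling the protection outright, and restores the recorded value in a finally block so the accidental-delete safeguard is never left off. It assumes the cmdlets accept an -AADCredential parameter, that Get-ADSyncExportDeletionThreshold returns either a plain number or an object with a DeletionThreshold property, and that the $ExpectedDeletes value is supplied by the operator (hypothetical default shown).

```powershell
param(
    # Hypothetical: the number of deletes expected after narrowing the OU scope.
    [uint32]$ExpectedDeletes = 600
)
# Run in an elevated PowerShell on the Azure AD Connect server.
Import-Module ADSync -ErrorAction Stop

$cred = Get-Credential -Message 'Azure AD Global Administrator'

# 1. Record the current threshold so it can be restored exactly (default is 500).
#    Output shape of the cmdlet is assumed; both a bare number and an object are handled.
$raw = Get-ADSyncExportDeletionThreshold -AADCredential $cred
$originalValue = if ($raw -is [int] -or $raw -is [uint32]) {
    [uint32]$raw
} else {
    [uint32]$raw.DeletionThreshold   # property name assumed
}
Write-Host "Current deletion threshold: $originalValue"

# Refuse to start if a cycle is already running; two overlapping cycles confuse the export.
if ((Get-ADSyncScheduler).SyncCycleInProgress) {
    throw 'A sync cycle is already in progress; retry when it has finished.'
}

try {
    # 2. Raise the ceiling to what you expect instead of removing it: if the scope change
    #    disconnected far more objects than planned, the export still stops.
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold $ExpectedDeletes -AADCredential $cred
    Write-Host "Threshold temporarily set to $ExpectedDeletes"

    # 3. Full (initial) sync cycle so objects outside the new OU scope are
    #    disconnected and exported as deletes.
    Start-ADSyncSyncCycle -PolicyType Initial | Out-Null
    do { Start-Sleep -Seconds 15 } while ((Get-ADSyncScheduler).SyncCycleInProgress)
    Write-Host 'Full sync cycle finished.'
}
finally {
    # 4. Restore the recorded threshold even if the cycle threw an error.
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold $originalValue -AADCredential $cred
    Write-Host "Threshold restored to $originalValue"
}
```

If the number of pending deletes is unknown, read it from the Synchronization Service Manager before choosing $ExpectedDeletes; the script deliberately does not call Disable-ADSyncExportDeletionThreshold.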