Removing Azure AD user memberships and Roles assignment in Hybrid AD scenario ?

Question

People,

I'm currently running Hybrid AD DS - Azure AD using Azure AD Connect to sync.

When the user is disabled from the OnPremise AD DS, and then not synched with Azure AD,
Do I still have to run the below script to completely remove the user memberships and roles assigned?

**

Remove-AzureRoleAssignment  
Remove-AzureADGroupMember  
Remove-AzureADDirectoryRoleMember  

**

Answer 1

Hi @EnterpriseArchitect

Thank you for asking this question on the **Microsoft Q&A Platform. **

If you disable a user on-premises will be still synchronizing to Azure, but it won't be able to log in.

If you what that the user to disappear from your Azure AD, you can:

1. delete the user in your On-premises AD; or
2. move the user to an OU that is not synchronizing to Azure AD

Hope this helps,
Carlos Solís Salazar

----------

Accept Answer and Upvote, if any of the above helped, this thread can help others in the community looking for remediation for similar issues.
NOTE: To answer you as quickly as possible, please mention me in your reply.

---

Answer 2

Hello

Thank you for your question and reaching out. I can understand you are having issues related to Ad Sync.

I believe Unless the OU or account is filtered by an attribute, all accounts will sync - even if they are AD disabled

In your case Please try to verify any Sync error or if there are attribute filtering in AAD connect.

Reference :
https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/objects-dont-sync-ad-sync-tool

https://learn.microsoft.com/en-us/microsoft-365/enterprise/fix-problems-with-directory-synchronization?view=o365-worldwide

--If the reply is helpful, please Upvote and Accept as answer--