question

ChristopherRussell-5872 asked ·

Delete Users in Azure Active Directory Admin Center that were Synced from On-Premise AD

Hello,

I was wondering if someone could help me answer this question. I have users in Azure Active Directory Admin Center that were directory synced from an on-premises Active Directory. These users have been deleted from the on-premise Active Directory but they still exist in Azure Active Directory. Is there any way to use synchronization to remove these users from Azure Active Directory Admin Center?

A little background on how this happened. My boss signed up for Microsoft Office 365 and he created user accounts for everyone in the IT dept directly in Office 365. This Office 365 was supposed to be for the staff only and my boss wanted us to input the rest of the staff. My boss suggested either having separate cloud accounts for the staff, or we could do AD Connect to keep it as a single login for the staff. We decided to do AD Connect because one less sign-in is better, since our staff already have a minimum of three and have a hard time with those already. So when we installed AD Connect we allowed it to sync everything. The problem comes in that we have a ton of students in our Active Directory, and they use Chromebooks. There is no need for them to have domain accounts or for those to have been synced into Azure Active Directory. Yes I know, if we had done it differently, we could have synced just the OUs we wanted and bypassed this mess. So we went ahead and deleted all of those users from our on-premises Active Directory, but after 7 days of delta syncs, delta imports, and exports, these student users still exist in our Azure Active Directory Admin Center.

I have been searching and not really finding a concrete answer. I have also used the following to try and get a solid understanding of the process.

https://techcommunity.microsoft.com/t5/tag/Synchronization/tg-p/board-id/CoreInfrastructureandSecurityBlog

https://medium.com/alexfilipin/azure-ad-connect-dispel-the-fear-33446616de12

So when I use the Synchronization Service from the Azure AD Connect GUI, I see on the AAD connector after a delta sync or a full sync that there are 1049 disconnectors. When I use the connector space and change the scope to Pending Import and checkmark Add, it's the same 1049, and they are the student accounts that were deleted from the on-premise AD. So have these accounts been orphaned? If they are orphaned, is the only way to get rid of them through bulk deletion? Is there no way for me to use synchronization to export the on-premise AD to AAD and overwrite everything?

https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/object-deletions-not-sync

I know this is a lot and hopefully I explained it well enough that I didn't lose anyone. Any help that can be given is appreciated.

azure-active-directory

1 Answer

michev answered ·

Forcing a Full sync should resolve this, alternatively you can delete them directly in Azure AD via the Remove-MsolUser cmdlet: https://docs.microsoft.com/en-us/powershell/module/msonline/remove-msoluser?view=azureadps-1.0


Hello Michev,

That is one of the things I tried. I was trying to find a guide/info on how to use AD Connect synchronization. I came across this guide and ran both a full import and a full sync. I had seen under the Operations tab that the logs showed a full import and full sync were only run once. The rest were AD Sync just doing delta syncs and delta imports.
https://medium.com/alexfilipin/azure-ad-connect-dispel-the-fear-33446616de12

Although this didn't do anything. According to the full sync, it shows that there are no disconnectors on the AD side. I'm guessing because these users don't exist on the AD side. When I do a search on the connector space for AD and checkmark Delete there are none. Although when I run a full sync on the Azure AD side, it shows 1049 disconnectors. When I search its connector space for Add, it shows all the users still in Azure AD.

Do I need to do an export from AD to Azure AD, after I do the full sync?

0 Votes 0 ·

Also, someone pointed out that this is probably the reason for the error.
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-prevent-accidental-deletes

I was not the one to run this, so I don't know what errors or warnings were given when all the accounts were deleted in AD. Although, I guess this makes sense, because it just prevents Azure from making the changes, but not from the AD side. The thing is, so much time has passed that the logs for AD Sync don't go that far back. Is there a way to see a complete log, or does it only go back so far? Any help you can give is welcome and appreciated, and thank you for your assistance so far.

0 Votes 0 ·
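A way to script the two approaches from the answer and the accidental-delete check raised in the comments, added here as an example and not taken from the thread. It assumes the MSOnline and ActiveDirectory modules are installed, a Connect-MsolService session is open, the ADSync cmdlets are run on the Azure AD Connect server, and the default objectGUID source anchor is in use.

```powershell
# Step 1 (on the Azure AD Connect server): check whether the accidental-delete
# threshold is what blocked the export of the on-prem deletions.
Get-ADSyncExportDeletionThreshold   # shows DeletionThresholdEnabled / DeletionThreshold

# If the pending deletes exceed the threshold, lift it for one full (Initial)
# sync cycle and put it back afterwards. The 500 below is the product default.
# Disable-ADSyncExportDeletionThreshold
# Start-ADSyncSyncCycle -PolicyType Initial
# Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500

# Step 2: list synced cloud users whose source object no longer exists on-prem.
# With the default source anchor, ImmutableId is the Base64 form of objectGUID.
# Get-ADUser does not return deleted (recycle-bin/tombstoned) objects, so a
# deleted student account will show up here as an orphan.
$onPremIds = @{}
Get-ADUser -Filter * -Properties objectGUID | ForEach-Object {
    $onPremIds[[Convert]::ToBase64String($_.objectGUID.ToByteArray())] = $true
}

$orphans = Get-MsolUser -All -Synchronized | Where-Object {
    $_.ImmutableId -and -not $onPremIds.ContainsKey($_.ImmutableId)
}

# Review before acting: UPN, anchor and the last time sync touched the object.
$orphans | Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime |
    Sort-Object UserPrincipalName | Format-Table -AutoSize

# Step 3: remove the orphans only after the list has been reviewed.
# Removed users go to the Azure AD recycle bin (30 days) and can be brought
# back with Restore-MsolUser; -RemoveFromRecycleBin is deliberately not used.
$dryRun = $true   # flip to $false once the list above is confirmed correct
foreach ($u in $orphans) {
    if ($dryRun) {
        Write-Host "Would remove $($u.UserPrincipalName)"
    } else {
        Remove-MsolUser -UserPrincipalName $u.UserPrincipalName -Force
    }
}
```

If AD Connect was configured with mS-DS-ConsistencyGuid as the source anchor, compare against that attribute instead of objectGUID in Step 2.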