TomassPetersons asked DGS-9585 commented

Remove extension properties from sync

Hi,

For testing I added some directory extensions to sync with Azure AD:
[image]

After that I started to receive error messages:

 Unable to update this object in Azure Active Directory, because the attribute
 [extension_2241f0b77381486bb25ee28906a52afd_thumbnailPhoto], in the local Directory
 exceeds the maximum allowed length. If you want to update, reduce the length in the
 local directory services, and then try again

I removed those directory extensions from sync. But I still receive error messages. PowerShell returns this:
[image]

How can I remove those extension properties from sync?



azure-active-directory

Hi,

I think meanwhile the issue is solved, but for others with the same problem the solution is described in the following article from Microsoft.

The way to only deselect the extension attribute in the Azure AD Connect wizard only works if it was never synchronized to Azure AD; otherwise you need to create a custom rule to set the value to empty.


https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-the-configuration#do-not-flow-an-attribute

There are two ways to not flow an attribute. The first is by using the installation wizard to remove selected attributes. This option works if you have never synchronized the attribute before. However, if you have started to synchronize this attribute and later remove it with this feature, the sync engine stops managing the attribute and the existing values are left in Azure AD.


Best regards,
Marcus

https://blog.matrixpost.net

amanpreetsingh-msft answered

@TomassPetersons Did you run full sync after you removed these extension attributes? Removing extension attributes from sync scope requires a full sync.


Please "Accept as answer" wherever the information provided helps you to help others in the community.

bwd-3103 answered ShadabBasha-7764 commented

Same thing is happening to me, and I performed a full sync after removing the attribute extension. I don't know why it is trying to sync an attribute that does not exist.


@amanpreetsingh-msft -

Hello Aman,

Please advise.

Tested it just now: enabling Directory Extension adds the sync rule and attributes.

Deselecting the attribute from Directory Extensions removes the rule and Metaverse Attribute for the Extension, however it doesn't trigger deletion for the attribute and value connected to objects (example: user objects).

Also, just removing the value using the options mentioned in the article below doesn't fix the issue, as the main goal is to remove the extension attribute along with the value from each affected object.

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-the-configuration#do-not-flow-an-attribute

Suggestion: Similar to how we are adding rules to add the extension attribute, there should be Sync Rules added to remove the values as well.

Please confirm what is the recommended way of removing the extension attributes and values from the impacted objects?

Impacted object means objects which currently have the extension attribute with value populated.

KaranSharma-0565 answered DGS-9585 commented

Agree with ShadabBasha-7764's comment. I am experiencing the same, where I can't remove the attribute even though I have deselected it from AAD sync.

We need a way of removing the extension attribute. Can anyone from Microsoft suggest a way to resolve this?


Today I had a similar problem (with users) and stumbled on this entry. For anyone who wants to remove the extension attributes after deselecting or disabling extension synchronisation for users (and doing a full sync), you can do it via PowerShell.


https://docs.microsoft.com/en-us/powershell/module/azuread/remove-azureaduserextension?view=azureadps-2.0



[TESTED] The bulk operation for users:

 Get-AzureADUser -Filter "DirSyncEnabled eq true" -All $true | ForEach-Object {$_ | Remove-AzureADUserExtension -ExtensionName "replace with your extension name"}

Conversation with myself:
Does this have any impact if we remove it? -> not really right?
Is it clean if we remove it? -> for sure!
Could this be implemented in the sync? -> please Microsoft!
Is it really gone? -> not really, it's still visible at some configuration points in Azure, maybe it's gone in some days


[DISCLAIMER]
If there are any errors in the output, investigate. I had one and the property was not removed; after resolving it everything went smoothly (*thank god I've seen this error, it saved a lot of time for my next project :D )





You notice in my last post I said I couldn't fully clean it.
Triggered me hard, and read through everything I found on the web.
This was because the AzureADMSApplication named Tenant Schema Extension App still contains it. (Created when you first sync extension attributes)
Once you created the extension in it, you will be unable to remove it! [Tried the command "Remove-AzureADMSApplicationExtensionProperty" but only getting a permission error] (I've seen some Microsoft support requests where they removed the whole ADMS Application...)


I hope this happens to no one... thanks Microsoft

Also I found a post which describes that you can null the value in the sync rules, but I think my script does the job :D .

These are the things Microsoft does to me which don't let me sleep at night

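The bulk cleanup discussed in the comments above, as an added example that is not part of the original thread: it checks read-only whether the extension is still registered on the Tenant Schema Extension App, lists the synced users that actually carry a value, and clears it only when asked, collecting per-user errors instead of letting them scroll past. It assumes the AzureAD module with an existing `Connect-AzureAD` session; the `-Remove` switch and variable names belong to this example, and the default extension name is the one from the error message in the question.

```powershell
# Added example (not from the thread). Assumes the AzureAD module is loaded
# and Connect-AzureAD has already been run with rights to update users.
param(
    # Full extension name, taken from the sync error quoted in the question.
    [string]$ExtensionName = 'extension_2241f0b77381486bb25ee28906a52afd_thumbnailPhoto',
    # Script-level switch of this example: without it nothing is changed.
    [switch]$Remove
)

# 1. Read-only check: is the extension still registered on the schema app?
$registered = Get-AzureADApplication -SearchString 'Tenant Schema Extension App' |
    ForEach-Object { Get-AzureADApplicationExtensionProperty -ObjectId $_.ObjectId } |
    Where-Object { $_.Name -eq $ExtensionName }
if ($registered) {
    Write-Host "Extension is still registered on the schema app: $ExtensionName"
} else {
    Write-Host "Extension is not registered on the schema app: $ExtensionName"
}

# 2. Find the directory-synced users that still hold a value for it.
$synced = Get-AzureADUser -Filter "DirSyncEnabled eq true" -All $true
$affected = foreach ($user in $synced) {
    $ext = Get-AzureADUserExtension -ObjectId $user.ObjectId
    if ($ext.ContainsKey($ExtensionName)) { $user }
}
Write-Host "Synced users: $(@($synced).Count), with a value set: $(@($affected).Count)"

# 3. Clear the value per user; keep every failure for later investigation.
$failed = @()
foreach ($user in $affected) {
    if (-not $Remove) {
        Write-Host "Would clear $ExtensionName on $($user.UserPrincipalName)"
        continue
    }
    try {
        Remove-AzureADUserExtension -ObjectId $user.ObjectId `
            -ExtensionName $ExtensionName -ErrorAction Stop
    } catch {
        $failed += [pscustomobject]@{
            User  = $user.UserPrincipalName
            Error = $_.Exception.Message
        }
    }
}

# 4. Report failures so a user whose property was not removed is not missed.
if ($failed.Count -gt 0) { $failed | Format-Table -AutoSize -Wrap }
```

Run it once without `-Remove` to review the list of affected users, then again with `-Remove`; a final run without the switch should report zero users with a value set.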