question

0 Votes
VenugopalB-9267 asked, bharathn-msft edited

need to clean up Federated domain

Hi Members,


Good day,


We have a federated domain in Azure, e.g. fed.dom.lo.com.

AD Connect was set up and it has synchronized all the users in our on-prem domain controller to Azure.

Assume we had 20k users in the specific OU which was set for the sync. Now, the change that came in would want us to sync only users which have a specific attribute set,

i.e. departmentName = xyz, and not all of them.


My doubts are as below:

1. What would happen to the existing users in the Azure federated domain? Would a clean-up be done automatically? E.g. users synced are 20k, but users with the attribute are just 3k.

2. How would we do a clean-up on the Azure domain?

   a. Could we delete all the users on the Azure domain and add the inbound sync rule to have the limited set of users show up again?

Or is there any better way to achieve this?


Thank you

V

Tags: azure-ad-connect, adfs

1 Vote
vipulsparsh-MSFT answered, vipulsparsh-MSFT commented

@VenugopalB-9267 Thanks for reaching out. Please find the answers inline.

1) What would happen to the existing users in the Azure federated domain? Would a clean-up be done automatically? E.g. users synced are 20k, but users with the attribute are just 3k.

VS: There are 2 levels of filtering which you can do to achieve your goal.
a) OU level filtering: You can create a separate OU for all those 3k users which will have the Department attribute filled, and select only this OU for the sync scope. This way these 3k users will still sync up, but all the rest will get deleted. And as suggested by Andy, you would need to use https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-prevent-accidental-deletes to be able to delete more than 500 objects.

b) Attribute level filtering: You can create a new rule and specify that users with the department attribute set to, e.g., "Sales" or "IT" should sync up, but not anyone else.

[Attachment: syncrule.png]

This requires a little more work, as the rule needs to be carefully created, and at the same time you will have to disable other sync rules which might be syncing the users.
This is also called Positive Filtering and you can read more about it here: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-configure-filtering#positive-filtering-only-sync-these


If the suggested response helped you resolve your issue, please do not forget to accept the response as Answer and "Up-Vote" for the answer that helped you for benefit of the community.




@VenugopalB-9267 I wanted to follow up and know if the above response helped in answering your query. If it did, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

0 Votes

2 Votes
AndyDavid answered

Yes, the objects in Azure will be deleted if you remove that OU from the sync, and the new ones will be added.
However, there is a maximum of 500 deleted objects allowed per sync. If you want AADConnect to delete all 20,000 objects, then follow the article below:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-prevent-accidental-deletes

The default value of 500 objects can be changed with PowerShell using Enable-ADSyncExportDeletionThreshold, which is part of the AD Sync module installed with Azure Active Directory Connect. You should configure this value to fit the size of your organization. Since the sync scheduler runs every 30 minutes, the value is the number of deletes seen within 30 minutes.
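The following PowerShell is an added example, not code from this thread or from Microsoft's documentation. It shows the check an admin would want to run on the Azure AD Connect server before narrowing the sync scope: count how many users in the OU carry the required department value, compare the expected number of deletions against the export deletion threshold, and raise the threshold only as far as that estimate needs rather than disabling it. It assumes the RSAT ActiveDirectory module and the ADSync module that Azure AD Connect installs; the OU path and the department value are placeholders, and the assumption that Get-ADSyncExportDeletionThreshold returns the numeric threshold is marked in the code.

```powershell
# Added example (not from the thread): size the clean-up before touching the
# deletion threshold. Run on the Azure AD Connect server with the ADSync module.
Import-Module ActiveDirectory
Import-Module ADSync

$SyncOU    = 'OU=Users,DC=fed,DC=dom,DC=lo,DC=com'   # placeholder: the OU currently in sync scope
$KeepValue = 'xyz'                                  # placeholder: department value that should keep syncing

# 1. What is in scope today, and what will remain once attribute filtering is applied.
$allUsers  = @(Get-ADUser -Filter * -SearchBase $SyncOU -Properties department)
$keepUsers = @($allUsers | Where-Object { $_.department -eq $KeepValue })
$expectedDeletes = $allUsers.Count - $keepUsers.Count

'In scope now: {0}; will keep: {1}; expected deletions in Azure AD: {2}' -f `
    $allUsers.Count, $keepUsers.Count, $expectedDeletes

# 2. Compare against the current export deletion threshold (500 by default).
#    Assumption: the cmdlet returns the numeric threshold; inspect the output on your build.
$threshold = [int](Get-ADSyncExportDeletionThreshold | Select-Object -First 1)
'Current export deletion threshold: {0}' -f $threshold

# 3. Raise the threshold only to what the estimate requires (small margin added), so a
#    mis-scoped rule that would delete far more than planned still stops the export.
#    The cmdlet prompts for Azure AD Global Administrator credentials.
if ($expectedDeletes -gt $threshold) {
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold ($expectedDeletes + 50)
}

# 4. After the scoping/rule change, run a full sync cycle and review the export step
#    in Synchronization Service Manager before trusting the result.
Start-ADSyncSyncCycle -PolicyType Initial

# 5. Once the clean-up export has completed, put the default guard back:
#    Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500
```

The point of step 3 is that the deletion threshold is a safety net against exactly the mistake this thread is about (a scope change that removes far more objects than intended), so it should be raised to the measured number for one cycle and then restored, not switched off.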




0 Votes
VenugopalB-9267 answered

Thank you AndyDavid, @vipulsparsh-MSFT: I would choose Positive Filtering.

1. We do not have a separate OU for these users.
2. We have only one OU, which contains all the users.

I would update once we are good with the steps.

Thank you for your time and support.

