This blog post combines an old and a new feature of the Azure AD Connect Sync and Azure AD Cloud Sync tools. The export deletion threshold has existed in AAD Connect Sync for a long time; what's new is that the Cloud Sync client now also has a feature for preventing accidental deletions.
There can be many reasons for this kind of mishap to take place:
- Intentional or accidental deletions
- Changing Azure AD Sync scopes and unchecking OUs that are already syncing
- An OU is renamed so all objects in it are considered to be out of scope for synchronization
What will I be covering? 👇🏽
- How to Configure Azure AD Connect Sync
- Command to see the current threshold
- Change the threshold as required
- What will happen?
- Check which objects are about to be deleted
- How to Configure Azure AD Cloud Sync
- Rejecting deletions
- Wrapping Up
How to Configure Azure AD Connect Sync
By default, the export is halted when 500 or more deletions are staged in a single run. This value can be lowered to minimize the risk.
Command to see the current threshold
Log on to the Azure AD Connect server and run the following command:
Get-ADSyncExportDeletionThreshold
Change the threshold as required
Enable-ADSyncExportDeletionThreshold -DeletionThreshold 10
What will happen?
- Once the threshold is reached, the export of the deletions to Azure AD is stopped, so the users are not removed from the directory. Admins can safely reinstate the local AD accounts or OU scopes and reverse the situation.
- Synchronization Service Manager (MIIS.exe) will show the export run with the stopped-deletion-threshold-exceeded status.
- An alert email describing the issue is also sent to the administrator.
Check which objects are about to be deleted
- Start Synchronization Service Manager > Connectors > Azure Active Directory.
- Under Actions on the right, select Search Connector Space.
- In the pop-up, under Scope, select Disconnected Since and pick a time in the past, then click Search. The result is a view of all objects about to be deleted. Clicking an item shows additional information about that object, and Column Setting lets you add more attributes to the grid.
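The threshold commands above can be wrapped so that an admin only ever tightens the setting and can see from the run history whether an export was halted. This is an added example, not code from the original post; it assumes the ADSync module on the Azure AD Connect server, that the Azure AD connector name ends in " - AAD", and the property names read from Get-ADSyncExportDeletionThreshold and Get-ADSyncRunProfileResult are assumptions.

```powershell
# Added example, not code from the original post. Assumes it runs on the Azure AD
# Connect server with the ADSync module installed. Property names read from
# Get-ADSyncExportDeletionThreshold and Get-ADSyncRunProfileResult are assumptions.
Import-Module ADSync

function Set-SafeDeletionThreshold {
    # Tighten the export deletion threshold; never raise it silently.
    param([Parameter(Mandatory)][ValidateRange(1, 100000)][int]$DesiredThreshold)

    $before = Get-ADSyncExportDeletionThreshold
    $tighten = (-not $before.DeletionThresholdEnabled) -or
               ($before.DeletionThreshold -gt $DesiredThreshold)
    if ($tighten) {
        # Same cmdlet the post shows, with the caller's (lower) value
        Enable-ADSyncExportDeletionThreshold -DeletionThreshold $DesiredThreshold
    }
    $after = Get-ADSyncExportDeletionThreshold
    [pscustomobject]@{
        Changed = $tighten
        Before  = if ($before.DeletionThresholdEnabled) { $before.DeletionThreshold } else { 'disabled' }
        After   = $after.DeletionThreshold
    }
}

function Get-HaltedExportRuns {
    # List recent Azure AD connector runs that stopped with the status the post
    # names, so a halted export is noticed even if the alert email is missed.
    # Assumes the AAD connector name ends in " - AAD" (assumption, not from the post).
    param([int]$Last = 10)
    $aad = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' }
    Get-ADSyncRunProfileResult -ConnectorId $aad.Identifier -NumberRequested $Last |
        Where-Object { $_.Result -eq 'stopped-deletion-threshold-exceeded' } |
        Select-Object RunProfileName, StartDate, EndDate, Result
}

# Usage: lower the threshold to 10 as in the post, then check for halted exports
Set-SafeDeletionThreshold -DesiredThreshold 10
Get-HaltedExportRuns
```

If Get-HaltedExportRuns returns a row, investigate the disconnected objects in Synchronization Service Manager as described above before allowing the export to proceed.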
How to Configure Azure AD Cloud Sync
As of September 2022, this is the most recent announcement from Microsoft: the same protection is now available in the Azure AD Cloud Sync tool as well.
This is managed through the Azure AD portal itself. If you already have the Cloud Sync agent installed and running:
- Go to the Entra Portal (https://entra.microsoft.com)
- Azure Active Directory > Hybrid Management > Azure AD Connect > Manage Azure AD cloud sync
- Click on the domain under Configuration
Check the section under Settings. Enter the notification email address, tick the prevent-accidental-deletion check box, and set the threshold. By default it's 500, but as you can see below I have set it to 3.
When the sync runs, it identifies the deletions and sets the status to Delete threshold exceeded. Click the 3 dots next to the status and select View provisioning logs. If you are certain the deletions are intended, select the Allow deletions option.
Provisioning Logs provide all the details of the sync; filter the Action column on StagedDelete to see only the objects held for deletion.
Rejecting deletions
If you do not want to allow the deletions, you need to do the following:
- Investigate the source of the deletions.
- Fix the issue (for example, an OU was moved out of scope accidentally and you have now added it back to the scope).
- Run Restart sync on the agent configuration.
Wrapping Up
While a smaller threshold is safer, it's also always recommended to enable the AD Recycle Bin, so that if users are deleted the accounts can be reinstated without much of a hassle.