Entra Connect Sync Soft Delete

Question

Entra Connect Sync Soft Delete

DMC 20

In our environment we are slowly rolling out MS365 and want to utilize entra and the rest of the admin centers. In a previous job I worked every day in ms admin center. However now I am setting up a test environment with pairing our domain to our tenant and setting up entra connect.

I had initially set it up what I thought was successfully in a custom install (not express) but was stumped on the Filter Groups section. I clicked 'all users and devices'. I assumed that meant it would sync the users in the test OU I chose in the OU filter. Nope. It eventually synced everything - my guess was due to syncing all groups and the members, contacts, devices that were part of those groups. I deleted over 500 users in Entra and they showed right back up. I even unable to delete groups.

So, I uninstalled and reinstalled the entra connect. Set it up with a test ou and test group this time. However, all of the users, contacts etc still show in Entra. How long will it take for the wizard to see only the users and group in the scope and soft delete the rest?I have ensured the OU is only chosen in the sync service manager. When I force a resync and check in sync service manager, I'll see XXX number of disconnectors from the cloud connector but nothing in pending deletion.

I feel I'm missing something pretty simple. I've tested password changes in AD and it syncs to Entra and office apps for test users - so that is working. I just want to clean up the Entra so after I clean up AD, I can then sync more OUs and groups. Of our 300 users, only 20 or so will have licenses. the rest will be IDs used for sspr, mfa etc.

Jyotishree Moharana 1,845 Reputation points Microsoft External Staff Moderator

2025-04-04T14:40:12.8466667+00:00

Hello @DMC,

Following up to see if you had the chance to review the suggestion provided by Vasil Michev. And, if you have any further query or questions, please do let us know.
DMC 20 Reputation points

2025-04-04T14:43:24.2633333+00:00

Thanks for the reply, Vasil. In a prod environment, I would most certainly delete/disable objects in AD first, then remove license, delete in Entra. For this test, I was looking to see if Entra would soft delete the objects that were no longer in the sync scope first. I don't want to delete the objects in AD as I need them. So I will delete them in Entra.

If I wanted to re-establish the connection with Groups, not users, would I do another sync all objects in the Group Filtering section of Entra Connect Wizard, let them establish a connection, then remove them from the sync scope and let entra soft delete the groups no longer in scope?

Because right now I am unable to delete the groups in Entra. I don't need all of them up there, but I do need them in AD. Eventually they will be back in Entra but we do all of our assigning of groups in AD. Our environment will be hybrid. Basically, I'm going to slow roll out another test OU to test SSO, sspr, and a few other B2B tenant collab with another org before diving right in. Eventually at the 'group filtering' part of the wizard, it would be all groups.
Jyotishree Moharana 1,845 Reputation points Microsoft External Staff Moderator

2025-04-04T15:51:57.3666667+00:00

Hello @DMC

For the groups which are still showing up in Entra ID despite not being in current sync scope, Microsoft Entra Connect only deletes objects that it has once considered to be in scope. If there are objects in Microsoft Entra ID that were created by another sync engine and these objects aren't in scope, adding filtering doesn't remove them.

In the current scenario the configuration you started with was a Microsoft Entra connect sync server with 'all users and devices' filtering that created a complete copy of your entire directory in Microsoft Entra ID, and then it was uninstalled and a new Microsoft Entra Connect Sync server was installed with filtering enabled from the beginning, this current Microsoft Entra Connect doesn't remove the extra objects that are created by the previous sync engine as they have never been in scope for the current sync engine. Hence the deletion will not happen automatically by Entra ID.

If complete sync of 'all users and devices' is selected in the re-installed sync server all the objects are synced to Entra ID. Post the sync if you configure the filtering as per your requirement Entra ID would remove the objects not present in current scope.

https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sync-configure-filtering
https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sync-feature-scheduler#full-sync-cycle
DMC 20 Reputation points

2025-04-04T22:23:46.7+00:00

Thank you for the insight @Jyotishree Moharana ! Very beneficial.

I re-ran the Entra Connect Wizard, got to group filtering and selected all users and devices.

Forced a sync. Now waiting to see what happens.

If I am unable to soft delete groups in Entra. (I'm a global admin and group admin). Missing permissions? Opened the sync wizard again, I can no longer choose a group filtering in the wizard as that may have been only allowed the first or second time when setting up a pilot with a test group. However, I'm just hoping the sync reestablishes the connect between the groups in entra and AD.

But just in case I really botched this, is there a way to 'start over' or have a clean slate to re-establish this setup without doing anything to on-prem AD?

I see no errors in the sync cycle or sync service manager. I do still see a lot of disconnectors on the cloud connector operations in the last sync.
DMC 20 Reputation points

2025-04-04T22:44:19.93+00:00

on more thought - I might just sync the entire domain in the OU filtering. force sync. let it run, then go back and choose the couple OUs I want synced for testing. Good idea or no?
Jyotishree Moharana 1,845 Reputation points Microsoft External Staff Moderator

2025-04-08T15:46:10.51+00:00

Hello @DMC,

If you want to utilize group based filtering option in AD connect, it is can only be configured on initial installation by using the installation wizard. It's intended for a pilot deployment where you want only a small set of objects to be synchronized. When you've completed your pilot in full production deployment it is recommended to utilize OU-based filtering. This provides the flexibility of syncing the needed OUs are per your requirement. Or you can utilize OU filtering option from beginning itself as per your need without using group based filtering.

Regarding the objects and groups showing in disconnected state and process of removal, I would like to have an offline discussion with you for better understanding. Please share your contact details over private message and your availability for a call.
Jyotishree Moharana 1,845 Reputation points Microsoft External Staff Moderator

2025-04-10T15:49:26.9+00:00

Hello @DMC,

As discussed, we will be taking the further troubleshooting offline.
Jyotishree Moharana 1,845 Reputation points Microsoft External Staff Moderator

2025-04-16T12:45:01.1166667+00:00

Hello @DMC,

Following up to see if the above answer was helpful.

If this answers your query, do click **Accept Answer** and Yes for was this answer helpful. And, if you have any further query do let us know.

Accepted answer

1 additional answer

Your answer

Jyotishree Moharana 1,845 Reputation points Microsoft External Staff Moderator

2025-04-04T14:40:12.8466667+00:00

Hello @DMC,

Following up to see if you had the chance to review the suggestion provided by Vasil Michev. And, if you have any further query or questions, please do let us know.
DMC 20 Reputation points

2025-04-04T14:43:24.2633333+00:00

Thanks for the reply, Vasil. In a prod environment, I would most certainly delete/disable objects in AD first, then remove license, delete in Entra. For this test, I was looking to see if Entra would soft delete the objects that were no longer in the sync scope first. I don't want to delete the objects in AD as I need them. So I will delete them in Entra.

If I wanted to re-establish the connection with Groups, not users, would I do another sync all objects in the Group Filtering section of Entra Connect Wizard, let them establish a connection, then remove them from the sync scope and let entra soft delete the groups no longer in scope?

Because right now I am unable to delete the groups in Entra. I don't need all of them up there, but I do need them in AD. Eventually they will be back in Entra but we do all of our assigning of groups in AD. Our environment will be hybrid. Basically, I'm going to slow roll out another test OU to test SSO, sspr, and a few other B2B tenant collab with another org before diving right in. Eventually at the 'group filtering' part of the wizard, it would be all groups.
Jyotishree Moharana 1,845 Reputation points Microsoft External Staff Moderator

2025-04-04T15:51:57.3666667+00:00

Hello @DMC

For the groups which are still showing up in Entra ID despite not being in current sync scope, Microsoft Entra Connect only deletes objects that it has once considered to be in scope. If there are objects in Microsoft Entra ID that were created by another sync engine and these objects aren't in scope, adding filtering doesn't remove them.

In the current scenario the configuration you started with was a Microsoft Entra connect sync server with 'all users and devices' filtering that created a complete copy of your entire directory in Microsoft Entra ID, and then it was uninstalled and a new Microsoft Entra Connect Sync server was installed with filtering enabled from the beginning, this current Microsoft Entra Connect doesn't remove the extra objects that are created by the previous sync engine as they have never been in scope for the current sync engine. Hence the deletion will not happen automatically by Entra ID.

If complete sync of 'all users and devices' is selected in the re-installed sync server all the objects are synced to Entra ID. Post the sync if you configure the filtering as per your requirement Entra ID would remove the objects not present in current scope.

https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sync-configure-filtering
https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sync-feature-scheduler#full-sync-cycle
DMC 20 Reputation points

2025-04-04T22:23:46.7+00:00

Thank you for the insight @Jyotishree Moharana ! Very beneficial.

I re-ran the Entra Connect Wizard, got to group filtering and selected all users and devices.

Forced a sync. Now waiting to see what happens.

If I am unable to soft delete groups in Entra. (I'm a global admin and group admin). Missing permissions? Opened the sync wizard again, I can no longer choose a group filtering in the wizard as that may have been only allowed the first or second time when setting up a pilot with a test group. However, I'm just hoping the sync reestablishes the connect between the groups in entra and AD.

But just in case I really botched this, is there a way to 'start over' or have a clean slate to re-establish this setup without doing anything to on-prem AD?

I see no errors in the sync cycle or sync service manager. I do still see a lot of disconnectors on the cloud connector operations in the last sync.
DMC 20 Reputation points

2025-04-04T22:44:19.93+00:00

on more thought - I might just sync the entire domain in the OU filtering. force sync. let it run, then go back and choose the couple OUs I want synced for testing. Good idea or no?
Jyotishree Moharana 1,845 Reputation points Microsoft External Staff Moderator

2025-04-08T15:46:10.51+00:00

Hello @DMC,

If you want to utilize group based filtering option in AD connect, it is can only be configured on initial installation by using the installation wizard. It's intended for a pilot deployment where you want only a small set of objects to be synchronized. When you've completed your pilot in full production deployment it is recommended to utilize OU-based filtering. This provides the flexibility of syncing the needed OUs are per your requirement. Or you can utilize OU filtering option from beginning itself as per your need without using group based filtering.

Regarding the objects and groups showing in disconnected state and process of removal, I would like to have an offline discussion with you for better understanding. Please share your contact details over private message and your availability for a call.
Jyotishree Moharana 1,845 Reputation points Microsoft External Staff Moderator

2025-04-10T15:49:26.9+00:00

Hello @DMC,

As discussed, we will be taking the further troubleshooting offline.
Jyotishree Moharana 1,845 Reputation points Microsoft External Staff Moderator

2025-04-16T12:45:01.1166667+00:00

Hello @DMC,

Following up to see if the above answer was helpful.

If this answers your query, do click **Accept Answer** and Yes for was this answer helpful. And, if you have any further query do let us know.

Answer 1

Hello @DMC,

Thank you for connecting offline for discussing the issue.

Based on your question, currently you want to delete and clean-up your Entra ID of the objects which were previously synced by mistake as well as the objects which were showing in disconnected state.

We have followed the below process:

Disable the directory sync: We followed the document Turn-off-directory-synchronization to disable the sync from on-prem to Entra, once we have executed the PowerShell commands, the objects will turn into cloud only objects and can be managed through Entra ID.
Once we have confirmed that Get-MgOrganization | Select OnPremisesSyncEnabled is false, we deleted the objects from Entra.
We also deleted the objects from Deleted users/group to avoid any soft match after enabling the Directory sync.
Once the complete deletion has been completed, we can re-enable directory sync and configure OU filtering as required.

If you have any further questions or queries, please do let us know.

Answer 2

In scenarios where you are synchronizing from on-premises AD, you should be deleting the objects in your on-premises environment, not directly in Entra. As you've noted above, in the latter scenario objects will just be recovered. After the reinstall, you likely ended up in a scenario where the object's connection to on-premises is broken, i.e. they are now "disconnectors", which means you should be able to delete them directly from the cloud. Just in case, make sure to first force a full sync for a proper cleanup: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-sync-feature-scheduler#full-sync-cycle

Share via

Entra Connect Sync Soft Delete

1 additional answer

Your answer