Users deleted in on-premises AD can't sync to Azure AD

sato 1 Reputation point
2021-12-02T04:53:42.627+00:00

version information
Windows: 2019
AADC: 2.0.28.0

I deleted a user in my on-premises AD, but it doesn't sync to Azure AD when I perform a delta sync (it doesn't get deleted in Azure AD).

Start-ADSyncSyncCycle -PolicyType Delta

However, when I perform a full sync, it syncs to Azure AD.

Start-ADSyncSyncCycle -PolicyType Initial

Do you know the cause of this?


2 answers

  1. Danny Zollner 10,801 Reputation points Microsoft Employee Moderator
    2021-12-09T17:34:18.087+00:00

    How are you deleting the user? Are they getting moved to a new OU? Does the on-prem AD connector service account have read access to the new OU that the user object is being moved to?

    What you've described can happen if an object goes from an OU that is visible to the on-prem AD connector service account into one that is not. If the object moves out of sight of the service account (to an OU where the service account does not have read access), the delta import will not return the event of the user being deleted. However, full import will pick this up as full import starts by tagging every object as ready for deletion, and then removing that flag as the object is read from AD - meaning at the end any objects still visible to the service account will have the "delete me" flag removed, but ones that exist in the connector space but are not present in any OUs in AD that the service account can read will be deleted at the end.

    1 person found this answer helpful.

  2. Siva-kumar-selvaraj 15,721 Reputation points
    2021-12-02T10:55:24.18+00:00

    Hello @sato,

    Thanks for reaching out.

    If you see changes being updated to Azure AD with a Full Sync rather than a Delta Sync cycle, then most probably some updates have been made to the connector space properties of the .localAD.com or .onmicrosoft.com domain from the Synchronization Service console.

    [attached screenshot: 154483-image.png]

    For example, let's say a user may have been moved across different OUs, the new OU was probably added to the sync scope through the Synchronization Service console, and meanwhile the user account may have been deleted; in such scenarios Azure AD Connect isn't aware of the changes until a Full synchronization is initiated manually. To avoid such discrepancies, I always recommend using the Azure AD Connect wizard to perform any modification, or if you continue to use the connector space properties, then make sure a full sync is initiated manually just once whenever there is a change.

    Another possibility could be that the directory synchronization delta cycle stopped due to some exception before it reached that delete operation. If that's not the case, and the delta sync cycle completed without any exception or errors but the object still wasn't deleted from your cloud service organization, then follow the typical directory synchronization troubleshooting procedures explained in the following articles.

    Troubleshoot an object that is not synchronizing with Azure Active Directory
    Troubleshoot object synchronization with Azure AD Connect sync
    Troubleshooting Errors during synchronization
    Object deletions aren't synchronized to Azure AD when using the Azure Active Directory Sync tool

    I hope this was useful.

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

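The checks suggested in both answers above (whether the connector service account can still see the object's OU, whether the OU is inside the connector's scope, and whether the delta cycle stopped early), gathered into one PowerShell diagnostic. This is an added example, not code from the thread or from Microsoft. It assumes it runs on the Azure AD Connect server with the ADSync and ActiveDirectory modules installed, that `$ConnectorName` and `$SamAccountName` are replaced with real values (placeholders here), and that the property path to the connector's container inclusion list and the `Directory Synchronization` event source are correct (both are assumptions, marked in the comments).

```powershell
# Added diagnostic for "delete only syncs on a full cycle" (example, not from the thread).
# Run on the Azure AD Connect server in an elevated PowerShell session.
Import-Module ADSync
Import-Module ActiveDirectory

$ConnectorName  = 'contoso.com'   # PLACEHOLDER: on-prem AD connector name (see Get-ADSyncConnector)
$SamAccountName = 'jdoe'          # PLACEHOLDER: sAMAccountName of the user that was deleted/moved

# 1. Which account reads on-prem AD for the connector? Delta import only reports what this
#    account can see, which is the core of the first answer.
$connAccount = Get-ADSyncADConnectorAccount
"== AD connector account =="
$connAccount | Format-Table -AutoSize | Out-String

# 2. Where is the object now in AD: live (possibly moved to another OU) or deleted?
$live = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties distinguishedName
$gone = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(sAMAccountName=$SamAccountName))" `
            -IncludeDeletedObjects -Properties lastKnownParent, whenChanged -ErrorAction SilentlyContinue
"== Object state in AD =="
if ($gone) { "Deleted in AD (tombstone/recycle bin). lastKnownParent: $($gone.lastKnownParent); whenChanged: $($gone.whenChanged)" }
if ($live) { "Still live in AD at: $($live.DistinguishedName)" }
if (-not $gone -and -not $live) { "No live or deleted object found for sAMAccountName $SamAccountName." }

# 3. Is the object still in the connector space under its old or current DN? A CS object that
#    survives delta import while AD no longer shows it to the connector account is the symptom.
$dnCandidates = @()
if ($live) { $dnCandidates += $live.DistinguishedName }
if ($gone) { $dnCandidates += $gone.DistinguishedName }
"== Connector space =="
foreach ($dn in $dnCandidates) {
    $cs = Get-ADSyncCSObject -ConnectorName $ConnectorName -DistinguishedName $dn -ErrorAction SilentlyContinue
    if ($cs) { "Present in connector space: $dn" } else { "Not in connector space: $dn" }
}

# 4. If the object was moved, is its new OU inside the connector's OU filter, and does the
#    connector account have an explicit Deny (or lose inherited read) on that OU?
if ($live) {
    # Strip the leading RDN, honouring escaped commas, to get the parent OU DN.
    $ouDn = $live.DistinguishedName -replace '^CN=(?:[^,\\]|\\.)+,', ''
    "== OU checks for $ouDn =="

    # ASSUMPTION: inclusion list is exposed on the connector's partition scope object.
    $connector = Get-ADSyncConnector -Name $ConnectorName
    $included  = $connector.Partitions | ForEach-Object { $_.ConnectorPartitionScope.ContainerInclusionList }
    $inScope   = $included | Where-Object { $ouDn -like "*$_" }
    if ($inScope) { "OU is within the connector's container inclusion list ($inScope)." }
    else          { "OU is NOT in the connector's inclusion list; delta import will never see objects here." }

    # Explicit ACEs only: read normally arrives through groups such as Authenticated Users,
    # so the thing to look for is a Deny entry or an OU with inheritance broken.
    $acl = Get-Acl -Path "AD:\$ouDn"
    "Inheritance blocked on OU: $($acl.AreAccessRulesProtected)"
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -or
                       $_.IdentityReference -like "*$($connAccount.ADConnectorAccountName)*" } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited |
        Format-Table -AutoSize | Out-String
}

# 5. Did the scheduler actually run, and did the last delta cycle log an error? (second answer)
"== Scheduler =="
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, SyncCycleInProgress, SchedulerSuspended,
                                    NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC | Format-List | Out-String
"== Recent sync errors in the Application log =="
# ASSUMPTION: Azure AD Connect sync writes under the 'Directory Synchronization' source.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Directory Synchronization'; Level = 2 } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize | Out-String

# If the object is still in the connector space but AD no longer shows it to the connector
# account, a full cycle re-tags every CS object and drops the unseen ones, as the first
# answer explains:
#   Start-ADSyncSyncCycle -PolicyType Initial
```

Read the output top to bottom: a live object in an OU outside the inclusion list, or an OU with a Deny ACE for the connector account, matches the first answer's explanation; a scheduler that is suspended or a run that logged an error matches the second. Fixing the OU scope or permissions through the Azure AD Connect wizard and then running one full cycle clears the stale connector-space object.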
