Disabled AD Azure Connect, but users are missing from groups Hi,

Question

Disabled AD Azure Connect, but users are missing from groups Hi,

Nick Loenders 51

Hi,

I disabled the sync in my tenant using : Set-MsolDirSyncEnabled -EnableDirSync $false

The status is disabled and the groups are shown as Cloud source now. All good so far, but there are no users in the groups anymore?

Is this normal or what should I do for this?

Accepted answer

1 additional answer

Your answer

Answer 1

@Nick Loenders

Thank you for your time on the call yesterday.

As per our troubleshooting that we did in our call, we found that users are part of AAD. But these users are not part of any of the groups. We found that these users were created directly in AAD.

We moved one of the users from on-premise to a different OU and made that OU as part of sync scope in AD connect. We enabled the sync for tenant and initiated sync. We found that this selected user got merged successfully with AAD user object and also got added to the required groups as it was in on-premises.

As discussed, you have to move all the users to one OU in on-premises and make that OU as part of sync scope in AD connect. Once you run the initial sync in AD connect, all users from on-premises OU will get merged with AAD user objects.
Also, all these users will get added to required groups, same as there groups membership in on-premises.

You can use below command to initiate sync in AD connect,
Start-ADSyncSyncCycle -PolicyType Initial

We also discussed another approach to fix this. You can leave on-premises environment aside and you can make all user objects in AAD as part of groups by manually adding them to their specific groups directly in AAD.

Let us know if you have any further questions on this.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Nick Loenders 51 Reputation points

2022-12-22T12:02:10.953+00:00

I did it a little bit different. I move all disabled users away from the OU's and then synced the top-OU.
Only strange thing was that some (10 out of 300) users were added to AAD with a different primary username.
So I had to delete those from AAD and add the correct AAD user to the securitygroups.

Answer 2

Givary-MSFT 35,626 Microsoft Employee Moderator

@Nick Loenders Thank you for reaching out to us, As I understand you disabled dirsync (directory synchronization with Azure AD) during this process, groups are showing as cloud only, where as group membership is missing.

Ideally this should not happen, would like to start investigating this issue by looking at the users status within Azure AD, do the users exist in Azure AD. You can verify this by going to Home - Azure AD Users Blade or you can use the filter as mentioned in the screenshot to filter users based on sync enabled.

Also i see there could be one possibility (assumption) someone might have unchecked the OU ( where users were located ) in AD Connect configuration which might have triggered the deletion of the user accounts from Azure AD.

Let me know if you have further questions, feel free to post back, if required we can connect offline as well to troubleshoot further.

Nick Loenders 51 Reputation points

2022-12-21T09:37:15.303+00:00

In Azure AD:

In the local Active Directory:

About : "Also i see there could be one possibility (assumption) someone might have unchecked the OU ( where users were located ) in AD Connect configuration which might have triggered the deletion of the user accounts from Azure AD."

Where can I check this then?

BR
Nick
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2022-12-21T09:43:05.603+00:00

@Nick Loenders You can review the Azure AD Audit logs for Group/User change related information, which will give the direction regarding this issue, else send me an email to the above contact details which i shared.

Share via

Disabled AD Azure Connect, but users are missing from groups Hi,

1 additional answer

Your answer