This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I'm working with an organization that hastily setup Azure AD Connect to sync to Azure AD by setting the sync options to sync the entire domain from the ROOT level so now all objects are being synchronized up to Azure AD.
We need to clean out irrelevant objects from Azure AD and sync only scoped OUs moving forward.
Am I correct in understanding the easiest way to clean up the Azure AD objects is to simply reconfigure the Azure AD Connect sync settings to sync only specified on-prem OUs and then run a new "initial sync" job?
My concern which I seek confirmation / clarification on is what will be the actual cleansing effect of a new "initial sync" AD connect job on the current Azure AD Objects?
will it...
or will it...
The reason I need to know is there are products and licenses assigned in Azure AD which I need to ensure remain with the Azure AD users. If an initial sync process will delete and replace the objects on the Azure AD I will have to re-assign all the licenses which is a problem!
Or the short version of my long question above is how do I change Azure AD Connect sync scoped OUs and cleanse out only out of scope users while syncing only in scope users moving forward?
it will:
however, be aware of:
When installing Azure AD Connect, prevent accidental deletes is enabled by default and configured to not allow an export with more than 500 deletes. This feature is designed to protect you from accidental configuration changes and changes to your on-premises directory that would affect many users and other objects.
Thanks Andy,
One last clarification please...we need to change some users OU locations during this work...
Will the Azure AD users and their Azure AD attributes (like products and licenses assigned) remain intact as they are after the new "initial sync" job is run if we change a user's on-prem OU?
My understanding is the "immutable ID" will ensure the Azure AD object will remain bound and stay behind as is so long as the user's new OU location is scoped in the Azure AD connector changes correct?
Correct. As long as the OU syncs with Azure, the objects themselves will as well and their properties will remain intact.