Azure AD Connect Remove One User from Sync But Not From Azure

rr-4098 1,461 Reputation points
2023-08-03T17:52:29.63+00:00

What is the proper way to remove one user from syncing with Azure? I tried removing their immutable ID, waited 45 minutes, and still found the ID present. When I moved the user out of the on-prem sync OU, it removed it from Azure, which is not what we want.


1 answer

  1. Sandeep G-MSFT 18,691 Reputation points Microsoft Employee
    2023-08-07T08:48:09.98+00:00

    @rr-4098

    This can be performed in 2 different ways. One way is to move the user in on-premises AD to non-sync OU and run sync on AD connect.

    This method will move the user in Azure AD to the deleted container.

    Another method is to use sync rules to perform this task.

    Follow the steps below to create a sync rule and apply it only to this user using the object ID.

    To stop Azure AD Connect from syncing one user to Azure, you can use attribute filtering. Here are the steps to exclude a user from syncing to Azure:

    1. Sign in to the server that is running Azure AD Connect sync by using an account that is a member of the ADSyncAdmins security group.
    2. Start Synchronization Rules Editor from the Start menu.
    3. Make sure Inbound is selected and click Add New Rule.
    4. Give the rule a descriptive name, such as "Exclude User from Sync". Select the correct forest, select User as the CS object type, and select Person as the MV object type. In Link Type, select Join. In Precedence, type a value that isn't currently used by another synchronization rule (for example 50), and then click Next.
    5. In Scoping filter, click Add Group, and click "Add clause". In Attribute, select ObjectGUID. Make sure that Operator is set to NOT EQUAL, and type the ObjectGUID of the user you want to exclude in the Value box. Click Next.
    6. Leave the Join rules empty, and then click Next.
    7. Click Add to save the rule.

    This rule will exclude the specified user from syncing to Azure. Please note that it may take some time for the changes to take effect.

    NOTE: Make sure you test this in your test environment first before implementing this in PROD environment.

    Let me know if you have any further questions.

    Please "[Accept the answer](https://docs.microsoft.com/answers/support/accepted-answers)" if the information helped you. This will help us and others in the community as well.
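The same rule the answer above builds in the Synchronization Rules Editor, expressed with the ADSync PowerShell module that ships with Azure AD Connect. This is an added example, not code from the answer or from Microsoft; it assumes the connector name (`contoso.com`) and the excluded user's objectGUID are placeholders you replace, and that the cmdlets are run elevated on the Azure AD Connect server by a member of ADSyncAdmins. It also performs the precedence check from step 4 before creating anything, so a clash with an existing rule aborts the script instead of producing a rule that never applies.

```powershell
# Added example: Synchronization Rules Editor steps 1-7 as ADSync cmdlets.
# Run on the Azure AD Connect server in an elevated PowerShell session.
Import-Module ADSync

$ForestName         = 'contoso.com'                           # placeholder: name of your AD connector
$ExcludedObjectGuid = '00000000-0000-0000-0000-000000000000'  # placeholder: objectGUID of the user to exclude
$RuleName           = 'Exclude User from Sync'
$RulePrecedence     = 50                                      # step 4: must not be used by another rule

# Step 4 check: abort if the chosen precedence is already taken.
if (Get-ADSyncRule | Where-Object { $_.Precedence -eq $RulePrecedence }) {
    throw "Precedence $RulePrecedence is already in use by another sync rule; choose a different value."
}

# Resolve the connector for the selected forest (the "forest" drop-down in step 4).
$connector = Get-ADSyncConnector -Name $ForestName
if (-not $connector) { throw "Connector '$ForestName' not found." }

# Steps 3-4: new inbound rule, CS object type user, MV object type person, link type Join.
$ruleId = [guid]::NewGuid()
New-ADSyncRule `
    -Name $RuleName `
    -Identifier $ruleId `
    -Description 'Scopes to every user except one objectGUID (NOTEQUAL)' `
    -Direction 'Inbound' `
    -Precedence $RulePrecedence `
    -SourceObjectType 'user' `
    -TargetObjectType 'person' `
    -Connector $connector.Identifier `
    -LinkType 'Join' `
    -OutVariable syncRule | Out-Null

# Step 5: one scoping group with a single clause, objectGUID NOTEQUAL <user's GUID>.
$condition = New-Object -TypeName 'Microsoft.IdentityManagement.PowerShell.ObjectModel.ScopeCondition' `
    -ArgumentList 'objectGUID', $ExcludedObjectGuid, 'NOTEQUAL'
Add-ADSyncScopeConditionGroup -SynchronizationRule $syncRule[0] `
    -ScopeConditions @($condition) -OutVariable syncRule | Out-Null

# Steps 6-7: no join conditions are added; save the rule into the sync engine.
Add-ADSyncRule -SynchronizationRule $syncRule[0] | Out-Null

# Verify what the engine stored before running a sync cycle.
Get-ADSyncRule |
    Where-Object { $_.Name -eq $RuleName } |
    Select-Object Name, Direction, Precedence, LinkType, ScopeFilter

# After testing in a non-production environment (see the NOTE above), a delta
# sync applies the rule: Start-ADSyncSyncCycle -PolicyType Delta
```

The exported-script form of a rule (Synchronization Rules Editor, Export) uses the same cmdlets and the same `ScopeCondition` constructor, so the object the script produces can be compared line for line against an export of a rule built through the GUI.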

