synched too many AD objects

Shamik Ghosh 21 Reputation points
2020-03-17T16:29:58.227+00:00

We had a problem where the AD Sync connector was not synchronising any new AD objects past a certain date, and previously it was set up to only sync from a certain OU. I know little about Azure AD but was asked to troubleshoot, and guessed that the reason the connector wasn't working was because there were no domain partitions selected, nor were any of the run configurations filled with any steps, it appeared somehow this config was lost. So I have reselected the domain partition on the local adsync connector, and populated the run configurations with the necessary steps, and now it appears too many AD objects have synched to Azure AD. The issue I have is that the service account used for the adsync, we have lost the password for it, so will need to reset it first in order to filter by OU, but if we do that, will the excessive objects in Azure AD automatically get removed or will they remain? If they remain, how can they be removed from Azure AD (because we want only objects from one OU being synched to the cloud) but left to remain on our on prem AD?

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,806 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Vasil Michev 96,836 Reputation points MVP
    2020-03-17T17:08:02.11+00:00

    If you apply any sort of filter, either by OU/domain or by using rules, the corresponding objects will be removed from Azure AD.

    0 comments No comments

  2. Jan Ketil Skanke 96 Reputation points MVP
    2020-03-17T19:14:03.31+00:00

    Hi, first of, you do not need the password for the sync account in Azure AD to change your sync scope. The only thing you need is to re-run the wizard and change your scope settings again in the wizard. That is the easiest way to change this. If you go in through the sync enginge, you can actually use any account with permissions in AD to change the settings, it will not replace the service account actually being used for sync. In fact if you allowed AAD Connect to create the service account on your behalf, you would never know the password of this account at all.

    Secondly, you must be aware that there is a fail-safe implemented in AAD Connect (prevent accidential delete) . So if the scope change deletes more than 500 items, it will halt and you need to go into powershell to temporariliy disable the failsafe using the cmdlet Enable-ADSyncExportDeletionThreshold

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-prevent-accidental-deletes

    Hope this helps.

    0 comments No comments