![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 34%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKY%3C/text%3E%3C/svg%3E)
25,081 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 68%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKS%3C/text%3E%3C/svg%3E)
Hi @Kimberly Yearry,
In addition to the solution provided by @Andy David - MVP ,I would like to provide additional information on the issue.
Few Recommendations:
1.The error you mentioned can occur when an object was converted from a synced user to a cloud-only user, however, the user may not have been deleted properly from the on-prem AD. Is that the case with you? There are two options for resolving this properly.
Option A: Identify the affected object in Azure AD. Confirm if you really want to delete the object. If that's the case, simply use Mg graph PowerShell to permanently delete the object from Azure AD. Run the following commands:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser
Install-Module Microsoft.Graph -Scope CurrentUser -Repository PSGallery -Force
Connect-MgGraph -Scopes "Directory.AccessAsUser.All" and enter your global admin credentials
Get-MgDirectoryDeletedItem -All | Where-Object {$_.UserPrincipalName -eq "user@example.com"}
Remove-MgDirectoryDeletedItem -DirectoryObjectId <ObjectId>
Trigger a delta sync by running the cmdlet: "Start-ADSyncSyncCycle -PolicyType Delta"
Here is the referenced document for removing user using Microsoft graph PowerShell: Remove-MgUser
Option B: If the object has been deleted in Active Directory but you want to keep the "Cloud-Only" object in AAD, simply use PowerShell to clear the SourceAnchor / ImmutableID from the object. Run the cmdlet:
Connect-MgGraph -Scopes "User.ReadWrite.All", "Directory.AccessAsUser.All"
Update-MgUser -UserId "******@contoso.com" -OnPremisesImmutableId "$null"
Trigger Delta sync: "Start-ADSyncSyncCycle -PolicyType Delta"
Here is the Microsoft document used as reference: Update-MgUser.
2.If the error appears on the Export step to the AAD connector on Azure AD Connect: This is likely caused by the account being restored after being deleted by the Azure AD Connect service, before it could confirm the account was deleted. In this case, delete the cloud object and restore it after Azure Ad Connect has synced and confirm the deletion.
I hope this information is helpful. Please feel free to reach out if you have any further questions.
If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".
