Disabled Dirsync and re-enable with Set-MsolDirSyncEnabled

Question

hello,

We are syncing from onpremises AD the accounts with ADCONNECT and password ash ync.

I have some orphaned objectos in Azure AD. Last Thursday at around 12:30 PM I disabled dirsync with cmdlel "Set-MsolDirSyncEnabled -EnableDirsync $false " to be able to remove the objectos, and then re-enable it.

Now I doubt if this was a good idea....

• First point is that it is still in "PendingDisable" state, I know it can take up to 72 hours, but still...
• Secondly, now I am not so sure what will happend with accounts, for what I had read previously in order for accounts to vonvert to cloud only it is necessary to change immutableID to $null, but is this still a thing or will all accounts be converted to CloudOnly after the change completes? If that is so, when I enable it back, will the accounts happily sync again or will I get duplicate accounts for everyone?

Answer 1

Here you can find more info regarding the pendingdisable.

https://learn.microsoft.com/en-us/answers/questions/26721/adconnect-reinstallation-problem.html

Answer 2

The connection between on premise and cloud account is based on two attributes

• Hard match Where AD UPN + ObjectGUID/msds-consistencyGUID == AAD UPN + ImmutableID(SourceAnchor)
• Soft Match Where AD UPN +proxyAddress = AAD UPN + proxyAddress

What I understand from your description, that you have broken the hard match. In this case, soft match must work and AAD should not create duplicate accounts. You mentioned that you have some orphan objects in AAD and you did to remove orphan objects.

Did you try steps mentioned here - https://support.microsoft.com/en-us/help/2709902/object-deletions-aren-t-synchronized-to-azure-ad-when-using-the-azure

Answer 3

Thanks mate. O365 support executed a diagnostic that fixed the issue. As soon as they did that objects started converting to cloud only. Then I could delete de orphaned object, enable sync again and all objects switched back to windows ad.