DeletingCloudOnlyObjectNotAllowed

Hoai Tran 26 Reputation points
2022-06-27T20:43:03.193+00:00

Hello,

I receive this error "DeletingCloudOnlyObjectNotAllowed" multiple times a day. I'm not sure how to resolve it. I've been looking all over the place but still can't find the solution. Our on-premises Active Directory syncs with Azure AD. Please help!

Thank you,

Azure CycleCloud

Accepted answer
  1. KarishmaTiwari-MSFT 18,367 Reputation points Microsoft Employee
    2022-06-28T00:47:22.213+00:00

    @Hoai Tran

    Thanks for posting your query on Microsoft Q&A.
    Can you please share your complete scenario to help us understand your query better? For example, when are you seeing this error?
    Also, which Azure services/products is it related to?
    You have added the Azure CycleCloud tag; I wanted to confirm whether this issue is related to Azure CycleCloud in any way.

    A few recommendations:

    1. The error you mentioned can occur when an object was converted from a synced user to a cloud-only user, but the user was not deleted properly from the on-premises AD. Is that the case for you? There are two options for resolving this properly.

    Option a:
    Identify the affected object in Azure AD. Confirm if you really want to delete the object. If that's the case, simply use PowerShell to permanently delete the object from Azure AD.
    Run the cmdlet : "Connect-MsolService" and enter your global admin credentials
    Next, run : "Remove-MsolUser -ObjectId "<user's object ID>" -RemoveFromRecycleBin"
    Trigger a delta sync by running the cmdlet : "Start-ADSyncSyncCycle -PolicyType Delta"

    Option b:
    If the object has been deleted in Active Directory but you want to keep the "cloud-only" object in AAD, simply use PowerShell to clear the SourceAnchor / ImmutableID on the object.
    Run the cmdlet: "Connect-MsolService" and enter your global admin credentials
    Next, run: "Set-MsolUser -ObjectId "<user's object ID>" -ImmutableId "$null""
    Trigger a delta sync by running the cmdlet : "Start-ADSyncSyncCycle -PolicyType Delta"

    2. If the error appears on the Export step to the AAD connector in Azure AD Connect:
    This is likely caused by the account being restored after it was deleted by the Azure AD Connect service, before the service could confirm the account was deleted. In this case, delete the cloud object and restore it after Azure AD Connect has synced and confirmed the deletion.

    7 people found this answer helpful.
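The two options in the accepted answer, combined into one script as an added example (not code from the answer or from Microsoft). It assumes the MSOnline module is installed, that it runs on the Azure AD Connect server so the ADSync cmdlets are available, and that the ActiveDirectory module can reach the on-premises domain; the UPN and the -KeepCloudObject switch are placeholders chosen here for illustration. Before touching anything it decodes the ImmutableId back to the on-premises objectGUID and checks whether that object still exists, because if it does the sync engine will keep trying to re-link it and neither option will stick.

```powershell
# Added example (not from the answer above). Assumes MSOnline, ActiveDirectory and ADSync
# modules are available and that this runs on the Azure AD Connect server.
# $Upn and $KeepCloudObject are placeholders chosen for illustration.
param(
    [Parameter(Mandatory)] [string] $Upn,   # e.g. 'jdoe@contoso.com' (placeholder)
    [switch] $KeepCloudObject               # option b (clear ImmutableId) instead of option a (delete)
)

Import-Module MSOnline -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop
Import-Module ADSync -ErrorAction Stop
Connect-MsolService                         # prompts for Global Administrator credentials

# 1. Identify the affected object and show the fields that matter for this error.
$user = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop
$user | Select-Object DisplayName, UserPrincipalName, ObjectId, ImmutableId, LastDirSyncTime | Format-List

if (-not $user.ImmutableId) {
    Write-Warning "No ImmutableId on $Upn; it is already cloud-only, nothing to clear."
    return
}

# 2. The default SourceAnchor is the base64-encoded on-premises objectGUID. Decode it and
#    check whether that AD object still exists; if it does, fix AD first.
$guid   = [guid]::new([Convert]::FromBase64String($user.ImmutableId))
$onPrem = Get-ADObject -Identity $guid -ErrorAction SilentlyContinue
if ($onPrem) {
    Write-Warning "On-premises object $($onPrem.DistinguishedName) (objectGUID $guid) still exists; sync will keep re-linking it."
    return
}

# 3. Confirm before doing anything irreversible.
$action = if ($KeepCloudObject) { "clear the ImmutableId on" } else { "PERMANENTLY delete" }
if ((Read-Host "Type YES to $action $Upn") -ne 'YES') { return }

if ($KeepCloudObject) {
    # Option b: detach the cloud object from the (now gone) on-premises object.
    Set-MsolUser -ObjectId $user.ObjectId -ImmutableId "$null"
} else {
    # Option a: soft-delete, then purge from the recycle bin so the export can complete.
    Remove-MsolUser -ObjectId $user.ObjectId -Force
    Remove-MsolUser -ObjectId $user.ObjectId -RemoveFromRecycleBin -Force
}

# 4. Push the change through with a delta sync and wait for the cycle to finish.
Start-ADSyncSyncCycle -PolicyType Delta
do { Start-Sleep -Seconds 10 } while ((Get-ADSyncScheduler).SyncCycleInProgress)
Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue |
    Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime
```

Run it as `.\Fix-CloudOnlyObject.ps1 -Upn jdoe@contoso.com` for option a or add `-KeepCloudObject` for option b. The purge from the recycle bin is deliberately a second step after the soft delete: the `-RemoveFromRecycleBin` switch acts on an object that is already deleted, and once it runs there is no way to restore the user, so the script insists on an explicit YES first. If you have moved to Microsoft Graph PowerShell, the same clearing of the anchor can be done with a PATCH of `onPremisesImmutableId` to null on the user object; that path is not shown here.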

3 additional answers

  1. Alex Wells 16 Reputation points
    2022-08-09T12:58:56.143+00:00

    Open the Azure AD Connect server.
    Open PowerShell as Admin.
    Run
    Set-ADSyncScheduler -SyncCycleEnabled $false

    to stop the sync cycle.

    Go to Connectors.

    Right-click the AD connector => Delete
    Choose "Delete connector space only" => OK

    Then right-click the Azure connector and do the same.

    Then in PowerShell
    run
    Set-ADSyncScheduler -SyncCycleEnabled $true

    Then go to Services and restart the Microsoft Azure service.

    Then in PowerShell run
    Start-ADSyncSyncCycle -PolicyType Initial

    Then it will be fixed.

    3 people found this answer helpful.
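The scheduler and service steps of the answer above, wrapped in a script as an added example (not the answerer's code). It assumes it runs elevated on the Azure AD Connect server with the ADSync module available and that the Windows service is named ADSync. What it adds beyond the answer is a check that no sync cycle is in flight before the scheduler is stopped and before the service is restarted, so a connector space is never deleted while an export is mid-way; the connector-space deletion itself is still done in Synchronization Service Manager, and the script pauses for that.

```powershell
# Added example (not from the answer above). Run elevated on the Azure AD Connect server.
# Assumes the ADSync module and a Windows service named ADSync.
Import-Module ADSync -ErrorAction Stop

function Wait-ADSyncIdle {
    # Block until no sync cycle is running; deleting connector spaces or restarting the
    # service during an export is how objects end up half-deleted.
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        Write-Host "Sync cycle in progress, waiting..."
        Start-Sleep -Seconds 15
    }
}

$before = Get-ADSyncScheduler
Write-Host "Scheduler before: Enabled=$($before.SyncCycleEnabled) NextPolicy=$($before.NextSyncCyclePolicyType) Staging=$($before.StagingModeEnabled)"

# 1. Stop the scheduler and let the current cycle drain.
Set-ADSyncScheduler -SyncCycleEnabled $false
Wait-ADSyncIdle

# 2. Pause here and delete the connector spaces in Synchronization Service Manager
#    ("Delete connector space only" for the AD connector and the Azure AD connector).
Get-ADSyncConnector | Select-Object Name, Identifier
Read-Host "Connector spaces deleted in Synchronization Service Manager? Press Enter to continue"

# 3. Re-enable the scheduler and restart the sync service.
Set-ADSyncScheduler -SyncCycleEnabled $true
Restart-Service -Name ADSync -Force
Wait-ADSyncIdle

# 4. Full import/sync/export, then report the scheduler state once it is idle again.
Start-ADSyncSyncCycle -PolicyType Initial
Wait-ADSyncIdle
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, SyncCycleInProgress, NextSyncCyclePolicyType, NextSyncCycleStartTimeInUTC
```

Deleting both connector spaces forces every object to be re-imported and re-joined on the next Initial cycle, so on a large tenant expect the full cycle to take a long time and review the Operations tab (or the export step's pending counts) before concluding the error is gone. If the server is in staging mode the Initial cycle will not export, which the printed StagingModeEnabled value makes visible up front.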

  2. Hoai Tran 26 Reputation points
    2022-06-28T21:19:56.657+00:00

    Hello,

    Thanks for getting back to me. I was able to resolve the issue by deleting the users in Azure AD. I was able to identify the users via the Azure AD Synchronization Service Manager.

    Regards,
    Hoai


  3. harish kumar 0 Reputation points
    2024-04-02T18:06:06.3266667+00:00