AD sync with AAD grabbed all my users in my on-premise AD by mistake

19. November 2015

Problem statement

When you set up Azure Active Directory synchronisation, it is easy to end up synchronising every account in your on-premises AD into AAD. There are several ways to filter the list of accounts you want to sync.

The easy way is to have a top-level OU in your Active Directory and only sync from this OU (OU-based filtering).

So I did, and forgot I had a whole list of service accounts under this OU as well

So now I want to clean up!

Root Cause

OK, so I moved these away from the OU, but unfortunately the AAD sync did not see those as deleted, and hence did not remove them from AAD, as they were in fact not deleted.

Solution

To clean up your AAD you can do the following:

  • Log in to the machine that runs the AAD sync.
  • Log in as the AD account that is tied to your Azure sync.
  • Open the Azure Active Directory module for PowerShell.
  • Execute “Connect-MsolService”.
  • You will now be prompted for an account. This should be the administrator account in AAD that is “Sourced From” Microsoft Azure Active Directory (a cloud-only account), NOT the on-premises account.
  • This should connect you to Azure.
  • Then execute “Remove-MsolUser -ObjectId xxxxxxxxxxxxxxxxxxxxx”.
  • The ObjectId can be found under the user’s profile in the Azure portal.
  • This removes the user from AAD. Because the account in AD is no longer in an OU that is synchronised, it will not be re-created on the next sync, and the cleanup is complete.
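The steps above, and the earlier point that service accounts left under the synced OU are the ones that get picked up, as one PowerShell script. This is an added example and is not code from the original post. It assumes the MSOnline module and the ActiveDirectory RSAT module are installed on the sync machine, that the synced OU is `OU=Sync,DC=corp,DC=example`, and that the on-premises UPN suffix is the same as the AAD domain; the OU path, the sample account names and the service-account heuristic (SPN set, password never expires, or an `svc` name prefix) are all hypothetical and should be adjusted to your environment.

```powershell
# Added example (not from the original post). Cleans up service accounts that
# were synchronised into AAD by mistake and have since been moved out of the
# synced OU. Run on the sync server, signed in as the sync service account;
# answer the Connect-MsolService prompt with a cloud-only AAD administrator.
Import-Module MSOnline
Import-Module ActiveDirectory

$SyncedOU = 'OU=Sync,DC=corp,DC=example'   # hypothetical: your OU-filter root

# Accounts still under the synced OU that look like service accounts.
# Heuristic only (hypothetical naming convention); tune it for your domain.
function Get-ServiceAccountsInSyncedOU {
    Get-ADUser -SearchBase $SyncedOU -Filter * -Properties servicePrincipalName, PasswordNeverExpires |
        Where-Object { $_.servicePrincipalName -or $_.PasswordNeverExpires -or $_.SamAccountName -like 'svc*' } |
        Select-Object SamAccountName, UserPrincipalName, DistinguishedName
}

# True while the account is still in scope of the sync. Deleting such an
# account from AAD is pointless: the next sync cycle re-creates it.
function Test-InSyncedOU {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $adUser = Get-ADUser -Identity $SamAccountName
    return $adUser.DistinguishedName -like "*,$SyncedOU"
}

# Remove the AAD copy of accounts that have been moved out of the synced OU.
# -HardDelete also purges the object from the AAD recycle bin; without it the
# user is soft-deleted and can be restored for a limited period.
function Remove-StaleSyncedUser {
    param(
        [Parameter(Mandatory)][string[]]$SamAccountName,
        [switch]$HardDelete,
        [switch]$DryRun
    )
    foreach ($sam in $SamAccountName) {
        if (Test-InSyncedOU -SamAccountName $sam) {
            Write-Warning "$sam is still under $SyncedOU; move it out of scope first."
            continue
        }
        $adUser = Get-ADUser -Identity $sam
        # Assumes the on-prem UPN suffix is a verified AAD domain; if it is not
        # (e.g. .local), look the user up by the rewritten onmicrosoft.com UPN.
        $cloud = Get-MsolUser -UserPrincipalName $adUser.UserPrincipalName -ErrorAction SilentlyContinue
        if (-not $cloud) { Write-Host "$($adUser.UserPrincipalName) not in AAD, nothing to do"; continue }

        # Safety checks: only touch objects that came from this AD account.
        if (-not $cloud.LastDirSyncTime) {
            Write-Warning "$($cloud.UserPrincipalName) is cloud-only; skipping."
            continue
        }
        $expectedImmutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
        if ($cloud.ImmutableId -ne $expectedImmutableId) {
            Write-Warning "$($cloud.UserPrincipalName) ImmutableId does not match on-prem objectGUID; skipping."
            continue
        }

        if ($DryRun) { Write-Host "Would remove $($cloud.UserPrincipalName) (ObjectId $($cloud.ObjectId))"; continue }
        Remove-MsolUser -ObjectId $cloud.ObjectId -Force
        if ($HardDelete) { Remove-MsolUser -ObjectId $cloud.ObjectId -RemoveFromRecycleBin -Force }
        Write-Host "Removed $($cloud.UserPrincipalName) (ObjectId $($cloud.ObjectId))"
    }
}

Connect-MsolService   # use the cloud-only AAD administrator, not the on-prem account

# What is still going to be synced next cycle?
Get-ServiceAccountsInSyncedOU | Format-Table

# Dry run first, then for real (hypothetical account names).
Remove-StaleSyncedUser -SamAccountName 'svc-backup', 'svc-sql' -DryRun
# Remove-StaleSyncedUser -SamAccountName 'svc-backup', 'svc-sql' -HardDelete

# Soft-deleted users can be reviewed with:
# Get-MsolUser -ReturnDeletedUsers | Select-Object UserPrincipalName, ObjectId
```

The ImmutableId check is the equivalent of reading the ObjectId off the user profile by hand: the sync stamps the on-premises objectGUID (base64-encoded) onto the cloud object, so comparing the two confirms you are deleting the copy of exactly that AD account and not a cloud-only user with the same name.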

Things to watch

When I do these operations, I always log on to the machine as the administrator account that was originally set up to sync between AD and AAD. It seems that some problems just disappear, as this account always has the correct access to communicate.
