AD sync with AAD grabbed all my users in my on-premise AD by mistake
When you set up Azure Active Directory synchronization, by default all of your on-premise accounts are synchronized into AAD. There are several ways to filter the list of accounts you want to sync.
The easy way is to have a top-level OU in your Active Directory and only sync from that OU.
So I did, and forgot I had a whole list of service accounts under this OU as well.
So now I want to clean up!
OK, so I moved these out of the OU, but unfortunately the AAD sync did not see them as deleted (and hence did not remove them from AAD), as they were in fact not deleted.
To clean up your AAD you can do the following:
- Log on to the machine that runs the AAD sync
- Log on as the AD account that is tied to your Azure sync
- Open the Azure Active Directory Module for Windows PowerShell
- Execute the following: “Connect-MsolService”
- You will now be prompted for an account. This account should be the administrator account in AAD that is “Sourced From” Microsoft Azure Active Directory, NOT the on-premise (synced) account
- In My Case
- Display Name: AXVAdmin
- Username: AXVAdmin@……onmicrosoft.com
- Sourced From: Microsoft Azure Active Directory
- This should connect you to Azure
- Then execute the following: “Remove-MsolUser –ObjectId xxxxxxxxxxxxxxxxxxxxx”
- The ObjectId can be found on the user's profile page in the Azure portal, or with “Get-MsolUser –UserPrincipalName user@yourdomain”
- This removes the user from AAD. Because the on-premise user is no longer in a synchronized OU, it will not be re-created on the next sync cycle, and you have successfully cleaned up
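Doing this by hand for a whole list of service accounts is tedious and error-prone, so here is an added example (not code from the original post) that automates the same steps: it builds the set of on-premise users still under the synced OU, compares it against every AAD user that was ever synced, and removes the leftovers. It assumes the MSOnline and ActiveDirectory PowerShell modules are installed, and the OU distinguished name in $SyncedOU is a placeholder you must replace with your own. The match is done on ImmutableId, which is the base64-encoded on-premise objectGUID that the sync engine uses to pair a cloud object with its source.

```powershell
# Added example, not from the original post. Finds AAD users that were synced from
# on-premise AD but whose source account is no longer under the synced OU, and
# removes them. Run it after a sync cycle has completed so the engine has seen the move.
param(
    [string]$SyncedOU = 'OU=AzureSync,DC=example,DC=local',   # assumption: replace with your top-level sync OU
    [switch]$DryRun = $true                                   # report only; pass -DryRun:$false to actually delete
)

Import-Module ActiveDirectory
Import-Module MSOnline

# Connect as the cloud-only (…onmicrosoft.com) admin, as described in the steps above.
Connect-MsolService

# 1. Collect the ImmutableId of every on-premise user that is still in scope.
#    ImmutableId in AAD == base64(objectGUID) of the on-premise account.
$inScope = @{}
Get-ADUser -Filter * -SearchBase $SyncedOU -SearchScope Subtree |
    ForEach-Object {
        $immutableId = [Convert]::ToBase64String($_.ObjectGUID.ToByteArray())
        $inScope[$immutableId] = $_.DistinguishedName
    }

# 2. A leftover is an AAD user that was synced at some point (LastDirSyncTime is set)
#    but whose ImmutableId no longer matches any account under the OU.
#    Cloud-only users (no ImmutableId) are never touched.
$leftovers = Get-MsolUser -All | Where-Object {
    $_.LastDirSyncTime -and $_.ImmutableId -and -not $inScope.ContainsKey($_.ImmutableId)
}

if (-not $leftovers) {
    Write-Host 'Nothing to clean up.'
    return
}

foreach ($u in $leftovers) {
    if ($DryRun) {
        Write-Host ('[dry-run] would remove {0} ({1})' -f $u.UserPrincipalName, $u.ObjectId)
        continue
    }
    try {
        # Remove-MsolUser is a soft delete: the user sits in the AAD recycle bin for 30 days
        # and can be brought back with Restore-MsolUser. A second call with
        # -RemoveFromRecycleBin purges it permanently.
        Remove-MsolUser -ObjectId $u.ObjectId -Force
        Write-Host ('removed {0} ({1})' -f $u.UserPrincipalName, $u.ObjectId)
    }
    catch {
        # Typical cause: the sync engine still considers the object in scope, in which case
        # AAD refuses to delete a synced user. Wait for the next sync cycle and retry.
        Write-Warning ('could not remove {0}: {1}' -f $u.UserPrincipalName, $_.Exception.Message)
    }
}
```

Always do the dry run first and read the list; the only thing separating "service accounts I forgot about" from "users whose OU I reorganized last week" is whether you expected them to be there. Note also that Microsoft has since retired the MSOnline module in favour of the Microsoft Graph PowerShell SDK; the same logic carries over, with Get-MgUser exposing the on-premises sync attributes and Remove-MgUser doing the deletion.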
Things to watch
When I do these operations, I always log on to the machine as the administrator account that was originally set up to sync between AD and AAD. It seems that some problems just disappear, as this account always has the correct access to communicate.