Deletion threshold in Office 365 or Azure AD Connect


Recently I had one of these head-scratching moments. We were connecting an on-premises Active Directory (approx. 80,000 objects) to Office 365 using Azure AD Connect. We had a list of OUs that was supposed to be synchronized with Office 365, and after running the Azure AD Connect wizard all objects in the corresponding OUs were synchronized to Office 365.

The next day we got feedback from the organization that the wrong OUs had been synchronized and that we had to select different OUs (we had configured the OUs correctly, but the list we were given was not correct).

When you deselect an OU in the Synchronization Service Manager (miisclient.exe in the C:\Program Files\Microsoft Azure AD Sync\UIShell directory, as shown in the following screenshot) you would expect that all objects in this OU are no longer synchronized and would disappear from Office 365.

[Screenshot: Synchronization Service Manager, OU selection]

However, nothing was deleted in the Microsoft Online Portal, and all users continued to exist. Forcing synchronization did not help; neither an initial sync (i.e. a full sync) nor even a reboot of the Azure AD Connect server made any difference.

While clicking around and looking at the Synchronization Service Manager I suddenly noticed the stopped-deleted-threshold-exceeded status warning appear:

[Screenshot: Synchronization Service Manager showing the stopped-deleted-threshold-exceeded status]

It turns out that there is a threshold of 500 objects when deleting (lots of) objects, and this is exactly what happened in my scenario. The OUs that we deselected contained over 600 user objects, so Azure AD Sync exceeded the threshold and did not delete the users in Office 365.

The reason for this is to prevent ‘accidental deletions’ where OUs are deselected unintentionally, resulting in lots of users being deleted in Office 365.

You can remove the threshold in PowerShell using the Disable-ADSyncExportDeletionThreshold command. When prompted, enter the tenant administrator credentials.

[Screenshot: running Disable-ADSyncExportDeletionThreshold in PowerShell]

Now when the threshold has been disabled you can force a full synchronization using PowerShell (Start-ADSyncSyncCycle -PolicyType Initial) and watch the results:

[Screenshot: Synchronization Service Manager after the full sync, showing the exported deletions]

When the Sync has finished and all users are deleted in Office 365 you should enable the threshold using the following command:

Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500

Note. Don’t forget this last step to prevent any future accidental deletions!
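The whole procedure, as an added PowerShell example that is not part of the original post and not Microsoft's own script: before lifting the threshold it counts the user objects in the deselected OUs so you can confirm that the number of pending deletions is the number you expect, then runs one full sync and restores the threshold in a finally block so it is not forgotten. It assumes the ADSync module on the Azure AD Connect server (Disable-/Enable-/Get-ADSyncExportDeletionThreshold, Start-ADSyncSyncCycle, Get-ADSyncScheduler) and the ActiveDirectory module; the OU distinguished name is a placeholder.

```powershell
# Added example: lift the Azure AD Connect export deletion threshold only for one
# verified, deliberate clean-up, then put it back. Run in an elevated PowerShell
# session on the Azure AD Connect server. The OU DN below is a placeholder, not a
# value from the post.
Import-Module ADSync
Import-Module ActiveDirectory

$DeselectedOUs = @(
    'OU=Deselected-Placeholder,DC=example,DC=local'   # placeholder OU DN
)
$Threshold = 500   # default threshold mentioned in the post

# 1. Count the user objects that leave the sync scope when these OUs are deselected.
$expected = 0
foreach ($ou in $DeselectedOUs) {
    $users = Get-ADObject -SearchBase $ou -SearchScope Subtree -Filter 'objectClass -eq "user"'
    $expected += ($users | Measure-Object).Count
}
Write-Host "Expected deletions: $expected (threshold: $Threshold)"

# 2. If the count is within the threshold, a normal full sync will export the deletes;
#    there is no reason to remove the protection.
if ($expected -le $Threshold) {
    Write-Host 'Below threshold; run Start-ADSyncSyncCycle -PolicyType Initial without disabling it.'
    return
}

# 3. The threshold exists to stop accidental mass deletes, so require explicit confirmation.
$answer = Read-Host "Lift the deletion threshold and let $expected objects be deleted from Office 365? (yes/no)"
if ($answer -ne 'yes') { return }

try {
    # 4. Lift the threshold (prompts for tenant administrator credentials) and run a full sync.
    Disable-ADSyncExportDeletionThreshold
    Start-ADSyncSyncCycle -PolicyType Initial

    # 5. Wait until the scheduler reports that the cycle has finished.
    do {
        Start-Sleep -Seconds 30
    } while ((Get-ADSyncScheduler).SyncCycleInProgress)
}
finally {
    # 6. Always restore the threshold, even if the sync cycle failed.
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold $Threshold
    Get-ADSyncExportDeletionThreshold   # show the restored value for the change record
}
```

The count in step 1 is the check worth keeping even if you run the cmdlets by hand: if it is far larger than the number of objects you meant to remove, the OU list is wrong and the threshold is doing exactly what it was designed for.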

4 thoughts on “Deletion threshold in Office 365 or Azure AD Connect”

    1. And this limit is there as well for verified domains, but it’s increased during validation. I’ve seen one customer (MS Premier support customer) that needed to raise even that higher limit 😉

