Recently I had one of those head-scratching moments. We were connecting an on-premises Active Directory (approx. 80,000 objects) to Office 365 using Azure AD Connect. We had a list of OUs that was supposed to be synchronized with Office 365, and after running the Azure AD Connect wizard all objects in the corresponding OUs were synchronized to Office 365.
The next day we got feedback from the organization that the wrong OUs had been synchronized and that we had to select different OUs (we had configured the OUs correctly, but the list we were given was not correct).
When you deselect an OU in the Synchronization Service Manager (miisclient.exe in the C:\Program Files\Microsoft Azure AD Sync\UIShell directory, as shown in the following screenshot) you would expect all objects in that OU to stop being synchronized and to disappear from Office 365.
However, nothing was deleted in the Microsoft Online Portal and all users continued to exist. Forcing synchronization did not help; neither an initial sync (i.e. a full sync) nor a reboot of the Azure AD Connect server made any difference.
While clicking, trying and looking at the Synchronization Service Manager I suddenly noticed the stopped-deletion-threshold-exceeded status warning appear:
It turns out that there is a threshold of 500 objects when deleting (lots of) objects, and this is what happened in my scenario. The OUs we deselected contained over 600 user objects, so Azure AD Sync exceeded the threshold and did not delete the users in Office 365.
The reason for this is to prevent 'accidental deletions', where OUs are deselected unintentionally, resulting in lots of users being deleted in Office 365.
You can remove the threshold in PowerShell using the Disable-ADSyncExportDeletionThreshold command. When prompted, enter the tenant administrator credentials.
Now that the threshold has been disabled you can force a full synchronization using PowerShell (Start-ADSyncSyncCycle -PolicyType Initial) and watch the results:
When the sync has finished and all users have been deleted in Office 365 you should re-enable the threshold using the following command:
Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500
Note: don't forget this last step to prevent any future accidental deletions!
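The three steps above (disable the threshold, run a full sync, re-enable the threshold) as one script, added here as an example and not part of the original post. It records the threshold state before and after, and waits for the scheduler to report the sync cycle finished before re-enabling, so the threshold is not left disabled by accident. It assumes it is run in the ADSync PowerShell module on the Azure AD Connect server; the Get-ADSyncExportDeletionThreshold and Get-ADSyncScheduler cmdlets and the SyncCycleInProgress property come from that module, the 500 value is the one the post restores, and the 30-second polling interval is an arbitrary choice.

```powershell
# Added example (not from the original post): disable the export deletion
# threshold, force a full sync, then re-enable the threshold once the cycle ends.
# Assumes the ADSync module on the Azure AD Connect server.
Import-Module ADSync

$Threshold = 500   # value restored at the end; 500 is the default the post uses

# 1. Record the current state so it can be compared afterwards.
Write-Output "Deletion threshold before:"
Get-ADSyncExportDeletionThreshold

# 2. Disable the threshold (prompts for tenant administrator credentials).
Disable-ADSyncExportDeletionThreshold

# 3. Force a full (initial) synchronization cycle.
Start-ADSyncSyncCycle -PolicyType Initial

# 4. Poll the scheduler until it reports that no cycle is in progress.
#    The first sleep gives the scheduler time to pick up the cycle request.
do {
    Start-Sleep -Seconds 30   # polling interval, chosen arbitrarily
    $inProgress = (Get-ADSyncScheduler).SyncCycleInProgress
    Write-Output "Sync cycle in progress: $inProgress"
} while ($inProgress)

# 5. Re-enable the threshold straight away; this is the step the post warns not to skip.
Enable-ADSyncExportDeletionThreshold -DeletionThreshold $Threshold

Write-Output "Deletion threshold after:"
Get-ADSyncExportDeletionThreshold
```

Before running step 2, check the number of pending deletions shown for the export run in the Synchronization Service Manager against the number of objects you actually expect to remove; the threshold exists precisely so that an unexpected count is noticed before anything is exported.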