A cool and powerful feature to stop bulk accidental/intentional deletion exports in an Azure AD hybrid environment

This is a hidden gem in the Azure AD Connect sync configuration, and I had been looking for a feature like this for some time. I noticed it was available while migrating the tool to a new server, when reviewing the new config before committing it.

There can be many reasons for this kind of mishap to take place:

  • Intentional or accidental deletions
  • Changing Azure AD Sync scopes and unchecking OUs that are already syncing
  • An OU is renamed so all objects in it are considered to be out of scope for synchronization

The default value at which the export is halted is 500 deletions, but this can be changed to a lower number to minimize the risk.

Command to see the current threshold:

Get-ADSyncExportDeletionThreshold


Change the threshold as required:

Enable-ADSyncExportDeletionThreshold -DeletionThreshold 10
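The check-and-change steps above, wrapped into a small policy script. This is an added example, not code from the original post: it reads the current setting, derives a threshold from the size of the synced OUs (the 1% rule with a floor of 10 is my own assumption), and only ever tightens the value. It assumes the ADSync and ActiveDirectory modules are available on the Azure AD Connect server, that the OU paths are placeholders for your sync scope, and that Get-ADSyncExportDeletionThreshold returns DeletionPrevention and DeletionThreshold properties.

```powershell
# Added example, not from the original post. Run on the Azure AD Connect server.
Import-Module ADSync
Import-Module ActiveDirectory

# Assumption: these OUs are the ones in the sync scope (placeholder DNs).
$SyncedOUs    = @('OU=Users,DC=contoso,DC=local', 'OU=Staff,DC=contoso,DC=local')
$MinThreshold = 10   # floor, so routine leaver churn does not halt the export

function Get-RecommendedDeletionThreshold {
    param([string[]]$OUs, [int]$Floor)
    # Count the users that actually sync, so the threshold scales with the directory
    $count = 0
    foreach ($ou in $OUs) {
        $count += (Get-ADUser -Filter * -SearchBase $ou | Measure-Object).Count
    }
    # Rule of thumb (assumption): halt if more than 1% of synced users would be deleted at once
    return [math]::Max($Floor, [int][math]::Ceiling($count * 0.01))
}

function Set-DeletionThresholdIfLooser {
    param([int]$Recommended)
    # Assumption: output object exposes DeletionPrevention (1 = enabled) and DeletionThreshold
    $current = Get-ADSyncExportDeletionThreshold
    $enabled = ([int]$current.DeletionPrevention -eq 1)
    if ($enabled -and [int]$current.DeletionThreshold -le $Recommended) {
        Write-Host "Threshold already tight enough: $($current.DeletionThreshold)"
        return $false
    }
    # Only tighten: a disabled or looser setting is what this guard is for
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold $Recommended
    $after = Get-ADSyncExportDeletionThreshold
    Write-Host "Deletion threshold now $($after.DeletionThreshold) (prevention=$($after.DeletionPrevention))"
    return $true
}

$recommended = Get-RecommendedDeletionThreshold -OUs $SyncedOUs -Floor $MinThreshold
Set-DeletionThresholdIfLooser -Recommended $recommended
```

Scheduling this after each sync-scope change keeps the threshold from drifting upward as OUs are added or removed.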

What will happen?

  • This will stop the export of the deletion changes to Office 365 that would otherwise remove the users there. Admins can safely reinstate the local AD accounts/OU scopes and reverse the situation.
  • Synchronization Service Manager (miisclient.exe) will show the run status stopped-deletion-threshold-exceeded

  • An alert email describing the issue will also be sent to the technical contact/administrator

Check which objects are about to be deleted:

  1. Start Synchronization Service > Connectors > Azure Active Directory
  2. Under Actions to the right, select Search Connector Space.
  3. In the pop-up under Scope, select Disconnected Since and pick a time in the past. Click Search. This page provides a view of all objects about to be deleted. By clicking each item, you can get additional information about the object. You can also click Column Setting to add additional attributes to be visible in the grid.

Additional notes

While it’s safer to have a smaller number for the threshold, it’s always recommended to enable the AD Recycle Bin as well, so that in the case of a user deletion the accounts can be reinstated without much hassle.
