How To Remove Orphaned “Synced” Users/Groups From Azure AD

In this post, I will explain how to remove users or groups from Azure AD that were synchronized into Azure AD (your tenant) but are left behind after removing Azure AD Connect – typically this is a lab scenario.

Production Environment

Almost every search result you will find discusses this scenario, where you want to remove users/groups from Azure AD without removing Azure AD Connect. The solution is pretty simple:

  1. Create one or more OUs in your on-premises Active Directory to hold the objects that should not be synchronized to Azure AD.
  2. Modify the sync configuration of Azure AD Connect to sync only required OUs – exempt your new OU(s).
  3. Move the unwanted objects to the new OU(s).
  4. Wait for the next Azure AD Connect sync cycle (every 30 minutes by default), or force it yourself.

The users/groups in the exempted OU(s) will automatically be removed from Azure AD.

But what about orphaned objects when Azure AD Connect has already been uninstalled/disconnected?

Removing Orphaned Synced Users/Groups

You are going to need Azure AD PowerShell to make this work. I used the v1 (MSOnline) cmdlets and they worked; I haven't tried the v2 (AzureAD) cmdlets, which might also work. Basically, you cannot do this in the Azure Portal, but you can do it using Azure AD PowerShell.

First I signed into Azure AD using a tenant administrator (global admin):

Connect-MsolService

Then I queried my groups:

Get-MsolGroup

I removed the unwanted groups one at a time:

Get-MsolGroup -SearchString "DisplayNameOfGroup" | Remove-MsolGroup

I confirmed deletion using PowerShell – note that the Azure Portal will take a few minutes to realise that the groups were removed!

Get-MsolGroup

My example is done using groups, but the user version of the cmdlets should work too.

Remove-MsolUser -UserPrincipalName <userprincipalname>
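The same clean-up as a reviewable script, added here as an example rather than the post's own commands. It uses the MSOnline (v1) module, assumes a Global Administrator session, keeps a dry-run switch on by default so nothing is deleted until the listed objects have been checked, and verifies that directory synchronization is actually disabled first, since objects still mastered on-premises cannot be deleted from the cloud side. The "Lab Admins" allow-list entry is a constructed placeholder.

```powershell
# Added example, not the post's own script. Requires the MSOnline module and a
# Global Administrator sign-in. Leave $DryRun = $true until the output is verified.
$DryRun     = $true
$KeepGroups = @('Lab Admins')   # constructed placeholder: synced groups to keep

Connect-MsolService

# Synced objects stay read-only while DirSync is enabled; refuse to continue
# rather than fail half-way through. Disabling sync can take a while to apply.
if ((Get-MsolCompanyInformation).DirectorySynchronizationEnabled) {
    throw 'Directory sync is still enabled. Run Set-MsolDirSyncEnabled -EnableDirSync $false and wait before retrying.'
}

# Only objects that came from on-premises carry a LastDirSyncTime; cloud-only
# groups have none, so this filter leaves them untouched.
$orphanGroups = Get-MsolGroup -All |
    Where-Object { $null -ne $_.LastDirSyncTime -and $KeepGroups -notcontains $_.DisplayName }
$orphanUsers  = Get-MsolUser -All -Synchronized

# Review the candidate list before anything is removed.
Write-Host "Synced groups selected for removal: $($orphanGroups.Count)"
$orphanGroups | Select-Object DisplayName, ObjectId, LastDirSyncTime | Format-Table -AutoSize
Write-Host "Synced users selected for removal: $($orphanUsers.Count)"
$orphanUsers  | Select-Object UserPrincipalName, ObjectId, LastDirSyncTime | Format-Table -AutoSize

if ($DryRun) {
    Write-Host 'Dry run only; set $DryRun = $false to delete the objects listed above.'
    return
}

foreach ($g in $orphanGroups) {
    # -Force suppresses the per-object confirmation prompt.
    Remove-MsolGroup -ObjectId $g.ObjectId -Force
    Write-Host "Removed group $($g.DisplayName)"
}

foreach ($u in $orphanUsers) {
    # Users are soft-deleted into the recycle bin for 30 days and can be
    # brought back with Restore-MsolUser; add -RemoveFromRecycleBin to purge.
    Remove-MsolUser -ObjectId $u.ObjectId -Force
    Write-Host "Removed user $($u.UserPrincipalName)"
}

# Confirm from PowerShell; the portal lags behind by a few minutes.
Get-MsolGroup -All | Where-Object { $null -ne $_.LastDirSyncTime } | Measure-Object
Get-MsolUser -All -Synchronized | Measure-Object
```

Run it once with the dry run enabled, compare the listed objects against what you expect to be orphaned, and only then flip the switch.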

Did you Find This Post Useful?

If you found this information useful, then imagine what 2 days of training might mean to you. I’m delivering a 2-day course in London on July 5-6, teaching newbies and experienced Azure admins about Azure Infrastructure. There’ll be lots of in-depth information, covering the foundations, best practices, troubleshooting, and advanced configurations. You can learn more here.

One thought on “How To Remove Orphaned “Synced” Users/Groups From Azure AD”

  1. Thanks for the solution, I searched for how to solve this problem for 2 days. It was actually very easy. 🙂
