How To Remove Orphaned “Synced” Users/Groups From Azure AD

In this post, I will explain how to remove users or groups from Azure AD that were synchronized into Azure AD (your tenant) but are left behind after removing Azure AD Connect – typically this is a lab scenario.

Production Environment

Almost every search result you will find discusses this scenario, where you want to remove users/groups from Azure AD without removing Azure AD Connect. The solution is pretty simple:

  1. Create one or more OUs in the “on-premises” Active Directory (Azure AD Users & Groups). These OUs will hold the objects that should not be synchronized to Azure AD.
  2. Modify the sync configuration of Azure AD Connect to sync only required OUs – exempt your new OU(s).
  3. Move the unwanted objects to the new OU(s).
  4. Wait for the next Azure AD Connect sync cycle (every 30 minutes by default), or force it yourself.

The users/groups in the exempted OU(s) will automatically be removed from Azure AD.
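The four steps above, carried out with the on-premises ActiveDirectory (RSAT) module and the ADSync module, as an added example that is not part of the original post. Step 2 (OU filtering) is configured in the Azure AD Connect wizard and is left as a comment. The OU name, the group names and the CSV path are constructed values; the first part runs on any domain-joined admin workstation, the last part on the Azure AD Connect server.

```powershell
# Added example: stage objects for removal from Azure AD while Azure AD Connect stays in place.
# Requires the ActiveDirectory module (RSAT) for steps 1 and 3 and the ADSync module for step 4.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'NoSync'                      # constructed OU name
$ouDn     = "OU=$ouName,$domainDn"

# Step 1: create the exempt OU if it does not exist yet.
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouDn'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# Step 2 (manual): in the Azure AD Connect wizard choose "Customize synchronization options",
# then under "Domain and OU filtering" untick the OU created above so it is no longer synced.

# Step 3: move the unwanted objects into the exempt OU, keeping an audit trail of what moved.
$toStage = @('Old Project Team', 'Legacy App Users')   # constructed group names
$moved = foreach ($name in $toStage) {
    $found = @(Get-ADGroup -Filter "Name -eq '$name'")
    if ($found.Count -eq 0) { Write-Warning "No group named '$name'; skipping"; continue }
    if ($found.Count -gt 1) { Write-Warning "Name '$name' is ambiguous ($($found.Count) hits); skipping"; continue }
    Move-ADObject -Identity $found[0].DistinguishedName -TargetPath $ouDn
    [pscustomobject]@{
        Name    = $name
        OldDn   = $found[0].DistinguishedName
        MovedTo = $ouDn
        When    = (Get-Date -Format s)
    }
}
$moved | Export-Csv -Path '.\staged-for-removal.csv' -NoTypeInformation   # constructed path

# Step 4 (on the Azure AD Connect server): check the export deletion threshold, then force a delta sync.
# If the number of pending deletions exceeds the threshold, the export halts and nothing is removed,
# which is the safety net you want before a bulk removal.
Import-Module ADSync
Get-ADSyncExportDeletionThreshold
Start-ADSyncSyncCycle -PolicyType Delta
```

The exact-name match in step 3 matters: a wildcard or prefix match could sweep a similarly named group into the exempt OU and delete it from Azure AD on the next cycle. The CSV gives you the list of distinguished names to move back if a deletion turns out to be wrong.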

But what about orphaned objects when Azure AD Connect has already been uninstalled/disconnected?

Removing Orphaned Synced Users/Groups

You are going to need Azure AD PowerShell to make this work. I used the v1 cmdlets and they worked; I haven’t tried the v2 cmdlets, which might also work. You cannot do this in the Azure Portal, but you can do it with Azure AD PowerShell.

First I signed into Azure AD using a tenant administrator (global admin):

Connect-MsolService

Then I queried my groups:

Get-MsolGroup

I removed the unwanted groups one at a time:

Get-MsolGroup -SearchString "DisplayNameOfGroup" | Remove-MsolGroup

I confirmed deletion using PowerShell – note that the Azure Portal will take a few minutes to realise that the groups were removed!

Get-MsolGroup

My example is done using groups, but the user version of the cmdlets should work too.

Remove-MsolUser -UserPrincipalName <userprincipalname>
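The same removal as a function, added here as an example rather than taken from the original post. It uses the v1 (MSOnline) cmdlets shown above, matches on the exact display name rather than the prefix that -SearchString returns, refuses to act on cloud-only objects (no LastDirSyncTime), and supports a dry run. The group names, user principal names and the Remove-OrphanedSynced* function names are constructed.

```powershell
# Added example: remove orphaned synced groups and users with the MSOnline (v1) cmdlets.
Import-Module MSOnline
Connect-MsolService    # sign in as a Global Administrator

function Remove-OrphanedSyncedGroup {
    param(
        [Parameter(Mandatory)][string[]]$DisplayName,
        [switch]$DryRun
    )
    foreach ($name in $DisplayName) {
        # -SearchString is a prefix match ("Sales" also returns "Sales-Admins"),
        # so narrow to the exact display name and stop on anything ambiguous.
        $found = @(Get-MsolGroup -All -SearchString $name | Where-Object { $_.DisplayName -eq $name })
        if ($found.Count -eq 0) { Write-Warning "No group named '$name'"; continue }
        if ($found.Count -gt 1) { Write-Warning "$($found.Count) groups named '$name'; skipping"; continue }
        $group = $found[0]
        if (-not $group.LastDirSyncTime) {
            Write-Warning "'$name' was never synced from on-premises (cloud-only); skipping"
            continue
        }
        if ($DryRun) { "[DryRun] would remove group '$($group.DisplayName)' ($($group.ObjectId))"; continue }
        Remove-MsolGroup -ObjectId $group.ObjectId -Force
        "Removed group '$($group.DisplayName)' ($($group.ObjectId))"
    }
}

function Remove-OrphanedSyncedUser {
    param(
        [Parameter(Mandatory)][string[]]$UserPrincipalName,
        [switch]$DryRun
    )
    foreach ($upn in $UserPrincipalName) {
        $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
        if (-not $user) { Write-Warning "No user '$upn'"; continue }
        if (-not $user.LastDirSyncTime) { Write-Warning "'$upn' is cloud-only; skipping"; continue }
        if ($DryRun) { "[DryRun] would remove user '$upn' ($($user.ObjectId))"; continue }
        Remove-MsolUser -ObjectId $user.ObjectId -Force
        "Removed user '$upn' ($($user.ObjectId))"
    }
}

# Dry run first, then the real removal (constructed names).
Remove-OrphanedSyncedGroup -DisplayName 'Old Project Team', 'Legacy App Users' -DryRun
Remove-OrphanedSyncedGroup -DisplayName 'Old Project Team', 'Legacy App Users'
Remove-OrphanedSyncedUser  -UserPrincipalName 'jdoe@contoso.example' -DryRun

# Confirm what synced objects remain; the portal lags a few minutes behind this view.
Get-MsolGroup -All | Where-Object { $_.LastDirSyncTime } | Select-Object DisplayName, ObjectId, LastDirSyncTime
```

Removed users land in the Azure AD recycle bin for 30 days and can be listed with Get-MsolUser -ReturnDeletedUsers, so a mistaken user deletion is recoverable; group deletions in the v1 cmdlets are not, which is why the dry run comes first.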

Did you Find This Post Useful?

If you found this information useful, then imagine what 2 days of training might mean to you. I’m delivering a 2-day course in London on July 5-6, teaching newbies and experienced Azure admins about Azure Infrastructure. There’ll be lots of in-depth information, covering the foundations, best practices, troubleshooting, and advanced configurations. You can learn more here.

Disable Already Removed Azure AD Connect

It’s possible that someone removes your Azure AD Connect server(s) and you then want to switch off Azure AD Connect synchronisation in Azure AD. The Azure Portal does not give you the option to remove synchronisation, so you have to use Azure AD PowerShell instead. In my example I used the v1 cmdlets; the v2 cmdlets might also work.

I logged into Azure AD:

Connect-MsolService

Then I checked the current configuration:

Get-MsolDirSyncConfiguration

I disabled Azure AD Connect synchronisation:

Set-MsolDirSyncEnabled -EnableDirSync $false

I then checked my work:

(Get-MsolCompanyInformation).DirectorySynchronizationEnabled
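The disable sequence above in one script, added here as an example and not part of the original post. It records the tenant state before the change, skips the call when sync is already off, and then polls Get-MsolCompanyInformation because the flag does not flip the instant Set-MsolDirSyncEnabled returns. The 30-minute polling deadline is an arbitrary constructed value.

```powershell
# Added example: disable directory synchronisation with the MSOnline (v1) cmdlets and confirm it.
Import-Module MSOnline
Connect-MsolService    # sign in as a Global Administrator

# Record the state before touching anything; LastDirSyncTime tells you when a sync server last spoke to the tenant.
$before = Get-MsolCompanyInformation
[pscustomobject]@{
    DirectorySynchronizationEnabled = $before.DirectorySynchronizationEnabled
    LastDirSyncTime                 = $before.LastDirSyncTime
} | Format-List

if (-not $before.DirectorySynchronizationEnabled) {
    Write-Host 'Directory synchronisation is already disabled; nothing to do.'
    return
}

# The accidental deletion threshold is part of the sync configuration worth noting before you switch it off.
Get-MsolDirSyncConfiguration

Set-MsolDirSyncEnabled -EnableDirSync $false -Force

# Poll until the tenant reports the change or the (constructed) deadline passes.
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 60
    $enabled = (Get-MsolCompanyInformation).DirectorySynchronizationEnabled
    "$(Get-Date -Format s)  DirectorySynchronizationEnabled = $enabled"
} while ($enabled -and (Get-Date) -lt $deadline)

if ($enabled) {
    Write-Warning 'Tenant still reports sync enabled; Microsoft documents that disabling can take hours to complete.'
} else {
    Write-Host 'Directory synchronisation is now disabled.'
}
```

Once the flag reads false, the objects that were synced become cloud-managed and can be edited in the portal again, and you cannot turn synchronisation back on until that conversion has finished, so do not run this in a production tenant where the Azure AD Connect server might simply be offline rather than gone.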

Straight over to the Azure Portal (Azure Active Directory > Azure AD Connect), and I verified that synchronisation was disabled:

[Screenshot: Azure Active Directory > Azure AD Connect, showing synchronisation disabled]
