{"id":21171,"date":"2018-06-01T13:36:00","date_gmt":"2018-06-01T12:36:00","guid":{"rendered":"https:\/\/aidanfinn.com\/?p=21171"},"modified":"2018-05-30T13:58:46","modified_gmt":"2018-05-30T12:58:46","slug":"how-to-remove-orphaned-synced-users-groups-from-azure-ad","status":"publish","type":"post","link":"https:\/\/aidanfinn.com\/?p=21171","title":{"rendered":"How To Remove Orphaned “Synced” Users\/Groups From Azure AD"},"content":{"rendered":"

In this post, I will explain how to remove users or groups from Azure AD that were synchronized into Azure AD (your tenant) but are left behind after removing Azure AD Connect \u2013 typically this is a lab scenario.<\/p>\n

Production Environment<\/h2>\n

Almost every search result you will find discusses this scenario, where you want to remove users\/groups from Azure AD without removing Azure AD Connect. The solution is pretty simple:<\/p>\n

    \n
  1. Create an OU(s) in the \u201con-premises\u201d using Active Directory (Azure AD Users & Groups). This OU will be used to store objects that won\u2019t be synchronized to Azure AD.<\/li>\n
  2. Modify the sync configuration of Azure AD Connect to sync only required OUs \u2013 exempt your new OU(s).<\/li>\n
  3. Move the unwanted objects to the new OU(s).<\/li>\n
  4. Wait for the next Azure AD Connect sync cycle (every 30 minutes by default), or force it yourself.<\/li>\n<\/ol>\n

    The users\/groups in the exempted OU(s) will automatically be removed from Azure AD.<\/p>\n

    But what about orphaned objects when Azure AD Connect has already been uninstalled\/disconnected?<\/p>\n

    Removing Orphaned Synced Users\/Groups<\/h2>\n

    You are going to need Azure AD PowerShell to make this work. I tried it using the v1 cmdlets, it worked, and I haven\u2019t tried the v2 cmdlets, which might also work. Basically, you cannot do this in the Azure Portal, but you can do it using Azure AD PowerShell.<\/p>\n

    First I signed into Azure AD using a tenant administrator (global admin):<\/p>\n

    Connect-MsolService<\/pre>\n
    Then I queried my groups:<\/p>\n
    Get-MsolGroup<\/pre>\n
    I removed the unwanted groups one at a time:<\/p>\n
    Get-MsolGroup -SearchString \"DisplayNameOfGroup\" | Remove-MsolGroup<\/pre>\n
    I confirmed deletion using PowerShell \u2013 note that the Azure Portal will take a few minutes to realise that the groups were removed!<\/p>\n
    Get-MsolGroup<\/pre>\n
    My example is done using groups, but the user version of the cmdlets should work too.<\/p>\n
    Remove-MsolUser -UserPrincipalName <userprincipalname><\/pre>\n
    Did you Find This Post Useful?<\/h2>\n
    If you found this information useful, then imagine what 2 days of training might mean to you. I’m delivering a 2-day course in London on July 5-6, teaching newbies and experienced Azure admins about Azure Infrastructure. There’ll be lots of in-depth information, covering the foundations, best practices, troubleshooting, and advanced configurations. You can learn more here<\/a>.<\/p>\n
    \"\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
    In this post, I will explain how to remove users or groups from Azure AD that were synchronized into Azure AD (your tenant) but are left behind after removing Azure AD Connect \u2013 typically this is a lab scenario. Production Environment Almost every search result you will find discusses this scenario, where you want to … Continue reading “How To Remove Orphaned “Synced” Users\/Groups From Azure AD”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":18440,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[5],"tags":[155,274],"class_list":["post-21171","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","tag-azure-ad","tag-azure-ad-connect"],"aioseo_notices":[],"jetpack_featured_media_url":"https:\/\/aidanfinn.com\/wp-content\/uploads\/2015\/06\/AzureADCloudSun.png","amp_enabled":true,"_links":{"self":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/21171","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=21171"}],"version-history":[{"count":3,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/21171\/revisions"}],"predecessor-version":[{"id":21179,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/posts\/21171\/revisions\/21179"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=\/wp\/v2\/media\/18440"}],"wp:attachment":[{"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=21171"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=21171"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/aidanfinn.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=21171"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}