How to Configure Azure AD Connect Sync and Cloud Sync Tools to Prevent Accidental Object Deletions

This blog post combines an old and a new feature of the Azure AD Connect Sync and Azure AD Cloud Sync tools. The deletion threshold in AAD Connect Sync has existed for a long time; what is new is that the Cloud Sync client now offers the same protection against accidental deletions.

There can be many reasons for this kind of mishap to take place:

  • Intentional or accidental deletions
  • Changing Azure AD Sync scopes and unchecking OUs that are already syncing
  • An OU is renamed so all objects in it are considered to be out of scope for synchronization

What I will be covering 👇🏽

  1. How to Configure Azure AD Connect Sync
    1. Command to see the current threshold
    2. Change the threshold as required
    3. What will happen?
    4. Check which objects are about to be deleted
  2. How to Configure Azure AD Cloud Sync
    1. Rejecting deletions
  3. Wrapping Up

How to Configure Azure AD Connect Sync

By default, Azure AD Connect halts the export when it contains 500 or more deletions. This value can be lowered to minimize the risk.

Command to see the current threshold

Log on to the Azure AD Connect server and run the following command:

Get-ADSyncExportDeletionThreshold

Change the threshold as required

Enable-ADSyncExportDeletionThreshold -DeletionThreshold 10

What will happen?

  • Once the number of pending deletions reaches the threshold, the export of those deletion changes to Azure AD is stopped, so the users are not removed from the cloud directory. Admins can safely reinstate the local AD accounts or OU scopes and reverse the situation.
  • Synchronization Service Manager (MIIS.exe) will show the stopped-deletion-threshold-exceeded status for the export run.
  • An alert email mentioning the issue is also sent to the administrator.

Check which objects are about to be deleted

  • Start Synchronization Service > Connectors > Azure Active Directory
  • Under Actions on the right, select Search Connector Space.
  • In the pop-up, under Scope, select Disconnected Since and pick a time in the past, then click Search. This page lists all objects about to be deleted. Clicking an item shows additional information about the object, and Column Setting lets you add further attributes to the grid.
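The two cmdlets above, combined into a small script that lowers the threshold and verifies the result before trusting it. This is an added example, not code from the original post; it assumes the ADSync module that ships with Azure AD Connect, and that Get-ADSyncExportDeletionThreshold returns an object with DeletionThresholdEnabled and DeletionThreshold properties.

```powershell
# Added example (not from the original post): set and verify the Azure AD Connect
# export deletion threshold on the Connect server.
# Assumes the ADSync module is present and that Get-ADSyncExportDeletionThreshold
# returns DeletionThresholdEnabled / DeletionThreshold properties.
Import-Module ADSync

function Set-SafeDeletionThreshold {
    param(
        [Parameter(Mandatory)][ValidateRange(1, 2147483647)][int]$Threshold
    )

    $before = Get-ADSyncExportDeletionThreshold
    Write-Host ("Current: enabled={0} threshold={1}" -f `
        $before.DeletionThresholdEnabled, $before.DeletionThreshold)

    # Never raise a threshold that is already stricter than the one requested.
    if ($before.DeletionThresholdEnabled -and $before.DeletionThreshold -le $Threshold) {
        Write-Host "Existing threshold is already at or below $Threshold; nothing to do."
        return $before
    }

    Enable-ADSyncExportDeletionThreshold -DeletionThreshold $Threshold

    # Read the setting back instead of assuming the cmdlet succeeded.
    $after = Get-ADSyncExportDeletionThreshold
    if (-not $after.DeletionThresholdEnabled -or $after.DeletionThreshold -ne $Threshold) {
        throw "Verification failed: enabled=$($after.DeletionThresholdEnabled) threshold=$($after.DeletionThreshold)"
    }
    Write-Host "Deletion threshold is now $($after.DeletionThreshold) (enabled)."
    return $after
}

# Lower the halt point from the default 500 to 10, as in the post.
Set-SafeDeletionThreshold -Threshold 10

# When a large deletion is genuinely intended, lift the protection for that one
# run only and restore it straight afterwards so the server never stays unprotected:
#   Disable-ADSyncExportDeletionThreshold
#   Start-ADSyncSyncCycle -PolicyType Delta
#   Enable-ADSyncExportDeletionThreshold -DeletionThreshold 10
```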

How to Configure Azure AD Cloud Sync

As of September 2022, Microsoft has announced that the same protection is now available in the Azure AD Cloud Sync tool as well.

This is managed through the Azure AD portal itself. If you already have the Cloud Sync tool installed and running:

  • Go to the Entra portal (https://entra.microsoft.com)
  • Azure Active Directory > Hybrid Management > Azure AD Connect > Manage Azure AD cloud sync
  • Click the domain under Configuration

Under Settings, fill in the same information: the notification email address, the "prevent accidental deletions" check mark, and the threshold. The default is 500, but as you can see below I have set it to 3.

When the sync runs, it detects the deletions and sets the status to Delete threshold exceeded. Click the three dots next to the status and select View provisioning logs. If you are certain the deletions are intended, select the Allow deletions option.

The Provisioning Logs contain all the details of the sync; filter the Actions column on StagedDelete to see only the held deletions.

Rejecting deletions

If you do not want to allow the deletions, do the following:

  • Investigate the source of the deletions
  • Fix the issue (for example, an OU was moved out of scope accidentally and you have now added it back to the scope)
  • Run Restart sync on the agent configuration

Wrapping Up

While a smaller threshold is safer, it is always recommended to enable the AD Recycle Bin as well; if users are deleted, the accounts can then be reinstated without much hassle.
