Deleted Object On Premise is still showing a synced Cloud Object


Hello All,

 

I have seen a few recent cases about objects that were deleted on-premises but were not deleted in O365. I have noticed this is most common for groups, such as distribution groups or security groups. When groups are deleted on-premises, the deletion is not replicated via AAD Connect: it is as if AAD Connect does not pick up the change to the on-premises object and therefore never tries to sync it to O365. I am still investigating why this happens, but I wanted to write up a quick resolution for the general public. To resolve this issue and clear out the orphaned object, I found that the easiest resolution is to clear out the metaverse information for the objects and run a full sync. In most cases running a full sync should resolve the issue; the steps below go further and completely clear the metaverse information and resync all objects. These steps are not impactful to users, but the sync may take a while to complete. My recommendation is to run the following steps at the end of the business day and let the sync run by itself.

 

  1. Open AAD Connect and select Connectors.
  2. Right-click your Windows Azure Active Directory connector and select Delete.
  3. Delete the connector space ONLY from that specific connector.
  4. Next, perform steps 2-3 for the on-premises connector.
  5. Finally, run a full sync to resync all O365 objects. This may take anywhere from a few minutes to a few hours depending on how many objects you are syncing. Fewer than 10k objects should finish syncing in about 15 minutes. Over 100k objects may take up to 2 hours or longer; nonetheless, user accounts will not be impacted during the sync.
    1. Start-ADSyncSyncCycle -PolicyType Initial
  6. Once the full sync is complete you can perform a lookup to see if the object is still in the cloud. In PowerShell connected to O365, run one of the following cmdlets, depending on whether the object is a user, a group, or a contact.
    1. Get-MsolUser -SearchString [alias]
    2. Get-MsolGroup -SearchString [alias]
    3. Get-MsolContact -SearchString [alias]
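
Steps 5 and 6 combined into one script, as an added example that is not part of the original post: it triggers the Initial sync cycle, waits for the scheduler to report the cycle finished, then searches O365 for the alias as a user, group and contact. It assumes the ADSync module is installed on the AAD Connect server, that Connect-MsolService has already been run in the same session, and that $Alias is a placeholder for the deleted object's alias.

```powershell
# Added example, not from the original post. Run on the AAD Connect server after
# clearing both connector spaces (steps 1-4). Assumes Connect-MsolService was already
# run in this session; $Alias is a placeholder for the on-premises-deleted object.
param(
    [Parameter(Mandatory)] [string] $Alias
)

Import-Module ADSync

# Step 5: an Initial (full) cycle rebuilds the metaverse from both connector spaces.
Start-ADSyncSyncCycle -PolicyType Initial | Out-Null

# Poll the scheduler until the cycle is no longer in progress. On a large
# directory this loop can run for hours, which is why the post recommends
# starting it at the end of the business day.
do {
    Start-Sleep -Seconds 30
    $scheduler = Get-ADSyncScheduler
    Write-Host ("Sync cycle in progress: {0}" -f $scheduler.SyncCycleInProgress)
} while ($scheduler.SyncCycleInProgress)

# Step 6: look the alias up as each object type the post mentions. Wrapping each
# pipeline in @() keeps an empty result from adding a $null entry to $found.
$found = @()
$found += @(Get-MsolUser -SearchString $Alias |
    Select-Object @{n='Type';e={'User'}}, @{n='Name';e={$_.UserPrincipalName}}, ObjectId)
$found += @(Get-MsolGroup -SearchString $Alias |
    Select-Object @{n='Type';e={'Group'}}, @{n='Name';e={$_.DisplayName}}, ObjectId)
$found += @(Get-MsolContact -SearchString $Alias |
    Select-Object @{n='Type';e={'Contact'}}, @{n='Name';e={$_.DisplayName}}, ObjectId)

if ($found.Count -eq 0) {
    Write-Host "No object matching '$Alias' remains in O365; the orphan was cleaned up."
} else {
    Write-Warning "Object(s) matching '$Alias' still exist in O365 after the full sync:"
    $found | Format-Table -AutoSize
}
```

Because -SearchString does a prefix match, the output can include other objects whose name starts with the alias; compare the Name column before concluding the orphan is still present.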

      Delete Connector

      Comments (1)

      1. turbomcp says:

        Thanks