This is a hidden gem for Azure AD Sync connect configurations and I was looking for a feature like this for some time now. I noticed this was available while trying to perform a migration of the tool to a new server and when reviewing the new config before committing.
There can be many reasons for this kind of mishap to take place:
- Intentional or accidental deletions
- Changing Azure AD Sync scopes and unchecking OUs that are already syncing
- An OU is renamed so all objects in it are considered to be out of scope for synchronization
The default threshold that halts the export is 500 deletions, but it can be lowered to reduce the risk.
Command to see the current threshold
Change the threshold as required:
Enable-ADSyncExportDeletionThreshold -DeletionThreshold 10
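As an added example (not code from the original post), a PowerShell script that audits the current threshold and lowers it to a chosen policy ceiling when it is disabled or too high. It assumes the ADSync module on the Azure AD Connect server, an elevated session, and that Get-ADSyncExportDeletionThreshold returns DeletionThreshold and IsThresholdEnabled properties (an assumption).

```powershell
# Added example, not part of the original post.
# Audits the Azure AD Connect export deletion threshold and lowers it
# to a policy ceiling if it is disabled or higher than allowed.
# Assumptions: ADSync module present (Azure AD Connect server), elevated
# session, and Get-ADSyncExportDeletionThreshold exposing the properties
# DeletionThreshold and IsThresholdEnabled.
param(
    [int]$MaxAllowed = 10   # policy ceiling chosen for this example
)

Import-Module ADSync -ErrorAction Stop

$current = Get-ADSyncExportDeletionThreshold

if (-not $current.IsThresholdEnabled) {
    # With the threshold disabled, an export could delete any number of objects.
    Write-Warning "Export deletion threshold is DISABLED."
}
else {
    Write-Host ("Current export deletion threshold: {0}" -f $current.DeletionThreshold)
}

if (-not $current.IsThresholdEnabled -or $current.DeletionThreshold -gt $MaxAllowed) {
    Write-Host "Lowering threshold to $MaxAllowed ..."
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold $MaxAllowed

    # Re-read the setting so the change is confirmed from the service itself.
    $after = Get-ADSyncExportDeletionThreshold
    Write-Host ("New threshold: {0} (enabled: {1})" -f `
        $after.DeletionThreshold, $after.IsThresholdEnabled)
}
else {
    Write-Host "Threshold already within policy; no change made."
}
```

Run it from the Azure AD Connect server after each scope change so the ceiling survives reconfiguration and migrations.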
What will happen?
- This stops the deletion changes from being exported to Office 365, so the users are not removed there. Admins can safely reinstate the local AD accounts or OU scopes and reverse the situation.
- Synchronization Service Manager (MIIS.exe) will show the stopped-deletion-threshold-exceeded status.
- An alert email describing the issue is also sent to the administrator.
Check which objects are about to be deleted
- Start Synchronization Service > Connectors > Azure Active Directory
- Under Actions to the right, select Search Connector Space.
- In the pop-up, under Scope, select Disconnected Since and pick a time in the past, then click Search. The result lists all objects about to be deleted; clicking an item shows additional information about the object, and Column Setting lets you add further attributes to the grid.
While a smaller threshold is safer, it is always recommended to also enable the AD Recycle Bin, so that deleted user accounts can be reinstated without much hassle.