You can't manage or remove objects that were synced from the on-premises Active Directory Domain Services to Windows Azure AD

Article ID: 2619062 - View products that this article applies to.

PROBLEM

Consider the following scenario. You want to manually manage or remove objects that were created through directory synchronization from Windows Azure Active Directory (Windows Azure AD). For example, you want to remove an orphaned user account that was synced to Windows Azure AD from your on-premises Active Directory Domain Services (AD DS). However, you cannot remove the orphaned user account by using the Office 365 portal or by using Windows PowerShell.

CAUSE

This issue may occur if one or more of the following conditions are true:
  • Cause 1: The on-premises AD DS is no longer available. Therefore, you can't manage or delete the object from the on-premises environment.
  • Cause 2: You deleted an object from the on-premises AD DS. However, the object wasn't deleted from your Office 365 organization. This is unexpected behavior.

SOLUTION

For Cause 1: You want to manage objects in Office 365, and you no longer want to use directory synchronization.
  1. Install the Windows Azure Active Directory Module for Windows PowerShell. For more info, go to the following Microsoft website:
  2. Connect to Windows Azure Active Directory (Windows Azure AD) by using Windows PowerShell. For more info about how to do this, go to the following Microsoft website:
    Connect to Windows Azure AD Using Windows PowerShell
  3. Disable directory synchronization. To do this, type the following cmdlet, and then press Enter:
    Set-MsolDirSyncEnabled -EnableDirSync $false
  4. Check that directory synchronization was fully disabled by using Windows PowerShell. To do this, run the following cmdlet periodically:
    (Get-MSOLCompanyInformation).DirectorySynchronizationEnabled
    This cmdlet will return True or False. Continue to run this cmdlet periodically until it returns False, and then go to the next step.

    Note It may take 72 hours for deactivation to be completed. The time depends on the number of objects that are in your Office 365 subscription account.
  5. Try to update an object by using Windows PowerShell or by using the Office 365 portal.
Note
  • Step 4 may take a while to be completed. There is a process in the Microsoft Office 365 environment that computes attribute values. The process must be completed before the objects can be changed by using Windows PowerShell or by using the Office 365 portal.
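
Steps 2 through 4 of the Cause 1 procedure as one script. This is an added example, not Microsoft's own code; it also records which users are currently synced before synchronization is turned off, so later cloud-side edits can be reviewed before any re-enable. The parameter names $SnapshotPath, $PollMinutes and $MaxHours and the CSV file name are assumptions made here.

```powershell
# Added example, not part of the original article. Requires the MSOnline module (step 1).
# Assumption: $SnapshotPath, $PollMinutes and $MaxHours are hypothetical names chosen here.
param(
    [string]$SnapshotPath = ".\synced-users-before-disable.csv",
    [int]$PollMinutes = 30,
    [int]$MaxHours = 72      # the article's stated upper bound for deactivation
)

Import-Module MSOnline
Connect-MsolService          # step 2: prompts for a tenant administrator credential

# Record the directory-synced users and their last sync time. After dirsync is
# disabled these become cloud-managed, and this list is the baseline for auditing
# what was changed in the cloud before synchronization is ever re-enabled.
Get-MsolUser -All -Synchronized |
    Select-Object UserPrincipalName, ObjectId, ImmutableId, LastDirSyncTime |
    Export-Csv -Path $SnapshotPath -NoTypeInformation

# Step 3: request deactivation (-Force suppresses the confirmation prompt).
Set-MsolDirSyncEnabled -EnableDirSync $false -Force

# Step 4: poll until the tenant reports False; stop with an error after $MaxHours.
$deadline = (Get-Date).AddHours($MaxHours)
while ((Get-MsolCompanyInformation).DirectorySynchronizationEnabled) {
    if ((Get-Date) -gt $deadline) {
        throw "Directory synchronization is still enabled after $MaxHours hours."
    }
    Write-Host ("{0:u} still enabled; checking again in {1} min" -f (Get-Date), $PollMinutes)
    Start-Sleep -Seconds ($PollMinutes * 60)
}

Write-Host "Directory synchronization is disabled. Continue with step 5."
```
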
For Cause 2: You delete an object from an on-premises AD DS. However, the object isn't deleted from your Office 365 subscription account.

Force directory synchronization by using the steps on the following Microsoft website:
Force directory synchronization
  • If some updates and deletions are propagated, but some deletions aren't synchronized to Office 365, perform typical directory synchronization troubleshooting procedures.
  • If all updates and deletions aren't synchronized to Office 365, contact Office 365 Support.
Note As an alternative resolution for this scenario, an object can be manually deleted in Office 365. However, the object can't be updated in Office 365. For more information about how to resolve this issue, click the following article number to view the article in the Microsoft Knowledge Base:
2709902 Object that's deleted from on-premises Active Directory isn't removed from Microsoft Online Services after directory synchronization

MORE INFORMATION

To re-enable directory synchronization, run the following cmdlet:
Set-MsolDirSyncEnabled -EnableDirSync $true
Warning It is important to plan carefully when you re-enable directory synchronization. If you used the Office 365 portal or Windows PowerShell to make any changes directly to the objects that were originally synchronized from on-premises AD DS, the changes will be overwritten by on-premises attributes and settings the first time that synchronization occurs after directory synchronization is re-enabled.

Still need help? Go to the Office 365 Community website or the Windows Azure Active Directory Forums website.

Properties

Article ID: 2619062 - Last Review: November 1, 2013 - Revision: 26.0
Applies to
  • Windows Azure
  • Microsoft Office 365
  • Microsoft Office 365 for enterprises (pre-upgrade)
  • Microsoft Office 365 for education  (pre-upgrade)
  • CRM Online via Office 365 E Plans
  • Windows Azure Recovery Services