You can't manage or remove objects that were synchronized through the Azure Active Directory Sync tool

Applies to: Cloud Services (Web roles/Worker roles)Azure Active DirectoryMicrosoft Intune More

PROBLEM

Consider the following scenario. You want to manually manage or remove objects that were created through directory synchronization from Azure Active Directory (Azure AD). For example, you want to remove an orphaned user account that was synced to Azure AD from your on-premises Active Directory Domain Services (AD DS). However, you can't remove the orphaned user account by using the Microsoft cloud service portal in Office 365, Azure, or Microsoft Intune or by using Windows PowerShell.

CAUSE

This issue may occur if one or more of the following conditions are true:
  • Cause 1: The on-premises AD DS is no longer available. Therefore, you can't manage or delete the object from the on-premises environment.
  • Cause 2: You deleted an object from the on-premises AD DS. However, the object wasn't deleted from your cloud service organization. This is unexpected behavior.

SOLUTION

For Cause 1: You want to manage objects in Office 365, Azure, or Intune and you no longer want to use directory synchronization. 
  1. Install the Azure Active Directory Module for Windows PowerShell. For more info, go to the following Microsoft website: 
    Manage Azure AD using Windows PowerShell
  2. Connect to Azure AD by using Windows PowerShell. For more info about how to do this, go to the following Microsoft website:
    Connect to Azure AD
  3. Disable directory synchronization. To do this, type the following cmdlet, and then press Enter: 
    Set-MsolDirSyncEnabled –EnableDirSync $false
  4. Check that directory synchronization was fully disabled by using the Windows PowerShell. To do this, run the following cmdlet periodically: 
    (Get-MSOLCompanyInformation).DirectorySynchronizationEnabled
    This cmdlet will return True or False. Continue to run this cmdlet periodically until it returns False, and then go to the next step.

    Note It may take 72 hours for deactivation to be completed. The time depends on the number of objects that are in your cloud service subscription account.
  5. Try to update an object by using Windows PowerShell or by using the cloud service portal.
Note
  • Step 4 may take a while to be completed. There is a process in the cloud service environment that computes attribute values. The process must be completed before the objects can be changed by using Windows PowerShell or by using the cloud service portal.
For Cause 2: You delete an object from an on-premises AD DS. However, the object isn't deleted from your cloud service subscription account.

Force directory synchronization by using the steps on the following Microsoft website:
Synchronize your directories
  • If some updates and deletions are propagated, but some deletions aren't synchronized to the cloud service, perform typical directory synchronization troubleshooting procedures.
  • If all updates and deletions aren't synchronized to the cloud service, contact Support.
Note As an alternative resolution for this scenario, an object can be manually deleted in the cloud service. However, the object can't be updated in the cloud service. For more information about how to resolve this issue, see the following Microsoft Knowledge Base article:
2709902  Object deletions aren't synchronized to Azure AD when using the Azure Active Directory Sync tool

MORE INFORMATION

To re-enable directory synchronization, run the following cmdlet:
Set-MsolDirSyncEnabled -EnableDirSync $true
Warning It's important to plan carefully when you re-enable directory synchronization. If you used the cloud service portal or Windows PowerShell to make any changes directly to the objects that were originally synchronized from on-premises AD DS, the changes will be overwritten by on-premises attributes and settings the first time that synchronization occurs after directory synchronization is re-enabled.

Still need help? Go to Microsoft Community or the Azure Active Directory Forums website.