A couple of weeks ago I deployed Azure AD Connect in production. It was a relatively smooth process. The wizard did most of the work, which was great. There were a few hiccups (blog post) along the way, which, in most cases, is expected if the problems are not so serious.
Fast forward to my second install of the latest and greatest sync service for Azure AD and Office 365 cloud identities and we have problem no. 2. This time, though, I can say that the process ran through a lot smoother. There were no real errors. Things were looking great and I was looking at my next task with some enthusiasm.
However, come 8.30ish this morning, going over the AADConnect server once more for peace of mind, I noticed that the “Export” profile task that runs as the last task in the scheduled hourly run for AADConnect synchronisation (I’ve set it to 60 min) unfortunately had a nice little error for me:
When I deployed AADConnect in this instance, the initial sync that ran from ADDS pulled in everything in the on-premises ADDS environment. It was a relatively small sync with only 11,000 objects. A lot of these, though, were server and workstation objects that didn’t need to be there, as well as the usual service accounts and admin objects that don’t need to be in Office 365 / Azure AD.
As I was in a meeting, the process ran in less than an hour and, as you would expect, Azure AD had a lot of unnecessary stuff in there. Not to worry, it’s not too difficult to change the selection and only sync certain OUs. That done, and some manual Full Import and Full Sync profile tasks run, all was sweet. So I thought...
Added in AADSync was a new feature called “prevent accidental deletions”. This feature is designed to prevent large numbers of deletions in Azure AD based on the threshold the administrator sets (500 objects by default). So when I had updated the selected OUs for sync, basically removing half of those selected, I had reduced the 11K worth of objects down to about 6.5K. That’s a lot more objects than the 500 object limit to delete. When this happens, the export task is blocked and does nothing, so the cleanup of the stale objects in Azure AD never actually happens. Not ideal.
Back in AADSync days (AADConnect is now the new supreme sync service) this threshold of 500 objects to not accidentally delete could be set via the DirSync PowerShell module. Digging around I’ve found that the AADSync PowerShell module features are a little different. The same PowerShell cmdlet is not available.
Googling my way around the interwebs for most of the morning, I’ve found some references to what needs to be amended. The solution is to disable the threshold temporarily, then enable it again after a successful Export profile task. The PowerShell to disable it is as follows:
# Import the module
Import-Module ADSync
# Disable ADSync export deletion threshold
Disable-ADSyncExportDeletionThreshold
To enable it again, enter the following PowerShell (the cmdlet expects the threshold value to restore; 500 is the product default mentioned above):
# Import the module
Import-Module ADSync
# Enable ADSync export deletion threshold, restoring the default of 500 objects
Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500
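Putting the two steps together, here is an added example script (not from the original post) that disables the threshold for a single sync cycle and uses try/finally so the safeguard is restored even if the export fails. It assumes an Azure AD Connect build with the built-in scheduler (Start-ADSyncSyncCycle, Get-ADSyncScheduler and Get-ADSyncExportDeletionThreshold, available from version 1.1 onwards); on the older Task Scheduler based builds described in the post, run the Export profile manually in place of the sync cycle call and keep the same try/finally pattern.

```powershell
# Added example, not part of the original post.
# Temporarily lift the export deletion threshold for ONE sync cycle and
# always put it back, so a failed run cannot leave Azure AD unprotected.
Import-Module ADSync

# Threshold to restore afterwards; 500 is the product default.
$Threshold = 500

try {
    # Disable the safeguard only for the duration of this run.
    # Depending on the build, this cmdlet may prompt for Azure AD credentials.
    Disable-ADSyncExportDeletionThreshold
    Write-Host "Deletion threshold disabled; starting a delta sync cycle"

    # Start one cycle (Import -> Sync -> Export for each connector).
    Start-ADSyncSyncCycle -PolicyType Delta

    # Wait until the scheduler reports the cycle has finished.
    do {
        Start-Sleep -Seconds 30
        $inProgress = (Get-ADSyncScheduler).SyncCycleInProgress
    } while ($inProgress)

    Write-Host "Sync cycle finished; check the Export step in Synchronization Service Manager"
}
finally {
    # Runs whether the cycle succeeded or threw: restore the threshold.
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold $Threshold

    # Confirm the safeguard is back on before walking away.
    Get-ADSyncExportDeletionThreshold
}
```

Run it once, from an elevated PowerShell session on the Azure AD Connect server, after you have verified the new OU selection with a Full Import and Full Sync; the final Get-ADSyncExportDeletionThreshold output should show the threshold enabled again.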
Azure AD Connect is a great tool with some really deep functionality. There’s a lot more to it than meets the eye (no, that’s not a Transformers reference... well, I don’t think so). I hope this solution has helped you on your journey to Office 365 / Azure. If there’s anything else you’d like to know, please feel free to leave a comment below.