Is anyone wondering how to remove orphaned local AD accounts that were synchronized to Azure AD using DirSync? Let’s see how we can achieve this with some simple steps and a little bit of PowerShell.
Your on-premises AD DS server is no longer functional. That means the local AD is dead.
When AD DS is no longer available you cannot remove any objects that have been synced to Azure AD, because a synced object is meant to be deleted in the local AD, not in Azure AD.
Let’s see how we rectify this issue.
When an account is orphaned you no longer see the Delete option.
- If you haven’t done already, install the Azure Active Directory Module for Windows PowerShell. You can find guidelines here.
- Open Windows Azure AD PowerShell & connect to your Azure AD tenant. If you do not know how to do that refer here.
- Remember that for step 2 you cannot use the Microsoft Account associated with your Azure subscription. You should authenticate using a global admin account for the particular Azure AD tenant. Otherwise you’ll get an error like the one below.
- Disable DirSync using the PowerShell cmdlet below. Note that it can take up to 72 hours to complete this operation, depending on the size of your directory.
Set-MsolDirSyncEnabled –EnableDirSync $false
- To verify whether DirSync has been fully disabled, run the cmdlet below. If it is disabled you should get a false value. This might take a while.
- Alternatively you can disable DirSync via the Azure Portal as well. Select the directory > select DIRECTORY INTEGRATION > select DEACTIVATED from the Directory Synchronization section.
- Now you can see that the orphaned accounts that were listed as local AD accounts are converted to Windows Azure AD accounts and the Delete option is available. Assuming you want to delete the directory, you can safely do that as well. But remember that if you have subscribed to any Microsoft Online Service such as Office 365, Azure AD Premium, Intune etc… you cannot delete the directory; currently this is a limitation in Azure AD.
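The whole procedure in one script, as an added example that is not part of the original post: it disables DirSync, waits until the tenant reports it off, records which accounts were formerly synced, and then previews their deletion. It assumes the MSOnline module is installed, that you sign in as a global admin of the tenant, and the UPN in $toDelete is a placeholder you replace after review.

```powershell
# Added example (not from the original post): disable DirSync, wait until the
# tenant reports it off, then review formerly synced accounts before deleting.
# Assumes the MSOnline module is installed and you sign in as a tenant global admin.
Import-Module MSOnline
Connect-MsolService   # prompts for the global admin credentials of the tenant

# 1. Turn off directory synchronization for the tenant (confirm the prompt).
Set-MsolDirSyncEnabled -EnableDirSync $false

# 2. Poll until the tenant reports that sync is disabled (this can take hours).
$timeout = (Get-Date).AddHours(72)
do {
    $syncEnabled = (Get-MsolCompanyInformation).DirectorySynchronizationEnabled
    if ($syncEnabled) { Start-Sleep -Seconds 900 }   # re-check every 15 minutes
} while ($syncEnabled -and (Get-Date) -lt $timeout)

if ($syncEnabled) { throw "DirSync still reports enabled after the timeout; do not proceed." }

# 3. List accounts that once came through DirSync from the dead on-premises AD.
#    LastDirSyncTime is populated only for objects that were synchronized.
$orphaned = Get-MsolUser -All | Where-Object { $null -ne $_.LastDirSyncTime }
$orphaned | Select-Object UserPrincipalName, DisplayName, LastDirSyncTime, BlockCredential |
    Export-Csv -Path .\orphaned-users.csv -NoTypeInformation   # keep a record before deleting

# 4. Delete only accounts you have reviewed. -WhatIf previews; remove it to really delete.
$toDelete = @('orphan.user@contoso.example')   # placeholder UPN, replace with reviewed ones
foreach ($upn in $toDelete) {
    $u = $orphaned | Where-Object { $_.UserPrincipalName -eq $upn }
    if ($null -eq $u) { Write-Warning "Skipping $upn: not a formerly synced account"; continue }
    Remove-MsolUser -ObjectId $u.ObjectId -WhatIf
}
```

Remove-MsolUser soft-deletes the account into the recycle bin, so a mistaken deletion can be restored within the retention window; the MSOnline module is deprecated in favour of the Microsoft Graph PowerShell SDK, so newer tenants may need the equivalent Graph cmdlets.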