Removing orphaned local AD accounts from Azure AD

Is anyone wondering how to remove orphaned local AD accounts that were synchronized to Azure AD using DirSync? Let’s see how we can achieve this with some simple steps and a little bit of PowerShell.

Scenario

Your on-premises AD DS server is no longer functional. That means the local AD is dead.

Problem

When AD DS is no longer available you cannot remove any objects that have been synced to Azure AD. Normally, if you want to delete a synced object, you do that in the local AD and let DirSync propagate the deletion.

Let’s see how we rectify this issue.

When an account is orphaned you no longer see the Delete option.


  1. If you haven’t done so already, install the Azure Active Directory Module for Windows PowerShell. You can find guidelines here.
  2. Open Windows Azure AD PowerShell and connect to your Azure AD tenant. If you do not know how to do that, refer here.
  3. Remember that for step 2 you cannot use the Microsoft Account associated with your Azure subscription. You should authenticate using a global admin account for the particular Azure AD tenant. Otherwise you’ll get an error like the one below.
  4. Disable DirSync using the PowerShell cmdlet below. Note that it can take up to 72 hours to complete this operation, depending on the size of your directory.
    Set-MsolDirSyncEnabled –EnableDirSync $false
  5. To verify whether DirSync has been fully disabled, run the cmdlet below. If it is disabled you should get a False value. This might take a while.
    (Get-MSOLCompanyInformation).DirectorySynchronizationEnabled


  6. Alternatively, you can disable DirSync via the Azure Portal as well. Select the directory > select DIRECTORY INTEGRATION > select DEACTIVATED in the Directory Synchronization section.
  7. Now you can see that the orphaned accounts that were listed as local AD accounts have been converted to Windows Azure AD accounts and the Delete option is available. Assuming you want to delete the directory, you can safely do that as well. But remember that if you have subscribed to any Microsoft Online Service such as Office 365, Azure AD Premium, Intune etc., you cannot delete the directory; currently this is a limitation in Azure AD.
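The steps above gathered into one script, as an added example that is not part of the original post: it disables DirSync, polls until the tenant reports it disabled, then lists the accounts that came from the dead on-premises AD and deletes them only when `-Remove` is passed. It assumes the MSOnline module is installed; the parameter names, the polling interval and the report-only default are my own choices.

```powershell
# Added example: disable DirSync, wait for it to take effect, then review and
# remove the formerly synced (now cloud-only) accounts. Requires the MSOnline
# module and a Global Administrator of the tenant (not a Microsoft Account).
param(
    [int]$TimeoutHours = 72,      # the post says disabling can take up to 72 hours
    [int]$PollMinutes  = 15,      # assumed polling interval
    [switch]$Remove               # default is report-only; pass -Remove to delete
)

Import-Module MSOnline
Connect-MsolService            # prompts for the tenant's global admin credentials

# 1. Turn directory synchronization off (skipped if it is already off).
if ((Get-MsolCompanyInformation).DirectorySynchronizationEnabled) {
    Set-MsolDirSyncEnabled -EnableDirSync $false
}

# 2. Poll until the tenant reports DirSync disabled, or give up after the timeout.
$deadline = (Get-Date).AddHours($TimeoutHours)
while ((Get-MsolCompanyInformation).DirectorySynchronizationEnabled) {
    if ((Get-Date) -gt $deadline) {
        throw "DirSync still enabled after $TimeoutHours hours; try again later."
    }
    Write-Host "DirSync still enabled, checking again in $PollMinutes minutes..."
    Start-Sleep -Seconds ($PollMinutes * 60)
}

# 3. Accounts that were synced from on-premises AD still carry an ImmutableId
#    and a LastDirSyncTime; list them so the deletion set can be reviewed first.
$orphans = Get-MsolUser -All | Where-Object {
    $_.ImmutableId -and $_.LastDirSyncTime
}
$orphans | Select-Object UserPrincipalName, DisplayName, LastDirSyncTime |
    Format-Table -AutoSize

# 4. Delete only when explicitly asked. Remove-MsolUser prompts per account
#    unless -Force is given, which is deliberately left off here.
if ($Remove) {
    foreach ($u in $orphans) {
        Remove-MsolUser -UserPrincipalName $u.UserPrincipalName
    }
} else {
    Write-Host "Report only. Re-run with -Remove to delete the $($orphans.Count) account(s) listed above."
}
```

Review the listed accounts before re-running with `-Remove`; cloud-only accounts that were never synced have no ImmutableId and are left untouched.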