Delete on-prem AD user but retain Azure AD user

    Question

  • Here is the situation:

    We use Azure AD Connect for our hybrid environment.  We have a need to get rid of a lot of users on our on-prem AD environment but retain their users in the cloud.  These are remote users that rarely touch our domain controller and we'd like them to be able to manage their own passwords.  Before anyone suggests it, we don't want to implement password writeback with Azure AD Premium.

    I've been trying to accomplish this using some instructions that somebody scraped together in 2016 and they look like this:

    1. Delete the user in AD (or move them to an OU that doesn't sync to Azure AD)

    2. Refresh the schema in Azure AD Connect

    3. Force a delta sync

    4. Restore the user from the deleted users category in the 365 Admin Center

    5. Force another delta sync

    The problem is that on the step 5 delta sync, we get the error "exported-change-not-reimported" on the delta import step of the cloud connector and the user gets deleted again.

    Does anyone know how to do what I'm trying to accomplish?  I can't seem to find a way to do it and Google searching only turns up the process I just described (which doesn't work).

    Thanks,

    Adam

    Thursday, April 20, 2017 6:12 PM

Answers

  • Our domain isn't federated.  Your solution would probably work, but we found an easier way--I just forgot to update this thread.

    The problem is hard to explain, but if you know how the sync process works, you'll understand.

    We moved the user to a non-sync OU, then ran a delta sync (import connector for local AD showed 1 delete--import connector for Azure AD showed no change).  If we restored the user at this point, we got the error on the next delta sync and the user was re-deleted.  This is because the Azure AD connector thought the user still existed in the cloud since we hadn't run another delta sync to "inform" it.

    What we had to do was run another delta sync right after the first one so that the import connector for Azure AD was "informed" of the user being deleted in the cloud.  Once we did that, we could restore the user in 365 and any further delta syncs ran without error and the user remained active in the cloud.

    I hope that makes sense.

    To make a long story short, the correct process looks like this:

    1. Move the user to a non-sync OU (or delete the user)

    2. Run TWO delta syncs in a row

    3. Restore the user from "Deleted Users" in the 365 admin center

    4. Run another delta sync and confirm the user is still active in 365

    Thanks for the assistance everyone =)

    -Adam


    • Marked as answer by Adam C Carter Tuesday, April 25, 2017 6:32 PM
    • Edited by Adam C Carter Tuesday, April 25, 2017 6:33 PM updated info
    Tuesday, April 25, 2017 6:31 PM
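    The four-step process from the accepted answer, written out as a PowerShell script to run on the Azure AD Connect server. This is an added example and not code from the thread; it assumes the ActiveDirectory, ADSync and MSOnline modules are installed, and the user, UPN and OU names are placeholders (the OU must already be excluded from the connector's sync scope).

```powershell
# Added example, not from the thread. Runs the accepted answer's steps in order on the
# Azure AD Connect server. Placeholders below must be replaced with real values.
Import-Module ActiveDirectory
Import-Module ADSync
Import-Module MSOnline

$SamAccountName = 'jdoe'                                        # placeholder on-prem account
$Upn            = 'jdoe@corp.example'                           # placeholder cloud UPN
$NonSyncOU      = 'OU=NoSync,DC=corp,DC=example'                # placeholder OU outside sync scope

function Invoke-DeltaSyncAndWait {
    # Start one delta sync cycle and block until no connector run is in progress, so the
    # second cycle (and later the restore) does not race the one still running.
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    Start-Sleep -Seconds 10
    while (Get-ADSyncConnectorRunStatus) { Start-Sleep -Seconds 5 }
}

Connect-MsolService   # prompts for an admin credential for the tenant

# Step 1: move the user out of sync scope (kept on-prem here instead of deleted).
$adUser = Get-ADUser -Identity $SamAccountName
Move-ADObject -Identity $adUser.DistinguishedName -TargetPath $NonSyncOU

# Step 2: TWO delta syncs in a row. The first exports the delete to Azure AD; the second
# imports that delete back through the Azure AD connector so it no longer believes the cloud
# object exists. Restoring between them is what produces "exported-change-not-reimported".
Invoke-DeltaSyncAndWait
Invoke-DeltaSyncAndWait

# Step 3: restore the user from the tenant's Deleted Users.
Restore-MsolUser -UserPrincipalName $Upn

# Step 4: one more delta sync, then confirm the user is still active in the tenant.
Invoke-DeltaSyncAndWait
$cloudUser = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
if ($null -eq $cloudUser) {
    Write-Warning "$Upn is not active after the final delta sync; check the connector's import step."
} else {
    Write-Output "$Upn is active in the tenant (blocked sign-in: $($cloudUser.BlockCredential))."
}
```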

All replies

  • Hi Adam,

    Have you tried to run a full synchronization?

    Saturday, April 22, 2017 8:47 AM
  • You will have to disable synchronization in your tenant and then move the on-premises users out of scope before re-enabling sync.  Otherwise, if you move them out of scope with sync enabled, they'll be treated as a delete (which is what you're experiencing).

    If your domain is federated, you may experience problems because the tenant settings will refer the users back to on-premises for authentication.  In this case, password hash sync is probably the best solution for your tenant, or move your "unsynced" users to a different, unfederated domain in your tenant.

    If you follow the link to "how to sync enabled on AD users only", that will effectively de-scope the users and you'll end up with deleted users again.  Plus, any time you disable an on-premises account, they'll get deleted in the cloud (since they'll be descoped).
    Tuesday, April 25, 2017 6:18 PM
  • Much appreciated.
    Wednesday, April 26, 2017 10:02 AM
    Moderator