Azure AD Connect Accidental Deletion Protection
Most hybrid cloud environments start with an on-premises Active Directory, so the first server installed for the cloud side is usually the Azure AD Connect server, which synchronizes the accounts in your on-premises Active Directory to Azure AD.
By default, the Azure AD Connect server synchronizes all objects from your local Active Directory to Azure AD. In some situations you may need to synchronize only specific OUs from your Active Directory to Azure AD.
If you have many objects in other OUs and filter those objects out, you can run into a scenario where the number of resulting deletions exceeds the default threshold of 500 objects.
If you filter out more than 500 objects, you will receive an email notification and the synchronization stops at this point. The email states: "The Identity synchronization service detected that the number of deletions exceeded the configured deletion threshold."
The email references a support article that shows how to see which objects are about to be deleted; you can run the commands it describes directly on the machine on which Azure AD Connect is installed.
How to Disable Accidental Deletion
To check the current settings and to change the default settings, follow these actions:
Check default settings – Connect to Azure AD (and optionally to the local environment) via PowerShell with the following commands:
$AzureCred = Get-Credential          # Azure AD credentials, used by the cmdlets below
$Cred = Get-Credential               # optional: on-premises Active Directory credentials
Check Current Settings – Run the following command to check default settings:
Get-ADSyncExportDeletionThreshold -AADCredential $AzureCred
- DeletionPrevention – enabled by default; when enabled, it prevents the deletion of more objects than the threshold allows (500 by default).
- ThresholdCount – the limit value: the maximum number of objects that may be deleted before synchronization is stopped.
Change Default Settings – To change the default value to a higher limit, run the following command:
Enable-ADSyncExportDeletionThreshold -AADCredential $AzureCred -DeletionThreshold 1000
To disable the protection entirely, run the following command:
Disable-ADSyncExportDeletionThreshold -AADCredential $AzureCred
To enable the protection again with the default limit, run the following command:
Enable-ADSyncExportDeletionThreshold -AADCredential $AzureCred -DeletionThreshold 500
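As an added example (not code from the original post or from Microsoft), the following script wraps the steps above into one controlled change: it records the current settings, raises the threshold only as far as a planned OU-filtering run needs instead of disabling the check, waits for the sync cycle to finish, and then restores the default of 500 even if the sync fails. It assumes it runs in an elevated PowerShell session on the Azure AD Connect server with the ADSync module available; Start-ADSyncSyncCycle and Get-ADSyncScheduler are standard ADSync cmdlets that the post itself does not mention, and the ExpectedDeletions parameter is the number of pending deletions you determined with the support article's check.

```powershell
# Added example, not from the original post: raise the deletion threshold for one
# planned OU-filtering run, let the sync cycle export, then restore the default.
# Assumptions: elevated session on the Azure AD Connect server, ADSync module present.
param(
    [Parameter(Mandatory = $true)]
    [int]$ExpectedDeletions,        # deletions you expect the OU filter to produce (from your own check)
    [int]$DefaultThreshold = 500,   # value restored afterwards (the product default)
    [int]$SafetyMargin = 50         # headroom above the expected count; keep it small
)

Import-Module ADSync -ErrorAction Stop
$AzureCred = Get-Credential -Message 'Azure AD administrator credentials'

# 1. Record the current protection settings so they can be reported and restored.
$before = Get-ADSyncExportDeletionThreshold -AADCredential $AzureCred
Write-Host ("Before: DeletionPrevention={0} ThresholdCount={1}" -f $before.DeletionPrevention, $before.ThresholdCount)

# 2. If the planned deletions already fit under the current limit, change nothing.
if ($ExpectedDeletions -le $before.ThresholdCount) {
    Write-Host 'Expected deletions fit under the current threshold; no change made.'
    return
}

# 3. Raise the threshold just above the planned number rather than disabling the
#    check, so an unexpected mass deletion (e.g. a mis-scoped filter) is still caught.
$newThreshold = $ExpectedDeletions + $SafetyMargin
Enable-ADSyncExportDeletionThreshold -AADCredential $AzureCred -DeletionThreshold $newThreshold
Write-Host "Threshold raised to $newThreshold for this run."

try {
    # 4. Kick off a delta sync and wait until the scheduler reports it has finished;
    #    Start-ADSyncSyncCycle returns immediately, so the wait loop is required.
    Start-ADSyncSyncCycle -PolicyType Delta
    do {
        Start-Sleep -Seconds 15
    } while ((Get-ADSyncScheduler).SyncCycleInProgress)
}
finally {
    # 5. Always put the default protection back, even if the sync cycle failed.
    Enable-ADSyncExportDeletionThreshold -AADCredential $AzureCred -DeletionThreshold $DefaultThreshold
    $after = Get-ADSyncExportDeletionThreshold -AADCredential $AzureCred
    Write-Host ("After: DeletionPrevention={0} ThresholdCount={1}" -f $after.DeletionPrevention, $after.ThresholdCount)
}
```

Run it as .\Set-TemporaryDeletionThreshold.ps1 -ExpectedDeletions 800 (script name chosen here). The design point is that the threshold is raised to a number tied to the planned change and restored in a finally block, so the protection is never left disabled after the run.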
Note: this post is based in part on the Microsoft article "Azure AD Connect sync: Prevent accidental deletes".