Azure AD Connect Accidental Deletion Protection

Most hybrid cloud environments keep an on-premises Active Directory, so the first server installed for the cloud side is usually the Azure AD Connect server, which synchronizes the accounts in your on-premises Active Directory to Azure AD.

By default, Azure AD Connect synchronizes all objects from your local Active Directory to Azure AD. In some situations you only want to synchronize specific OUs.

If the OUs you then exclude contain many objects that were already synchronized, filtering them out turns into deletions in Azure AD, and the number of deletions can exceed the default threshold of 500 objects per export.

When that happens the export to Azure AD is stopped, the deletions stay pending, and the tenant's technical notification contact receives an email stating: "The Identity synchronization service detected that the number of deletions exceeded the configured deletion threshold." This is the accidental-deletion protection doing its job: a mass deletion, whether caused by a filter change, a mistaken OU move or a compromised account, is held back until an administrator confirms it.

The email points to a Microsoft support article that explains how to see which objects are about to be deleted. The check is done on the Azure AD Connect server itself, in Synchronization Service Manager: open Connectors, select the connector of type Azure Active Directory, choose Search Connector Space under Actions, set Scope to "Disconnected Since", pick a time in the past and run the search. The result lists the objects whose deletion is pending export; selecting an object shows additional information about it. Only continue with the steps below once you are sure that every entry in that list is an intended removal.

(Screenshot: the "Prevent accidental deletes" notification email)

(Screenshot: Search Connector Space in Synchronization Service Manager)

How to Disable Accidental Deletion

To check the current settings and to change the default, follow these steps on the Azure AD Connect server.

Prepare the PowerShell session – Open an elevated PowerShell session and store the Azure AD credentials. The account must be an Azure AD administrator (Global Administrator or Hybrid Identity Administrator). The threshold cmdlets below do not take on-premises credentials, so the second Get-Credential is optional and only useful if you also run local Active Directory commands in the same session:

$AzureCred = Get-Credential
optional: $Cred = Get-Credential

Note: Make sure that the Azure AD Connect (ADSync) module is loaded in the session. It is installed together with Azure AD Connect; if the cmdlets are not found, import it explicitly from its install folder with Import-Module .\ADSync.psd1 (the default location is C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1).

Check Current Settings – Run the following command to check the current settings:

Get-ADSyncExportDeletionThreshold -AADCredential $AzureCred

The output has two values:

  • DeletionPrevention – whether the protection is enabled; it is enabled by default (shown as 1), which blocks any export that would delete more objects than the threshold.
  • ThresholdCount – the maximum number of deletions a single export may contain (500 by default).

Change Default Settings – To raise the limit, for example to 1000 deletions, run the following command:

Enable-ADSyncExportDeletionThreshold -AADCredential $AzureCred -DeletionThreshold 1000

The pending deletions are then exported during the next sync cycle (or when you run an export manually in Synchronization Service Manager). Set the new value no higher than the number of deletions you verified in the connector space: it is a per-export ceiling, not a one-time allowance, and it stays in effect until you change it back.

To disable the protection entirely, run the following command:

Disable-ADSyncExportDeletionThreshold -AADCredential $AzureCred

Leave the protection disabled only for the one export that needs it. While it is off, nothing stops a misconfigured filter or a compromised administrator account from deleting every synchronized object in the tenant. To enable it again with the default value, run the following command:

Enable-ADSyncExportDeletionThreshold -AADCredential $AzureCred -DeletionThreshold 500

Note: These settings are described in Microsoft's documentation "Azure AD Connect sync: Prevent accidental deletes", on which this post is based.
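The steps above as one guarded script, added here as an example; it is not taken from the original post or from Microsoft's documentation. It assumes the default install path of the ADSync module and an assumed $verifiedDeletes count that you confirmed in Search Connector Space. Rather than disabling the protection, it raises the threshold only to that verified count, pauses the scheduler so no other cycle runs in the meantime, runs a single delta sync cycle to export the pending deletes, and restores the default in a finally block so the guard is never left weakened if the cycle fails or the script is interrupted.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session on the
# Azure AD Connect server. $verifiedDeletes is an assumed value: the number of pending deletes
# you confirmed in Synchronization Service Manager (Search Connector Space, scope "Disconnected Since").
Import-Module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1"

$AzureCred        = Get-Credential -Message "Azure AD administrator account"
$verifiedDeletes  = 800      # assumption: what you counted in the connector space
$defaultThreshold = 500      # Azure AD Connect default

$before = Get-ADSyncExportDeletionThreshold -AADCredential $AzureCred
Write-Host ("Before: DeletionPrevention={0} ThresholdCount={1}" -f $before.DeletionPrevention, $before.ThresholdCount)

if ($before.ThresholdCount -ge $verifiedDeletes) {
    Write-Host "Threshold already covers the verified deletes; nothing to change."
    return
}

# Pause the scheduler so no cycle starts while the guard is weakened, and wait for any
# cycle that is already running to finish.
Set-ADSyncScheduler -SyncCycleEnabled $false
while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 10 }

try {
    # Raise the ceiling only as far as the verified count instead of disabling the protection:
    # an unbounded export is exactly what this feature exists to prevent.
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold $verifiedDeletes -AADCredential $AzureCred

    # One delta cycle (import, sync, export) pushes the pending deletes; wait for it to finish.
    Start-ADSyncSyncCycle -PolicyType Delta
    Start-Sleep -Seconds 15
    while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 10 }

    # Show the connector run state so a second threshold overrun is noticed rather than
    # silently retried on the next cycle.
    Get-ADSyncConnectorRunStatus
}
finally {
    # Always fall back to the default, even if the cycle failed or the script was interrupted.
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold $defaultThreshold -AADCredential $AzureCred
    Set-ADSyncScheduler -SyncCycleEnabled $true

    $after = Get-ADSyncExportDeletionThreshold -AADCredential $AzureCred
    Write-Host ("After: DeletionPrevention={0} ThresholdCount={1}" -f $after.DeletionPrevention, $after.ThresholdCount)
}
```

Compare the "Before" and "After" lines at the end: both should show DeletionPrevention 1 and ThresholdCount 500, which confirms the protection is back in its default state after the export. If the delta cycle stops again with the same notification email, the number of pending deletes is higher than what you verified, and the right response is to go back to Search Connector Space, not to raise the number further.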
