Azure AD Connect

Question

Hi, I'm new to Azure/Entra ID. I've inherited a domain that was syncing on-prem AD to Azure/Entra in it's entirety. I've since cleaned up the local AD and narrowed the sync scope, but users who are no longer in the Azure AD Connect sync scope are not being deleted/removed from Entra. I've seen conflicting info online... can the sync remove users no longer in scope in Entra? Or is it a manual process?

Any insight would be appreciated!

Answer 1

Generally speaking, removing a user from the sync scope should result in deleting his account in Entra. There are however some scenarios where this will not happen or a full sync might be required. The best thing to do here is check the Metaverse/Connector spaces for a given user, example steps are detailed here: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/tshoot-connect-object-not-syncing#connector-space-object-properties

A somewhat streamlined experience for the same steps is available via the Troubleshoot task: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/tshoot-connect-objectsync

In any case, you can remove users directly from Entra, if needed.

Answer 2

I flushed our sync configuration, reinstalled azure connect on a new machine with a new config, then synced the entire domain. Once the entire domain was re-synced, I then narrowed the synchronization scope again which removed the users properly. No idea why they weren't being removed with the previous configuration...