Temporarily Disable the Azure AD Connect Accidental Deletion Protection Feature with PowerShell

You’ve implemented Azure AD Connect to synchronize accounts in your on-premises Active Directory environment to Azure AD. If you took the defaults while running the setup wizard for Azure AD Connect, then everything in your Active Directory environment is synchronized. If you decided to filter the synchronization later to only specific OU’s (Organizational Units) in your Active Directory environment, you could run into a scenario where the number of deletions exceeds the default threshold of 500 objects.

If this occurs, you’ll receive an email stating the following:

The Identity synchronization service detected that the number of deletions exceeded the configured deletion threshold. A total of 1004 objects were sent for deletion in this Identity synchronization run. This met or exceeded the configured deletion threshold value of 500 objects. We need you to provide confirmation that these deletions should be processed before we will proceed. Please see Preventing Accidental Deletions for more information about the error listed in this email message.

There’s a way to see which objects are about to be deleted as shown in the support article referenced in the information contained in that email. You can run the necessary commands directly from the machine that the Azure AD Connect is installed on. Log into a server with RDP, are you kidding me? While I could simply using the Enter-PSSession cmdlet to establish a PowerShell One-To-One remoting session, I decided to use implicit remoting instead to accomplish this task.

In addition to using implicit remoting, why not use PowerShell Core 6.0 while we’re at it, although this particular version of PowerShell certainly isn’t required.

First, I’ll stored my Azure credentials that have the necessary rights to perform this task in a variable.

I’ll also store admin credentials for the on-premises server running Azure AD Connect in a variable.

I’ll use a PowerShell one-liner to both create a PSSession to my on-premises server running Azure AD Connect and import the ADSync module with Implicit remoting.

My recommendation is to always check the value of an item before making a change to it so you can always get back to where you started.

Either increase the threshold or disable the setting altogether while the mass deletion occurs. Proceed at your own risk.

Verify the setting is indeed disabled.

Once the deletions have completed, be sure to re-enable the protection otherwise it’s an accident waiting for a place to happen.

Last, but not least, verify the protection is indeed enabled.


Leave a Reply

%d bloggers like this: