Success stories

Our customers come in all shapes and sizes.

We work with organisations from all walks of life, with different ambitions and requirements. Explore how we’ve helped them reimagine everyday, and align technology with their culture and business goals.

Azure Active Directory error

AAD Sync Error: Deletion Threshold Reached

Solution to an Azure Active Directory sync error. Learn what to do when the you reach the deletion threshold.
View case study >
Azure Active Directory error

AAD Sync / AAD Connect – Passwords not syncing with attribute filtering

Some AAD Sync and AAD Connect customers using Attribute Filtering are experiencing an error. Learn how to set up a script to automate a full password sync to work around this behaviour.
View case study >
Azure Active Directory error

AAD Sync Error: Deletion Threshold Reached

I ran into a problem recently with a customer running AAD Connect. When we were trying to Export to the Azure Active Directory, the status of the Connector Operations showed “stopped-server-down”.

stopped-server-down

At the same time, I was called by the technical contact who said he had received a strange email from MSOnlineServicesTeam with the following message:

At Thursday, 19 November 2015 13:58:10 GMT the Identity synchronization service detected that the number of deletions exceeded the configured deletion threshold for Company Name [tanantname.onmicrosoft.com]. A total of 789 objects were sent for deletion in this Identity synchronization run. This met or exceeded the configured deletion threshold value of 500 objects.

We need you to provide confirmation that these deletions should be processed before we will proceed.

We are currently completing the rollout of AAD Connect with the customer and helping them remove any erroneous accounts from the scope in order to keep numbers on Office 365 down. Hence the large number of deletions!

Despite the long winded and unclear errors, the solution to this problem is quite simple. You can either disable the threshold completely by running the following command, and provide credentials for a global admin account for Office 365 when prompted:

Import-Module ADSync
Disable-ADSyncExportDeletionThreshold

Alternatively you could change the threshold to allow your changes using the following command:

Import-Module ADSync
Enable-ADSyncExportDeletionThreshold -DeletionThreshold $number

If you do disable your deletion threshold completely, remember to re-enable the threshold again afterwards running:

Enable-ADSyncExportDeletionThreshold

Hopefully this will save you some time when you run in to this issue in your environments!

To have a look at my other blogs on a similar topic, you can see them here;  AAD sync and connect – passwords not syncing with attribute filtering

Book a discovery call advert

Azure Active Directory error

AAD Sync / AAD Connect – Passwords not syncing with attribute filtering

After the release of AAD Sync and AAD Connect (Azure Active Directory Sync and Azure Active Directory Connect) we have noticed several customers using Attribute Filtering are experiencing an error
when bringing people into the scope of synchronisation with the appropriate attribute.Microsoft describe this here as expected behaviour.

Users are moved between filtered and unfiltered scopes

In this scenario, the user is moved to a scope that now allows the user to be synced. This could be when filtering is set up for domains, organisational units, or attributes.

To resolve this, see the ‘How to perform a full password sync’ section of the ‘More Information‘ section.

Below is steps to set up a script to automate a full password sync to work around this behaviour.

The Script

First you need to save a script that contains the code to run a full password sync. This is as follows:

$adConnector  = “addomain.com”

$aadConnector = “tenantname.onmicrosoft.com – AAD”

 

Import-Module adsync

$c = Get-ADSyncConnector -Name $adConnector

$p = New-Object Microsoft.IdentityManagement.PowerShell.ObjectModel.ConfigurationParameter “Microsoft.Synchronize.ForceFullPasswordSync”, String, ConnectorGlobal, $null, $null, $null

$p.Value = 1

$c.GlobalParameters.Remove($p.Name)

$c.GlobalParameters.Add($p)

$c = Add-ADSyncConnector -Connector $c

 

Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $false

Set-ADSyncAADPasswordSyncConfiguration -SourceConnector $adConnector -TargetConnector $aadConnector -Enable $true

Once you have this saved on your AAD Connect server you can then set up a scheduled task to run every time there is a successful directory synchronisation (Event ID 114).

First you need to know that this isn’t a bug, and is expected behaviour! Once you know this, the solution is an easy fix.

Hopefully with the above instructions you can save your service desk time troubleshooting password issues in your organisation!

If you’have any other Active Directory problems, have a look here – Error installing Exchange – this user account isn’t a member of the schema admins or enterprise admins group 

Book a discovery call advert

Cloud Business Logo - white
Microsoft Gold Partner Logo - Cloud Business

Cloud Business Limited
8 North Street
Guildford
GU1 4AF

Microsoft Gold Partner Logo - Cloud Business

2021 © Cloud Business Limited
Registered Company in England and Wales 06798438