Issue
A customer reported that Azure AD Connect suddenly stopped replicating changes to Azure AD, including new user creations (i.e. newly created local AD users are not created in Azure AD).
Investigation
In the Office 365 Admin Centre, DirSync Status shows recent directory and password synchronisation.
No warnings or errors have been flagged to the Windows Application log on the Azure AD Connect server.
Synchronization Service Manager shows stopped-deletion-threshold-exceeded against an Export operation.
Looking at the Connector Space against Pending Exports, there are 964 deletes.
A user cleanup had been performed, where over 900 users had been moved to a “leavers” OU that isn’t synced to Azure AD.
Solution
In Azure AD Connect, there is a feature enabled by default to prevent accidental deletes from Azure AD. This prevents Azure AD Connect exports with more than 500 deletes.
This is clearly the issue here: the 964 pending deletes exceed the 500 threshold, so the Export operation is stopped.
The feature is designed to protect a customer from accidental Azure AD Connect configuration changes (e.g. changes to filtering where an entire OU or domain is unselected), and changes to local AD (e.g. objects are deleted accidentally, or an OU is renamed causing all objects in it to be considered out of scope), that would affect many objects.
As the deletes are intentional, the threshold needs to be temporarily disabled to allow the Export operation to complete successfully. Following that, the threshold needs to be re-enabled.
To temporarily disable this protection and allow the deletes to be processed, run the following PowerShell cmdlet:
Disable-ADSyncExportDeletionThreshold
Provide Azure AD Global Administrator credentials for the tenant when prompted.
With the threshold disabled, force a full synchronisation:
Start-ADSyncSyncCycle -PolicyType Initial
Monitor the results and wait for the full synchronisation cycle to complete. All is good here and the deletes are processed.
Now re-enable the protection threshold:
Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500
Note: -DeletionThreshold can be changed if necessary, and should be configured to fit the size of the organisation. The sync scheduler runs every 30 minutes, so this value is the number of deletes seen in each 30-minute cycle.
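The disable, sync and re-enable steps above can be wrapped so that the protection is restored even if the sync fails part-way. This is an added example, not part of the original post; the function name Invoke-ApprovedBulkDeleteExport and its PollSeconds and TimeoutMinutes parameters are hypothetical, and it assumes the ADSync module on the Azure AD Connect server and that the pending deletes have already been reviewed and are intended.

```powershell
# Added example (not from the original post). Run on the Azure AD Connect
# server in a session that can load the ADSync module.
Import-Module ADSync -ErrorAction Stop

function Invoke-ApprovedBulkDeleteExport {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [uint32]$DeletionThreshold = 500,  # value to restore afterwards
        [int]$PollSeconds = 30,            # hypothetical: polling interval
        [int]$TimeoutMinutes = 120         # hypothetical: how long to wait for the cycle
    )

    # ConfirmImpact 'High' forces an explicit yes/no before protection is removed.
    $action = 'disable the deletion threshold and run one Initial sync cycle'
    if (-not $PSCmdlet.ShouldProcess('Azure AD export', $action)) { return }

    # Do not start while a scheduled cycle is already running.
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        Start-Sleep -Seconds $PollSeconds
    }

    $started = Get-Date
    Disable-ADSyncExportDeletionThreshold   # prompts for tenant credentials
    try {
        Start-ADSyncSyncCycle -PolicyType Initial | Out-Null
        Start-Sleep -Seconds $PollSeconds   # give the cycle time to register

        $deadline = $started.AddMinutes($TimeoutMinutes)
        while ((Get-ADSyncScheduler).SyncCycleInProgress) {
            if ((Get-Date) -gt $deadline) {
                throw "Sync cycle still running after $TimeoutMinutes minutes."
            }
            Start-Sleep -Seconds $PollSeconds
        }
    }
    finally {
        # Runs whether the sync succeeded or failed, so the protection
        # is not left switched off.
        Enable-ADSyncExportDeletionThreshold -DeletionThreshold $DeletionThreshold
        $minutes = ((Get-Date) - $started).TotalMinutes
        Write-Host ("Deletion threshold re-enabled at {0}; it was off for {1:N0} minutes." -f $DeletionThreshold, $minutes)
    }
}

Invoke-ApprovedBulkDeleteExport
```

If the timeout is hit, the threshold is re-enabled while the cycle is still running, so any export that has not yet completed may stop on the threshold again rather than run unprotected.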