Cloud Sync - Delete threshold exceeded after pilot migrating from EntraID Connect to Cloud Sync

KO 5 Reputation points
2024-03-18T09:06:39+00:00

Hi,

We recently migrated from Entra ID Connect to the later version, Cloud Sync.

For that we set up a small test environment, consisting of two test OUs, 6 test users and 6 test groups. Following the Microsoft Documentation we created sync rules on the EntraID Connect Server, making sure users, groups and contacts of the test OU are not exported anymore. At the same time, we added these test OUs to the scoping filter of Cloud Sync. So far everything works fine, user attributes are now synced with Cloud Sync and all OnPrem groups and licenses still remain for the migrated user objects.

But all of a sudden, we got a message in Cloud Sync that the accidental threshold was exceeded. 1807 objects are staged for deletion. I looked up some of the objects; these are groups and users synced with Entra ID Connect.

I don't understand why Cloud Sync is trying to delete objects that are out of its scope and synced with the other tool, Entra ID Connect. Before deleting anything I would like to fully understand what is going on here and whether this is expected behaviour or whether the deletion would mess up the whole tenant. Does someone already have experience with this and can explain this behaviour?

Thank you very much in advance!

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Givary-MSFT 35,646 Reputation points Microsoft Employee Moderator
    2024-03-18T09:17:05.2633333+00:00

    @Oltmann, Kevin Thank you for reaching out to us. We would like to review your configuration over a Teams call so that we can assist you better. However, you mentioned above that you created a sync rule to stop the export, which is not clear to me.

    If you are in the migration phase, why not use the staging mode option to stop the exports completely from the Entra Connect server?

    It seems like the accidental delete prevention feature in Entra Connect cloud sync has been triggered due to the number of objects staged for deletion exceeding the threshold. This feature is designed to prevent accidental deletions of large numbers of objects in your on-premises directory that would affect many users and groups.

    Regarding the objects that are staged for deletion, it's possible that they were inadvertently included in the scoping filter of Cloud Sync. It's also possible that they were previously synchronized with Entra ID Connect and were not properly excluded from the synchronization scope of Cloud Sync.

    To investigate further, you can check the synchronization rules and scoping filters in both Entra ID Connect and Cloud Sync to ensure that the objects in question are properly excluded from synchronization. You can also review the logs and notifications in Cloud Sync to determine which objects are staged for deletion and why.

    Before taking any action, it's recommended to thoroughly investigate the issue and understand the potential impact of deleting the objects.

    We can connect offline and discuss further on this and understand the configuration and figure out how object deletion is being triggered.
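
As an added example (not part of the original thread and not Microsoft's tooling), one way to carry out the scope check suggested in the answer is to compare the distinguished names of the objects staged for deletion against the OUs in the Cloud Sync scoping filter. The OU names, the sample objects and the `dn`/`type` field names are constructed assumptions; the real list would come from whatever export of the staged objects you have.

```python
from collections import Counter

# Assumption: OUs configured in the Cloud Sync scoping filter (constructed values).
CLOUD_SYNC_SCOPE = [
    "OU=CloudSyncTest1,DC=contoso,DC=example",
    "OU=CloudSyncTest2,DC=contoso,DC=example",
]

# Constructed sample of objects reported as staged for deletion.
# The "dn" and "type" field names are hypothetical, not a Cloud Sync log schema.
STAGED = [
    {"dn": "CN=Test User 1,OU=CloudSyncTest1,DC=contoso,DC=example", "type": "user"},
    {"dn": "CN=Sales,OU=Groups,DC=contoso,DC=example", "type": "group"},
    {"dn": "CN=Doe\\, Jane,OU=Staff,DC=contoso,DC=example", "type": "user"},
    {"dn": "cn=pilot group,ou=cloudsynctest2,dc=CONTOSO,dc=example", "type": "group"},
    {"dn": "CN=Temp,OU=Old-CloudSyncTest1,DC=contoso,DC=example", "type": "user"},
]


def split_dn(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    return [r.strip().lower() for r in rdns if r.strip()]


def in_scope(dn, scope_ous):
    """True when the object is one of the scoped OUs or sits beneath one."""
    obj = split_dn(dn)
    return any(obj[-len(ou):] == ou for ou in map(split_dn, scope_ous))


def triage(staged, scope_ous):
    """Return (in-scope DNs, out-of-scope DNs, out-of-scope counts per type)."""
    inside = [o["dn"] for o in staged if in_scope(o["dn"], scope_ous)]
    outside = [o for o in staged if not in_scope(o["dn"], scope_ous)]
    return inside, [o["dn"] for o in outside], Counter(o["type"] for o in outside)
```

Staged deletions that land in the out-of-scope list are the ones to explain before the deletion threshold is raised or the deletes are allowed through.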

