HOWTO: Properly set and manage Azure AD Connect’s Export Deletion Threshold

Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we start looking at Azure AD Connect in-depth.

Why look at the Export Deletion Threshold

Azure AD Connect is responsible for synchronizing objects and their attributes. It uses rules to act in a certain way, based on certain input to guarantee certain output. In some cases, the straightforwardness of the rules may result in unwanted scenarios, such as deletion of all objects from Azure AD.

To circumvent this last situation, Microsoft has built in a deletion threshold into Azure AD Connect. When the threshold is reached while running an Export operation (writing to a connected directory), Azure AD Connect stops synchronizing to prevent further harm.

Now, there is a sweet spot to Azure AD Connect’s export deletion threshold:

  • You don’t want to set the deletion threshold too low. Organizations rely on Azure AD Connect for their Identity and Access Management (IAM) processes. When synchronization stops, the process stops. Onboarding, offboarding, group membership changes; they all stop. You might hit the threshold often, when it is set too low.
  • You don’t want to set the deletion threshold too high, either. If something does go wrong, you don’t want to lose most of the objects before finding out.

By default, Azure AD Connect’s Export Deletion Threshold is set at 500 objects.

Getting ready

To change the Export Deletion Threshold, you’ll need to have local privileges on each Windows Server running Azure AD Connect. You’ll need to be a member of the local ADSyncAdmins group, or a member of the custom local group you may have selected as the Azure AD Connect Administrators group during the installation of Azure AD Connect:

Azure Active Directory Connect Wizard - Specify custom sync groups during installation

On the Azure AD side of things, you’ll need an account that has the Global administrator role assigned.

Additionally, make sure the Windows PowerShell Module for Active Directory is installed on each of the Azure AD Connect installations, to be able to run the scripts below.

Properly managing the Export Deletion Threshold

I feel there are three aspects to properly managing Azure AD Connect’s Export Deletion Threshold:

Set the threshold at 10% of your objects

A 500 object threshold does not make much sense in an organization with 50 people. The same threshold also doesn’t make sense in an organization with 900,000 people.

As a rule of thumb, I configure Azure AD Connect’s Export Deletion Threshold at 10% of the median number of objects in Active Directory that are in scope for synchronization.

With default rules, Azure AD Connect synchronizes user objects, inetOrgPerson objects, contacts, groups and devices. User objects are the main concern for most organizations, but losing groups and devices might also hurt processes. Taking the number of objects of each of the three main object types (users, groups and devices) into consideration, we commonly observe that organizations have more groups than users (although a lot of groups will be empty) and more users than devices. This means 10% of your person objects in the metaverse (user objects and/or inetOrgPerson objects) is a safe value, but your needs may vary.

The below script provides information on the number of users, groups and devices within scope of your Azure AD Connect installation:

# Name of the on-premises Active Directory connector; replace domain.tld with yours
$c = Get-ADSyncConnectorName domain.tld
# Organizational units within scope (the OU filtering inclusion list)
$ous = ($c).Partitions.ConnectorPartitionScope.ContainerInclusionList

$ADUsers = @()
$ADGroups = @()
$ADComputers = @()

# Collect the users, groups and computers of each in-scope OU (sub-OUs included)
ForEach ($ou in $ous) {
    $ADUsers     += (Get-ADUser     -SearchBase $ou -Filter *)
    $ADGroups    += (Get-ADGroup    -SearchBase $ou -Filter *)
    $ADComputers += (Get-ADComputer -SearchBase $ou -Filter *)
}

Write-Host
Write-Host "Total number of users is" $ADUsers.count
Write-Host "Total number of groups is" $ADGroups.count
Write-Host "Total number of devices is" $ADComputers.count
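The following script is an added example and not part of the original post. It turns the 10% rule of thumb into a number: it counts the person objects (users and inetOrgPersons, but not computers, which also derive from the user class) in the in-scope OUs, de-duplicates nested OUs, derives the 10% value and compares it with what the tenant currently has configured. It assumes the ADSync and ActiveDirectory modules are available, that domain.tld is the name of your Active Directory connector, and that Get-ADSyncExportDeletionThreshold returns an object with DeletionThresholdEnabled and DeletionThreshold properties; Get-InScopePersonCount and Get-RecommendedDeletionThreshold are names chosen here.

```powershell
# Added example (not code from the original post).
# Assumptions: ADSync and ActiveDirectory modules are available, 'domain.tld' is
# the name of the on-premises AD connector, and Get-ADSyncExportDeletionThreshold
# returns an object with DeletionThresholdEnabled and DeletionThreshold.
Import-Module ADSync
Import-Module ActiveDirectory

function Get-InScopePersonCount {
    param([Parameter(Mandatory)][string]$ConnectorName)

    $connector = Get-ADSyncConnector -Name $ConnectorName
    $ous = @($connector.Partitions.ConnectorPartitionScope.ContainerInclusionList)

    # No OU filtering configured means the whole domain is in scope.
    if ($ous.Count -eq 0) {
        Write-Warning "No OU inclusion list found; counting the whole domain."
        $ous = @((Get-ADDomain).DistinguishedName)
    }

    # objectCategory=person excludes computer objects, which are also
    # derived from the 'user' class in the Active Directory schema.
    $filter = '(&(objectCategory=person)(objectClass=user))'
    $dns = foreach ($ou in $ous) {
        Get-ADObject -SearchBase $ou -LDAPFilter $filter |
            Select-Object -ExpandProperty DistinguishedName
    }

    # An inclusion list may contain an OU nested under another included OU;
    # de-duplicate so those objects are not counted twice.
    ($dns | Sort-Object -Unique | Measure-Object).Count
}

function Get-RecommendedDeletionThreshold {
    param([Parameter(Mandatory)][int]$PersonCount, [double]$Fraction = 0.10)
    # Never return 0: a threshold of 0 would stop every export that carries a delete.
    [Math]::Max(1, [int][Math]::Ceiling($PersonCount * $Fraction))
}

$connectorName = 'domain.tld'   # assumption: replace with your AD connector name
$personCount   = Get-InScopePersonCount -ConnectorName $connectorName
$recommended   = Get-RecommendedDeletionThreshold -PersonCount $personCount

# Prompts for the credentials of an account with the Global Administrator role.
$current = Get-ADSyncExportDeletionThreshold

Write-Host "In-scope person objects : $personCount"
Write-Host "Recommended threshold   : $recommended (10%)"
if (-not $current.DeletionThresholdEnabled) {
    Write-Warning "The Export Deletion Threshold is currently disabled."
} else {
    Write-Host "Configured threshold    : $($current.DeletionThreshold)"
}
if ($current.DeletionThreshold -ne $recommended) {
    Write-Host "To apply the recommendation, run:"
    Write-Host "  Enable-ADSyncExportDeletionThreshold -DeletionThreshold $recommended"
}
```

The script only prints the Enable-ADSyncExportDeletionThreshold command rather than running it, so the new value is applied deliberately after you have looked at the counts; run it again after large onboarding or offboarding waves, because the 10% value drifts with the directory.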

Set it once for all your Azure AD Connect installations

When you have Staging Mode Azure AD Connect installations, you only need to configure the Export Deletion Threshold on one of your Azure AD Connect installations.

The Export Deletion Threshold is a per-Azure AD tenant setting. This is good news, as a Staging Mode Azure AD Connect installation gains the information automatically. It doesn’t perform exports today, but it could, one day, when it’s no longer in Staging Mode, but actively synchronizing.

Monitor threshold-related incidents

While it would seem advantageous to disable the Export Deletion Threshold in the actively synchronizing Azure AD Connect when making big changes, this defeats the purpose of the feature.

Include a step in your Azure AD Connect upgrade and management procedures to perform a synchronization cycle. The documentation on Azure AD Connect conveys when a Full Synchronization cycle needs to happen and when the normal delta synchronization cycles suffice.

Monitor for threshold-related incidents, in any of the below four ways:

1. Event log

Azure AD Connect writes to the event log on Windows Servers on which it is installed. You will see, in chronological order:

  • A warning event with Event-ID 116 and source Directory Synchronization in the Application event log, showing you the current Export Deletion Threshold in relation to the number of object deletions it is trying to export:

EventID 116 with source Directory Synchronization

  • An error event with Event-ID 906 and source Directory Synchronization in the Application event log with specific error code 95:

EventID 906 with source Directory Synchronization

  • An error event with Event-ID 6950 and source ADSync in the Application event log, reiterating that the number of deletes exceeds the deletion threshold count with error code 0x80231366 in several code blocks and files within Azure AD Connect:

EventID 6950 with source ADSync

2. Error in Azure AD Connect Synchronization Service

An Export run profile shows the stopped-deletion-threshold-exceeded status in Azure AD Connect’s Synchronization Service Manager interface.

3. Azure AD Connect Health

For organizations with Azure AD Premium licenses, Azure AD Connect Health shows a warning on the Alerts blade for Azure Active Directory Connect Servers in the Azure Portal:

Export to Azure Active Directory failed.

Issue
The export operation to Azure Active Directory Connector has failed. As a result, some objects may not be exported successfully to Azure Active Directory.
Fix
Please investigate the event log errors of export operation for further details.

4. Email

Eventually, an alert e-mail is sent to the technical contact for the Azure AD tenant, titled Servername: Export to Azure Active Directory failed – You have an important alert from Azure Active Directory, sent from azure-noreply@microsoft.com:

Example alert mail message when you exceed Azure AD Connect's Export Deletion Threshold
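Of the four signals above, the event log is the only one available on every Azure AD Connect server without a Premium license or a mail round-trip, so it is the one to automate. The script below is an added example, not part of the original post: it queries the Application log for the three events the post lists (116 and 906 from Directory Synchronization, 6950 from ADSync) and returns them in chronological order. It assumes it runs on the Azure AD Connect server itself, or against one you can reach with Get-WinEvent -ComputerName; Get-DeletionThresholdEvents is a name chosen here.

```powershell
# Added example (not code from the original post): find Export Deletion
# Threshold events in the Application log. Assumption: run on the Azure AD
# Connect server, or pass -ComputerName for a server reachable over WinRM/RPC.
function Get-DeletionThresholdEvents {
    param(
        [int]$Hours = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Directory Synchronization', 'ADSync'
        Id           = 116, 906, 6950
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent reports an error when nothing matches; treat that as "no events".
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter `
                           -ErrorAction SilentlyContinue
    $events |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName, LevelDisplayName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

$hits = @(Get-DeletionThresholdEvents -Hours 24)
if ($hits.Count -eq 0) {
    Write-Host "No Export Deletion Threshold events in the last 24 hours."
} else {
    $hits | Format-Table -AutoSize
    # Event 906 (error code 95) is the point where the export actually stopped.
    if ($hits.Id -contains 906) {
        Write-Warning "Export stopped: deletion threshold exceeded. Find out why before raising or disabling the threshold."
    }
}
```

Because the function returns objects rather than text, the same call can feed a scheduled task that mails the result, or a log forwarder that ships these three event IDs to your SIEM; alerting on event 116 alone gives you the earlier warning, before the export is stopped by 906.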

How to view the Threshold Configuration

To view the Export Deletion Threshold configuration on an Azure AD Connect installation, run the following line of Windows PowerShell on an elevated prompt:

Get-ADSyncExportDeletionThreshold

How to disable the Export Deletion Threshold

To disable the Export Deletion Threshold on an Azure AD Connect installation, run the following line of Windows PowerShell on an elevated prompt:

Disable-ADSyncExportDeletionThreshold

Provide the credentials of an Azure AD account with the Global Administrator role assigned to complete the command.

How to enable and set the Deletion Threshold

To set the number of objects for the Export Deletion Threshold on an Azure AD Connect installation, run the following line of Windows PowerShell on an elevated prompt:

Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500

Provide the credentials of an Azure AD account with the Global Administrator role assigned to complete the command.

How to overcome hitting the Deletion Threshold

Your changes are desired

When you’re notified of, or run into, the Export Deletion Threshold being hit, and the deletes are desired, perform the three actions above as part of the steps below:

  • Sign in to the actively synchronizing Azure AD Connect installation.
  • Open an elevated Windows PowerShell window.
  • View the Export Deletion Threshold value.
  • Disable the Export Deletion Threshold, or configure the Export Deletion Threshold to a value that is higher than the number of deletions to be exported.
  • Perform a synchronization cycle using the following line of Windows PowerShell:

Start-ADSyncSyncCycle

  • Enable and set the Export Deletion Threshold when you’ve disabled the Export Deletion Threshold previously, or set it back to the number it was configured to, when you’ve reconfigured it to a higher number in the previous steps.
  • Close the Windows PowerShell window.
  • Sign out.

Set the Export Deletion Threshold to the same value as set previously, or use the information on the situation as a lesson-learned and increase or decrease the threshold value accordingly.

When the deletions are a result of a configuration change, perform the same configuration change on the Staging Mode Azure AD Connect installation(s), unless the configuration change is one that is stored in Azure AD.
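The steps above, as one script that is an added example and not part of the original post. It takes the second option of the fourth step (raise the threshold just above the expected number of deletes rather than disabling it, so an unexpected second wave of deletes is still caught), refuses to run on a Staging Mode server, runs the sync cycle, and restores the previous threshold in a finally block so it cannot be left raised when the cycle fails or times out. It assumes Get-ADSyncExportDeletionThreshold returns DeletionThresholdEnabled and DeletionThreshold, that Get-ADSyncScheduler exposes StagingModeEnabled and SyncCycleInProgress, and that each threshold cmdlet prompts for Global Administrator credentials as the post describes; Invoke-ExportWithRaisedThreshold is a name chosen here.

```powershell
# Added example (not code from the original post): temporarily raise, sync, restore.
# Assumptions: Get-ADSyncExportDeletionThreshold returns DeletionThresholdEnabled and
# DeletionThreshold; Get-ADSyncScheduler exposes StagingModeEnabled and
# SyncCycleInProgress; Enable-ADSyncExportDeletionThreshold prompts for credentials.
Import-Module ADSync

function Invoke-ExportWithRaisedThreshold {
    param(
        [Parameter(Mandatory)][int]$ExpectedDeletions,
        [ValidateSet('Delta', 'Initial')][string]$PolicyType = 'Delta',
        [int]$TimeoutMinutes = 60
    )

    $scheduler = Get-ADSyncScheduler
    if ($scheduler.StagingModeEnabled) {
        throw "This server is in Staging Mode; run this on the actively synchronizing installation."
    }
    if ($scheduler.SyncCycleInProgress) {
        throw "A synchronization cycle is already running; wait for it to finish."
    }

    $before   = Get-ADSyncExportDeletionThreshold
    $previous = if ($before.DeletionThresholdEnabled) { [int]$before.DeletionThreshold } else { $null }

    # Raise to just above the expected deletes instead of disabling the feature,
    # so a larger-than-expected wave of deletes still stops the export.
    $temporary = $ExpectedDeletions + 1
    Write-Host "Previous threshold: $previous  Temporary threshold: $temporary"

    try {
        Enable-ADSyncExportDeletionThreshold -DeletionThreshold $temporary
        Start-ADSyncSyncCycle -PolicyType $PolicyType

        $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
        Start-Sleep -Seconds 15   # give the scheduler a moment to pick the cycle up
        while ((Get-ADSyncScheduler).SyncCycleInProgress) {
            if ((Get-Date) -gt $deadline) {
                throw "Sync cycle did not finish within $TimeoutMinutes minutes."
            }
            Start-Sleep -Seconds 30
        }
    }
    finally {
        # Runs even when the cycle fails or times out, so the threshold is never left raised.
        if ($null -ne $previous) {
            Enable-ADSyncExportDeletionThreshold -DeletionThreshold $previous
            Write-Host "Threshold restored to $previous."
        } else {
            Write-Warning "The threshold was disabled before this run; it is now $temporary. Set it deliberately with Enable-ADSyncExportDeletionThreshold."
        }
    }
}

# Usage: you expect 120 deletes from an intentional OU filtering change (constructed value).
Invoke-ExportWithRaisedThreshold -ExpectedDeletions 120
```

If the threshold was disabled before the run, the script deliberately does not put it back into the disabled state; it leaves the temporary value in place and tells you to set a proper one, in line with "Don’t disable it. Tweak it." If the cycle stops again, the number of deletes was higher than expected, and events 116, 906 and 6950 tell you by how much; that is the moment to re-check the change rather than raise the number further.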

Your changes are undesired

When you’re notified of, or run into, the Export Deletion Threshold being hit, and the deletes are undesired, roll back the configuration changes, or switch the actively synchronizing Azure AD Connect installation with a Staging Mode installation that still has the previous configuration.

Concluding

Azure AD Connect’s Export Deletion Threshold is a truly cool feature that might save your behind some day.

Don’t disable it. Tweak it. For many of the blogposts to come in this series, you’ll be glad you did.

Further reading

Azure AD Connect sync: Prevent accidental deletes
