Preventing accidentally deleted accounts from syncing via DirSync

Believe it or not, I’ve done some pretty dumb things. I’ve deleted all kinds of things that I should not have, and I’m fairly confident that I’ll do more dumb things in the future. The best I can do is know that I am going to screw things up and try to figure out ways to make sure I can recover from screw ups when they happen. It that vein, I was pretty happy to discover a new DirSync setting that helps prevent the accidental deletion of large numbers of AD accounts from Azure AD and/or Office 365.

DirSync cannot prevent you from deleting Active Directory objects, but there are features of Active Directory that are designed to prevent that issue. What DirSync can do, however, is not sync deletions when you delete more than a set number of accounts at once. The new Set-PreventAccidentalDeletes cmdlet allows you to set the maximum number of staged deletions that DirSync will sync into Azure AD. If you set your threshold to 10, then delete 11 AD accounts, DirSync will fail to sync them and it will send you an email telling you what happened.

The process to set this feature up is as follows

On your DirSync server, open PowerShell and then type Import-Module DirSync

Type Set-PreventAccidentalDeletes –Enable –ObjectDeletionThreshold <integer>

…and presto, your DirSync server will no longer sync staged deletes if there are more than then number you put in as <integer>.

If at some point down the road you do have a large number of deletes that need to be completed and sent you Azure AD, the process to reverse this change is

On your DirSync server, open PowerShell and then type Import-Module DirSync

Type Set-PreventAccidentalDeletes –Disable

…and you deletes will be removed in Azure AD after the next sync.