By default, Azure AD Connect refuses to export more than 500 deletions to Azure AD in a single export run without an explicit confirmation; this is the export deletion threshold. In my customer's case, they deleted 1268 accounts in on-premises Active Directory and started receiving alerts from the Microsoft Online Services Team. In this article we go over the issue and the steps to resolve it. Before starting the fix, make sure you have the credentials of a privileged Azure AD account handy (a Global Administrator or Hybrid Identity Administrator; the on-premises synchronization service account is not what the cmdlets ask for), because they are required to complete this tutorial.
Note: you will be prompted for these credentials every time one of the deletion-threshold cmdlets is executed.
After the objects were deleted, the alert message received was similar to the one below.
To confirm the situation, open miisclient.exe (Synchronization Service Manager); on the connector for Azure Active Directory (the one with the "- AAD" suffix) the last export run shows the status stopped-deletion-threshold-exceeded, as depicted in the image below. No deletions have been exported at this point; they remain staged in the connector space until the threshold is raised or disabled and an export is run again.
Logged on to the server where Azure AD Connect is installed, run the Get-ADSyncExportDeletionThreshold cmdlet to list the current threshold (500 by default) and whether the feature is enabled.
To disable the feature, run Disable-ADSyncExportDeletionThreshold; you will be prompted to authenticate with an Azure AD account holding the Global Administrator or a similar role. Keep in mind that while the feature is disabled, any export, including one started by the scheduler, will push every pending deletion without a safeguard, so keep this window as short as possible (or raise the threshold to just above the expected number of deletions instead of disabling it).
After disabling the feature, we can confirm the change at any time by running the same Get-ADSyncExportDeletionThreshold cmdlet, as follows.
Now that the feature is disabled, go back to the Azure AD connector in Synchronization Service Manager, right-click it, select Run, and in the window that opens choose the Export run profile and click OK.
The process may take a while; you can follow progress by watching the Deletes counter increase under Export Statistics.
After completion, re-enable the feature by running the cmdlet below with the threshold you want in force from now on (in our case we set it to 666). The entire operation can be seen in the image below.
Enable-ADSyncExportDeletionThreshold -DeletionThreshold 666
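The whole procedure can also be driven from PowerShell on the Azure AD Connect server. The script below is an added example written for this article, not the author's own steps or Microsoft's code. It deliberately differs from the article in two ways: instead of disabling the threshold it raises it to just above the expected number of deletions, so the safeguard still catches a larger, unexpected batch; and it runs the export through a delta sync cycle (Start-ADSyncSyncCycle) rather than from miisclient, pausing the scheduler while it does so. The parameter values, the `$window` margin and the use of ADSync's DeletionThresholdEnabled and DeletionThreshold output properties are assumptions I am making; the threshold cmdlets still prompt interactively for Azure AD admin credentials, so run it in a console session.

```powershell
# Added example (not from the original article): carry out the deletion-threshold
# procedure from PowerShell on the Azure AD Connect server.
# Assumptions: the ADSync module that ships with Azure AD Connect is available,
# $ExpectedDeletes is the number of deletions you intend to export (1268 in the
# article's incident), and $RestoreThreshold is the value to leave in place afterwards.
param(
    [int]$ExpectedDeletes  = 1268,
    [int]$RestoreThreshold = 500     # product default; the article used 666
)

Import-Module ADSync

# 1. Record the current state so it can be restored exactly afterwards.
$before = Get-ADSyncExportDeletionThreshold
"Before: enabled=$($before.DeletionThresholdEnabled) threshold=$($before.DeletionThreshold)"

# 2. Raise the threshold just enough to let the pending deletes through. A small margin
#    covers objects that were deleted after the count was taken; anything well beyond
#    that is still blocked, which is the point of keeping the feature enabled.
$window = $ExpectedDeletes + 100
Enable-ADSyncExportDeletionThreshold -DeletionThreshold $window   # prompts for Azure AD admin credentials

# 3. Keep the scheduler from starting a cycle on its own while the threshold is raised,
#    then run one delta cycle (import, sync, export). The export step retries the
#    deletions that were staged when the earlier run stopped with
#    stopped-deletion-threshold-exceeded.
Set-ADSyncScheduler -SyncCycleEnabled $false
Start-ADSyncSyncCycle -PolicyType Delta

# 4. Start-ADSyncSyncCycle returns immediately; wait for the cycle to finish.
Start-Sleep -Seconds 10
while ((Get-ADSyncScheduler).SyncCycleInProgress) {
    Start-Sleep -Seconds 15
}

# 5. Put the threshold back to its normal value and hand control back to the scheduler.
Enable-ADSyncExportDeletionThreshold -DeletionThreshold $RestoreThreshold   # prompts again
Set-ADSyncScheduler -SyncCycleEnabled $true

$after = Get-ADSyncExportDeletionThreshold
"After: enabled=$($after.DeletionThresholdEnabled) threshold=$($after.DeletionThreshold)"
```

After the script finishes, open Synchronization Service Manager and check that the Export run on the AAD connector completed with the expected Deletes count; if the run shows stopped-deletion-threshold-exceeded again, more objects were pending than `$ExpectedDeletes` accounted for, and that discrepancy is worth understanding before raising the window further.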