Windows Azure Directory – Remove no longer synced objects

In one of my last blog posts I described how to configure the initial synchronization of an Active Directory with Windows Azure Directory (https://blog.hosebei.ch/2014/01/23/azure-directory-sync-initial-configuration/). But what if you have already synced your whole domain and only made your filter configuration afterwards? Unfortunately, the accounts that are already in the Azure Directory will not be deleted. This is caused by the Forefront Identity Manager (FIM) Metaverse, but we will come to that later on.

First, if you try to delete such a synced account through the web console, you will find that you cannot:
[Screenshot: Azure Directory delete user]

So this means you have to remove the object from the FIM Metaverse. Normally, when you delete an object from Active Directory, FIM recognizes through the missing connector that the object is gone; with the standard configuration the object is then deleted from the Metaverse and, at the next scheduled sync, from Windows Azure Directory as well. In this case, however, the objects still exist in Active Directory, but I have to remove them from the Metaverse anyway. This means we have to delete the Active Directory connector from the object. You can achieve this through the GUI.
Navigate to “Metaverse Search” and click on “Add Clause”:
[Screenshot: Metaverse search]
Be sure that you choose “Displayname” as the attribute, and then configure your search; in my case, show all objects whose name starts with “svc”:
[Screenshot: Add clause]
Double-click an entry and open the “Connectors” tab:
[Screenshot: Object]
Select the line with the “Active Directory Connector” Management Agent and click on “Disconnect…”:
[Screenshot: Metaverse object properties]
In the disconnect confirmation dialog, choose “Disconnector (Default)” to remove the connector. “Explicit Disconnector” would lock the object so that it cannot become a connector again.
[Screenshot: Disconnect Object]
You can then rerun your search, and the specific account will no longer be shown. After the next sync, the object will also be removed from the Azure Directory:
[Screenshot: Azure Directory removed user]
For more information about deprovisioning I would recommend this blog post on TechNet: http://social.technet.microsoft.com/wiki/contents/articles/1270.understanding-deprovisioning-in-fim.aspx

But if you have seen my list, and I can imagine that others will have even longer lists to delete, you will want to do this with PowerShell. Well, there exist only a few FIM cmdlets, and they are not very helpful for this task: http://technet.microsoft.com/en-us/library/ff394179.aspx

So if you have to delete a huge number of objects and you don’t want to do this manually, FIM itself can’t simplify the job. But you can still delete the objects automatically the following way: we change the FIM configuration so that the deletion is driven from the Azure side, and then delete the objects in Windows Azure Directory.
First navigate to “Metaverse Designer”, select the object type you want to delete (in my case Groups), and click on “Configure Object Deletion Rule”:
[Screenshot: FIM Metaverse Object Designer]
In the “Configure Object Deletion Rule” dialog, select the checkbox beside “Windows Azure Active Directory Connector”. With this rule, FIM deletes the object from the Metaverse as soon as its connector to the Windows Azure Active Directory object disappears, which is exactly what happens when we delete the object in Azure Directory afterwards.
[Screenshot: Windows Azure Active Directory Connector]
Now we can open a PowerShell with the Windows Azure Active Directory module loaded and delete our objects. To delete a user, you use the “Remove-MsolUser” cmdlet, and for groups “Remove-MsolGroup”. In my case I can delete all groups, so I use this one-liner (the switch -Force suppresses the deletion confirmation for every single object!):
foreach($group in Get-MsolGroup){Remove-MsolGroup -ObjectId $group.ObjectId -Force}
The groups will ultimately be removed from the Azure Directory; you can verify this via the web console. When the directories get synced, you can see in the Operations console that the groups were deleted from the Metaverse as well:
[Screenshot: Deletion]
If you don’t want to delete all groups or users, you can write a more selective PowerShell script that removes only the objects you want gone from the Metaverse. Perhaps in a future version it will be easier to get some PowerShell cmdlets for FIM too.
When your work is done, don’t forget to clear the checkbox in the Object Deletion Rule again; as long as it is set, any object that disappears from Windows Azure Directory will also be deleted from the Metaverse.
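As an added example (not code from the original post), here is a more selective version of the one-liner above: it enumerates the groups or users whose display name starts with a given prefix (the “svc” search from the Metaverse Search step), prints the list as a dry run, and only deletes when -Commit is given, writing a CSV record of what was removed first. It assumes the MSOnline module is loaded and Connect-MsolService has already been run; the parameter names and the log path are my own choices.

```powershell
# Added example, not part of the original post.
# Selective deletion of Azure Directory groups or users by display-name prefix.
# Assumes: MSOnline module loaded, Connect-MsolService done, and the
# "Windows Azure Active Directory Connector" box in the FIM Object Deletion Rule
# ticked, so the Metaverse objects follow at the next sync.
param(
    [Parameter(Mandatory = $true)]
    [string]$Prefix,                      # e.g. 'svc' to match the search in the post

    [ValidateSet('Group', 'User')]
    [string]$ObjectType = 'Group',        # which cmdlet family to use

    [switch]$Commit                       # without -Commit nothing is deleted
)

# Without -All the Get-Msol* cmdlets return only the first page of results.
$all = if ($ObjectType -eq 'Group') { Get-MsolGroup -All } else { Get-MsolUser -All }

$candidates = @($all | Where-Object { $_.DisplayName -like "$Prefix*" })

if ($candidates.Count -eq 0) {
    Write-Host "No $ObjectType objects starting with '$Prefix' found."
    return
}

Write-Host ("Matched {0} {1} object(s):" -f $candidates.Count, $ObjectType)
$candidates | Select-Object DisplayName, ObjectId | Format-Table -AutoSize

if (-not $Commit) {
    Write-Host "Dry run only. Re-run with -Commit to delete the objects listed above."
    return
}

# Keep a record: once deleted, the web console will not show these objects anymore.
$log = Join-Path $env:TEMP ("msol-{0}-removal-{1:yyyyMMdd-HHmmss}.csv" -f $ObjectType, (Get-Date))
$candidates | Select-Object DisplayName, ObjectId | Export-Csv -Path $log -NoTypeInformation

foreach ($obj in $candidates) {
    try {
        # -Force suppresses the per-object confirmation prompt, as in the one-liner.
        if ($ObjectType -eq 'Group') {
            Remove-MsolGroup -ObjectId $obj.ObjectId -Force -ErrorAction Stop
        }
        else {
            Remove-MsolUser -ObjectId $obj.ObjectId -Force -ErrorAction Stop
        }
        Write-Host "Removed $($obj.DisplayName) ($($obj.ObjectId))"
    }
    catch {
        Write-Warning "Failed to remove $($obj.DisplayName): $($_.Exception.Message)"
    }
}

Write-Host "Removal list written to $log"
```

Run it once without -Commit and check the printed list against what you expect from the Metaverse Search; only then run it again with -Commit. Because the Object Deletion Rule is still active while the script runs, every object in that list will also vanish from the Metaverse at the next sync, which is why the dry run and the CSV record are worth the extra lines.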

Hope this helps!

Martin
