In one of my last blog posts I described how to configure the initial synchronization of an Active Directory service with Windows Azure Directory (https://blog.hosebei.ch/2014/01/23/azure-directory-sync-initial-configuration/). But what if you have already synced your domain and made your configuration afterwards? Yes, unfortunately, the accounts in the Azure Directory will not be deleted. This is caused by the Forefront Identity Manager (FIM) Metaverse. But we will come to this later on.
First, if you try to delete an account through the web console, you are not able to:
So this means you have to remove the object from the FIM Metaverse. Normally, when you delete an object from Active Directory, FIM recognizes through the missing connector that the object is gone, and with the standard configuration the object is deleted in the Metaverse and, when the next sync is scheduled, also in the Windows Azure Directory. But in this case the objects still exist in Active Directory, and I have to remove them from the Metaverse anyway. This means we have to delete the connector from the object. You can achieve this through the GUI.
Navigate to “Metaverse Search” and click on “Add Clause”:
Be sure that you choose Displayname as the attribute, and then configure your search; in my case, show all objects starting with svc:
Double-click an entry and open the Connectors tab:
Select the line with the “Active Directory Connector” Management Agent and click on “Disconnect…”:
In the disconnect object confirmation, choose “Disconnector (Default)” to remove the connector. An Explicit Disconnector would lock the object so that it cannot become a connector again.
You can then rerun your search, and the specific account will not be shown anymore. After a sync, the object will also be removed from the Azure Directory:
For more information about deprovisioning I would recommend this blog post on TechNet: http://social.technet.microsoft.com/wiki/contents/articles/1270.understanding-deprovisioning-in-fim.aspx
But if you have seen my list, and I can imagine that others will have longer lists to delete, you will want to do this with PowerShell. Well, there exist only a few cmdlets, and they are not very helpful: http://technet.microsoft.com/en-us/library/ff394179.aspx
So if you have to delete a huge number of objects and you don’t want to do this manually, FIM cannot simplify this for us. But you can use the following approach to delete the objects automatically: we make a change to the FIM configuration and then delete the objects in Windows Azure Directory.
First, navigate to “Metaverse Designer”, select the object type you want to delete, in my case groups, and click on “Configure Object Deletion Rule”:
In the “Configure Object Deletion Rule” dialog, select the checkbox beside “Windows Azure Active Directory Connector”. FIM will then delete the object in the Metaverse as soon as its connector to the Azure Directory object disappears, which is exactly what happens when we delete the object in Azure afterwards.
Now we can open a PowerShell with the Windows Azure Active Directory module loaded and delete our objects. To delete a user, use the “Remove-MsolUser” cmdlet, and for groups “Remove-MsolGroup”. In my case I can delete all groups, so I use this one-liner (the switch -Force suppresses the deletion confirmation!):
foreach($group in Get-MsolGroup){Remove-MsolGroup -ObjectId $group.objectID -Force}
The groups will eventually be removed from the Azure Directory; you can verify this via the web console. When the directories get synced, you can see in the Operations console that the groups were deleted from the Metaverse:
If you don’t want to delete all groups or users, you can create a more selective PowerShell script to delete the objects in the Metaverse. Perhaps in a future version it will be easier to get some PowerShell cmdlets for FIM too.
When your work is done, don’t forget to clear the checkbox in the Object Deletion Rule.
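As an added example that is not part of the original post, here is a PowerShell function that removes only the synced groups whose display name starts with a given prefix (the svc groups from the Metaverse search above), runs as a dry run first and writes an audit log of what it deleted. It assumes the Windows Azure Active Directory module (MSOnline) is loaded and Connect-MsolService has already been run; the function name and log path are my own.

```powershell
# Added example, not code from the original post. Assumes the MSOnline module
# is loaded and Connect-MsolService has already been run.
function Remove-SyncedGroupsByPrefix {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Prefix,                                  # e.g. 'svc'
        [string]$LogPath = "$env:TEMP\removed-groups.csv" # hypothetical log location
    )

    # -All avoids the default result limit; the prefix filter runs client-side.
    $candidates = Get-MsolGroup -All |
        Where-Object { $_.DisplayName -like "$Prefix*" }

    # Only groups that came from the on-premises directory have a Metaverse
    # connector. Cloud-only groups are skipped so that nothing is deleted
    # which the deletion rule in FIM was never going to clean up.
    $synced  = $candidates | Where-Object { $_.LastDirSyncTime -ne $null }
    $skipped = $candidates | Where-Object { $_.LastDirSyncTime -eq $null }

    foreach ($g in $skipped) {
        Write-Warning ("Skipping cloud-only group '{0}' ({1})" -f $g.DisplayName, $g.ObjectId)
    }

    $removed = @()
    foreach ($g in $synced) {
        $target = "{0} ({1})" -f $g.DisplayName, $g.ObjectId
        # -Force below suppresses the cmdlet's own prompt, so ShouldProcess is
        # the safety net: with -WhatIf this only reports what would be removed.
        if ($PSCmdlet.ShouldProcess($target, 'Remove-MsolGroup')) {
            Remove-MsolGroup -ObjectId $g.ObjectId -Force
            $removed += [pscustomobject]@{
                DisplayName = $g.DisplayName
                ObjectId    = $g.ObjectId
                RemovedAt   = (Get-Date).ToString('s')
            }
        }
    }

    # Keep a record of what was deleted so the change can be audited later.
    if ($removed.Count -gt 0) { $removed | Export-Csv -Path $LogPath -NoTypeInformation }
    return $removed
}

# Dry run first; run the second line only once the reported list looks right.
Remove-SyncedGroupsByPrefix -Prefix 'svc' -WhatIf
# Remove-SyncedGroupsByPrefix -Prefix 'svc' -Confirm:$false
```

The same pattern works for users with Get-MsolUser -All and Remove-MsolUser -ObjectId, filtering on UserPrincipalName or DisplayName instead.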
Hope this helps!
Martin