\n
![\"Azure](\"http:\/\/hosebei.wordpress.com\/wp-content\/uploads\/2014\/01\/fim_azure-directory01.png\")
<\/a><\/p>\nSo, this means, you have to remove the object from the FIM Metaverse. Normally, you delete an object from Active Directory FIM recognize that the object is missing through the missing connector, and within Standard configuration, the object will be deleted in the Metaverse and when the next sync is scheduled also in the Windows Azure Directory. But in this case, the objects are still existing in Active Directory, but I will have to removed them from the metaverse. This means, we have to delete the connector from the object. You can achieve this through the gui. But if you have seen my list, and I can imagine that others will have longer lists to delete, you want to do this with Powershell. Well, there exist only a few cmdlets, and they are not very helpful: http:\/\/technet.microsoft.com\/en-us\/library\/ff394179.aspx<\/p>\n So if you have to delete a huge amount of objects, and you don’t want to do this manually, we can’t use FIM for simplifying this. But you can then use this way to delete the object automatically, we achieve this, when we make changes to the FIM configuration and delete the object in Windows Azure Directory. Hope this helps!<\/p>\n Martin<\/p>\n","protected":false},"excerpt":{"rendered":" In one of my last blog-post I described how to configure the initial synchronization of an Active Directory Service with Windows Azure Directory (http:\/\/blog.hosebei.ch\/2014\/01\/23\/azure-directory-sync-initial-configuration\/). But what if you have already synced your Domain, and you made your configuration afterwards? Yes, unfortunately, the Accounts in the Azure Directory will not be deleted. This is caused of […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19],"tags":[],"class_list":["post-1306","post","type-post","status-publish","format-standard","hentry","category-general"],"_links":{"self":[{"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=\/wp\/v2\/posts\/1306","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1306"}],"version-history":[{"count":0,"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=\/wp\/v2\/posts\/1306\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1306"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1306"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.hosebei.ch\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1306"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nNavigate to “Metaverse Search” and click on “Add Clause”:
\n<\/a>
\nBe sure that you choose Displayname as Attribute, and then configure your search, in my case Show all objects starting with svc:
\n<\/a>
\nDouble click an entry, and open the tab connectors:
\n<\/a>
\nActivate the line with the “Active Directory Connector” Management Agent and click on “Disconnect…”:
\n<\/a>
\nIn the disconnect object accept question, choose “Disconnector (Default)” to remove the connector. Explicit Disconnector will lock the object to be a connector again.
\n<\/a>
\nYou can then rerun your search, and the specific account will not be shown anymore. And after a sync, the object will also be be removed from the azure Directory:
\n<\/a>
\nFor more Information about deprovisioning I would recommend this Blog Post on TechNet: http:\/\/social.technet.microsoft.com\/wiki\/contents\/articles\/1270.understanding-deprovisioning-in-fim.aspx<\/p>\n
\nFirst you have to navigate to “Metaverse Designer” and select the object type you want to delete, in my case Groups, and click on “Configure Object Deletion Rule”:
\n<\/a>
\nIn the “Configure Object Deletion Rule” select the Checkbox besides “Windows Azure Active Directory Connector”. FIM will delete the object in the metaverse, because the connector to the object in the Azure Directory object will be deleted, because we delete the object afterwards.
\n<\/a>
\nNow we can open a powershell with the loaded Windows Azure Active Directory module and can delete our objects. To delete a user, you have to use the “Remove-MSOLUser” cmdlet, and for Groups “Remove-MSOLGroup”. In my case, I can delete all Groups, so I use this one-liner (The Switch -Force will suppress the deletion confirmation!):
\nforeach($group in Get-MsolGroup){Remove-MsolGroup -ObjectId $group.objectID -Force}<\/code>
\nThe Groups will ultimately removed from the Azure Directory, you can recognize this via the webconsole. When the directories get synced, you can find in the oprations console, that the Groups were deleted from the metaverse:
\n<\/a>
\nIf you don’t want to delete all Groups or users, then you can create a more effective powershell script to delete the object in the metaverse. Perhaps in a future Version, it will be easier to get some poweshell cmdlets for FIM too.
\nWhen your work is done, don’t forget to remove the Checkbox in the Object Deletion Rule.<\/p>\n