Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.
In this part of the series, we start looking at Azure AD Connect in-depth.
Why look at the Export Deletion Threshold
Azure AD Connect is responsible for synchronizing objects and their attributes. It uses rules to act in a certain way, based on certain input to guarantee certain output. In some cases, the straightforwardness of the rules may result in unwanted scenarios, such as deletion of all objects from Azure AD.
To circumvent this last situation, Microsoft has built a deletion threshold into Azure AD Connect. When the threshold is reached while running an Export operation (writing to a connected directory), Azure AD Connect stops synchronizing to prevent further harm.
Now, there is a sweet spot to Azure AD Connect’s export deletion threshold:
- You don’t want to set the deletion threshold too low. Organizations rely on Azure AD Connect for their Identity and Access Management (IAM) processes. When synchronization stops, the process stops: onboarding, offboarding and group membership changes all stop. When the threshold is set too low, you might hit it often.
- You don’t want to set the deletion threshold too high, either. If something does go wrong, you don’t want to lose most of the objects before finding out.
By default, Azure AD Connect’s object deletion threshold is set at 500 objects.
Getting ready
To change the Export Deletion Threshold, you’ll need to have local privileges on each Windows Server running Azure AD Connect. You’ll need to be a member of the local ADSyncAdmins group, or a member of the custom local group you may have selected as the Azure AD Connect Administrators group during the installation of Azure AD Connect.
On the Azure AD side of things, you’ll need an account that has the Global administrator role assigned.
Additionally, make sure the Windows PowerShell Module for Active Directory is installed on each of the Azure AD Connect installations, to be able to run the below scripts.
Properly managing the Export Deletion Threshold
I feel there are three aspects to properly managing Azure AD Connect’s Export Deletion Threshold:
Set the threshold at 10% of your objects
A 500 object threshold does not make much sense in an organization with 50 people. The same threshold also doesn’t make sense in an organization with 900,000 people.
As a rule of thumb, I configure Azure AD Connect’s Export Deletion Threshold at 10% of the median number of objects in Active Directory.
With default rules, Azure AD Connect synchronizes user objects, inetOrgPerson objects, contacts, groups and devices. User objects are the main concern for most organizations, but losing groups and devices might also hurt processes. Taking the number of objects in each of the three main object types (users, groups and devices) into consideration, we commonly observe that organizations have more groups than users (although a lot of groups will be empty) and more users than devices. This means 10% of your person objects in the metaverse (user objects and/or inetOrgPerson objects) is a safe value, but your needs may vary.
The below script provides information on the number of users, groups and devices within scope of your Azure AD Connect installation:
Import-Module ActiveDirectory
Import-Module ADSync

# Read the OUs in scope from the Active Directory connector (replace domain.tld with your connector name)
$c = Get-ADSyncConnector -Name domain.tld
$ous = ($c).Partitions.ConnectorPartitionScope.ContainerInclusionList
$ADUsers = @()
$ADGroups = @()
$ADComputers = @()
# Count the users, groups and computers under each in-scope OU
# (an OU nested inside another in-scope OU would be counted twice)
ForEach ($ou in $ous){
    $ADUsers += (Get-ADUser -SearchBase $ou -Filter *)
    $ADGroups += (Get-ADGroup -SearchBase $ou -Filter *)
    $ADComputers += (Get-ADComputer -SearchBase $ou -Filter *)
}
Write-Host
Write-Host "Total number of users is" $ADUsers.count
Write-Host "Total number of groups is" $ADGroups.count
Write-Host "Total number of devices is" $ADComputers.count
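As an added example (not code from the original post), the script below builds on the counting logic above: it counts the person objects (user and inetOrgPerson) in the connector's inclusion list, derives the 10% rule-of-thumb value and compares it with the threshold currently configured in the tenant. It assumes a connector named domain.tld (placeholder) and that Get-ADSyncExportDeletionThreshold returns DeletionThresholdEnabled and DeletionThreshold properties; set $apply to $true to actually write the recommended value.

```powershell
# Added example: size the Export Deletion Threshold from the person objects in scope.
Import-Module ActiveDirectory
Import-Module ADSync

$connectorName = 'domain.tld'   # placeholder: the name of your AD connector
$apply = $false                 # $true writes the recommended value to the tenant

$c   = Get-ADSyncConnector -Name $connectorName
$ous = $c.Partitions.ConnectorPartitionScope.ContainerInclusionList

# Count user and inetOrgPerson objects in one LDAP query per in-scope OU.
# objectCategory=person excludes computer objects (which are also objectClass=user).
$persons = 0
foreach ($ou in $ous) {
    $persons += @(Get-ADObject -SearchBase $ou -SearchScope Subtree `
        -LDAPFilter '(&(objectCategory=person)(|(objectClass=user)(objectClass=inetOrgPerson)))').Count
}

# 10% rule of thumb, never below 1 so the guard stays meaningful in tiny directories.
$recommended = [int][math]::Max(1, [math]::Floor($persons * 0.10))

# Assumption: the cmdlet exposes DeletionThresholdEnabled and DeletionThreshold.
$current = Get-ADSyncExportDeletionThreshold

"Person objects in scope : $persons"
"Recommended threshold   : $recommended (10% rule of thumb)"
"Configured threshold    : $($current.DeletionThreshold) (enabled: $($current.DeletionThresholdEnabled))"

if (-not $current.DeletionThresholdEnabled) {
    Write-Warning 'The Export Deletion Threshold is disabled; re-enable it.'
}
elseif ($current.DeletionThreshold -ne $recommended) {
    Write-Warning "Configured threshold differs from the 10% rule of thumb ($recommended)."
}

if ($apply -and ($current.DeletionThreshold -ne $recommended -or -not $current.DeletionThresholdEnabled)) {
    # Prompts for the credentials of a Global Administrator account.
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold $recommended
    "Threshold set to $recommended."
}
```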
Set it once for all your Azure AD Connect installations
When you have Staging Mode Azure AD Connect installations, you only need to configure the Export Deletion Threshold on one of your Azure AD Connect installations.
The Export Deletion Threshold is a per-Azure AD tenant setting. This is good news, as a Staging Mode Azure AD Connect installation gains the information automatically. It doesn’t perform exports today, but it could, one day, when it’s no longer in Staging Mode, but actively synchronizing.
Monitor threshold-related incidents
While it would seem advantageous to disable the Export Deletion Threshold in the actively synchronizing Azure AD Connect when making big changes, this defeats the purpose of the feature.
Include a step in your Azure AD Connect upgrade and management procedures to perform a synchronization cycle. The documentation on Azure AD Connect conveys when a Full Synchronization cycle needs to happen and when the normal delta synchronization cycles suffice.
Monitor for threshold-related incidents, in any of the below four ways:
1. Event log
Azure AD Connect writes to the event log on Windows Servers on which it is installed. You will see, in chronological order:
- A warning event with Event-ID 116 and source Directory Synchronization in the Application event log, showing you the current Export Deletion Threshold in relation to the number of object deletions it is trying to export.
- An error event with Event-ID 906 and source Directory Synchronization in the Application event log with specific error code 95.
- An error event with Event-ID 6950 and source ADSync in the Application event log, reiterating that the number of deletes exceeds the deletion threshold count with error code 0x80231366 in several code blocks and files within Azure AD Connect.
2. Error in Azure AD Connect Synchronization Service
An export profile would show the stopped-deletion-threshold-exceeded status in Azure AD Connect’s Synchronization Service Manager interface.
3. Azure AD Connect Health
For organizations with Azure AD Premium licenses, Azure AD Connect Health shows a warning on the Alerts blade for Azure Active Directory Connect Servers in the Azure Portal:
Export to Azure Active Directory failed.
Issue
The export operation to Azure Active Directory Connector has failed. As a result, some objects may not be exported successfully to Azure Active Directory.
Fix
Please investigate the event log errors of export operation for further details.
4. Email
Eventually, an alert e-mail is sent to the technical contact for the Azure AD tenant, titled Servername: Export to Azure Active Directory failed – You have an important alert from Azure Active Directory, sent from azure-noreply@microsoft.com.
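As an added example (not code from the original post), the following script collects the threshold-related events listed under the event log method above from the Application log of an Azure AD Connect server and raises a warning when an export was actually stopped. It uses the Event IDs and sources named in the post (116 and 906 from Directory Synchronization, 6950 from ADSync) and assumes it runs locally on the server with rights to read the Application log.

```powershell
# Added example: detect Export Deletion Threshold incidents from the Application event log.
$since = (Get-Date).AddDays(-7)   # look-back window; adjust to your monitoring interval

# Event IDs and sources as described in the post.
$filters = @(
    @{ LogName = 'Application'; ProviderName = 'Directory Synchronization'; Id = 116, 906; StartTime = $since }
    @{ LogName = 'Application'; ProviderName = 'ADSync';                    Id = 6950;     StartTime = $since }
)

# Get-WinEvent throws when nothing matches, so suppress that and collect what is there.
$events = foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}

if (-not $events) {
    "No threshold-related events since $since."
    return
}

# Chronological overview with the first line of each message as a summary.
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, ProviderName, Id, LevelDisplayName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 116 is only a warning about the configured threshold; 906 and 6950 mean the
# export was stopped. Only the latter should page someone.
$stopped = @($events | Where-Object { $_.Id -in 906, 6950 } | Sort-Object TimeCreated)
if ($stopped.Count -gt 0) {
    Write-Warning ("Export Deletion Threshold stopped {0} export(s) since {1}; most recent at {2}. " +
                   "Check whether the deletes are desired before raising the threshold.") -f
                   $stopped.Count, $since, $stopped[-1].TimeCreated
}
```

Hook the Write-Warning branch into your alerting pipeline (for example a scheduled task that forwards to your SIEM) so a stopped export is noticed before the e-mail alert arrives.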
How to view the Threshold Configuration
To view the Export Deletion Threshold configuration on an Azure AD Connect installation, run the following line of Windows PowerShell on an elevated prompt:
Get-ADSyncExportDeletionThreshold
How to disable the Export Deletion Threshold
To disable the Export Deletion Threshold on an Azure AD Connect installation, run the following line of Windows PowerShell on an elevated prompt:
Disable-ADSyncExportDeletionThreshold
Provide the credentials of an Azure AD account with the Global Administrator role assigned to complete the command.
How to enable and set the Deletion Threshold
To set the number of objects for the Export Deletion Threshold on an Azure AD Connect installation, run the following line of Windows PowerShell on an elevated prompt:
Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500
Provide the credentials of an Azure AD account with the Global Administrator role assigned to complete the command.
How to overcome hitting the Deletion Threshold
Your changes are desired
When you’re notified of, or experience, hitting the Export Deletion Threshold and the deletes are desired, perform the three actions above as part of the steps below:
- Sign in to the actively synchronizing Azure AD Connect installation.
- Open an elevated Windows PowerShell window.
- View the Export Deletion Threshold value.
- Disable the Export Deletion Threshold, or configure the Export Deletion Threshold to a value that is higher than the number of deletions to be exported.
- Perform a synchronization cycle using the following line of Windows PowerShell:
Start-ADSyncSyncCycle
- Re-enable and set the Export Deletion Threshold if you disabled it in the previous steps, or set it back to its previous value if you raised it.
- Close the Windows PowerShell window.
- Sign out.
Set the Export Deletion Threshold to the same value as set previously, or use the information on the situation as a lesson-learned and increase or decrease the threshold value accordingly.
When the deletions are a result of a configuration change, perform the same configuration change on the Staging Mode Azure AD Connect installation(s), unless the configuration change is one that is stored in Azure AD.
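As an added example (not code from the original post), the script below wraps the procedure above for the case where the deletes are desired: it raises the Export Deletion Threshold just enough for one synchronization cycle and restores the original value in a finally block, so the guard comes back even when the cycle fails. It assumes Get-ADSyncExportDeletionThreshold exposes DeletionThresholdEnabled and DeletionThreshold, that Get-ADSyncScheduler exposes SyncCycleInProgress, and that it runs on the actively synchronizing installation; the Enable cmdlet prompts for Global Administrator credentials.

```powershell
# Added example: temporarily raise the Export Deletion Threshold for one sync cycle and restore it.
param(
    # Number of deletes waiting to be exported (from event 116 or the export run profile).
    [Parameter(Mandatory = $true)][int]$ExpectedDeletions
)
Import-Module ADSync

$before = Get-ADSyncExportDeletionThreshold
if (-not $before.DeletionThresholdEnabled) {
    throw 'The Export Deletion Threshold is already disabled; enable it first so a known value can be restored.'
}

# 10% headroom so a handful of extra deletes do not stop the cycle again,
# without switching the guard off entirely.
$temporary = [int][math]::Ceiling($ExpectedDeletions * 1.1)
if ($temporary -le $before.DeletionThreshold) {
    throw "The current threshold ($($before.DeletionThreshold)) already covers $ExpectedDeletions deletes."
}

try {
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold $temporary
    "Threshold raised from $($before.DeletionThreshold) to $temporary for this cycle."

    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    Start-Sleep -Seconds 10   # give the scheduler a moment to pick the cycle up
    while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 15 }
}
finally {
    # Always put the original value back, whether or not the export succeeded.
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold $before.DeletionThreshold
    "Threshold restored to $($before.DeletionThreshold)."
}

"Review the export run profile and the Application event log to confirm the deletes were exported."
```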
Your changes are undesired
When you’re notified of, or experience, hitting the Export Deletion Threshold and the deletes are undesired, roll back the configuration changes, or switch the actively synchronizing Azure AD Connect installation with a Staging Mode installation that still has the previous configuration.
Concluding
Azure AD Connect’s Export Deletion Threshold is a truly cool feature that might save your behind some day.
Don’t disable it. Tweak it. For many of the blog posts to come in this series, you’ll be glad you did.
Further reading
Azure AD Connect sync: Prevent accidental deletes
The post HOW TO: Properly set and manage Azure AD Connect’s Export Deletion Threshold appeared first on The things that are better left unspoken.