AD Synced Users still exist in Entra even after Scope Change

Written 07/10/25
PROMPT: If you adjust the scope of Entra Connect Sync from one OU to another (or you mis-configured the AD sync scope to the entire domain and then corrected it), you might notice that the users who are no longer in scope are still present in your Entra tenant. If so, you have most likely hit the ExportDeletionThreshold: the export that would have deleted them was blocked because the number of pending deletions exceeded the threshold.

Resources:

MS Learn on ExportDeletionThreshold
MS Learn on Entra Connect health alert types

Prerequisites:

  • You have already set up Entra Connect for your domain.
  • You are using the Connect Sync agent.
  • You know the service account used by Entra Connect.

Steps:

  1. Open the Entra Admin Center and navigate to Identity -> Hybrid Management -> Microsoft Entra Connect -> Connect Sync -> scroll to the bottom -> Microsoft Entra Connect Health.
  2. On the Health page, go to Sync Services -> click on the tenant name (e.g. domain.onmicrosoft.com) -> click on the sync agent server -> click on Active -> click on the alert.
  3. If the error states “The export operation to Microsoft Entra ID has failed. There were more objects to be deleted than the configured threshold. As a result, no objects were exported.”, then we have confirmed that this is our issue.
  4. Log on to your server running Entra Connect Sync and open PowerShell.
  5. Run the following command, where admin@domain.com is your admin UPN: Disable-ADSyncExportDeletionThreshold -AADUserName admin@domain.com
  6. Log in as the admin when prompted.
  7. Once that completes, run a full sync with the following command: Start-ADSyncSyncCycle -PolicyType Initial
  8. Wait some time and check Entra; you should now only see the correctly scoped hybrid users. Re-enable the threshold at the default value, 500, so that the safeguard against accidental mass deletions is back in place: Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500 -AADUserName admin@domain.com
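Steps 4 to 8 as one script, added here as an example and not part of the original post. It assumes the ADSync module that ships with Connect Sync, the Get-ADSyncScheduler cmdlet from that module (assumed available) for detecting when the cycle finishes, and a placeholder admin UPN; the try/finally makes sure the threshold is turned back on even if the sync fails.

```powershell
# Added example: run on the Entra Connect Sync server in an elevated PowerShell.
# Assumptions: ADSync module present, Get-ADSyncScheduler available,
# $AdminUpn replaced with your real admin UPN (placeholder below).
$AdminUpn = 'admin@domain.com'   # placeholder admin UPN
$DefaultThreshold = 500          # default ExportDeletionThreshold per the post

Import-Module ADSync

# Do not start while another sync cycle is running.
if ((Get-ADSyncScheduler).SyncCycleInProgress) {
    throw 'A sync cycle is already in progress; wait for it to finish first.'
}

try {
    # Step 5: lift the deletion threshold for this one corrective export.
    # You will be prompted to sign in as the admin (step 6).
    Disable-ADSyncExportDeletionThreshold -AADUserName $AdminUpn

    # Step 7: full (Initial) sync so out-of-scope users are exported as deletions.
    Start-ADSyncSyncCycle -PolicyType Initial

    # Step 8: poll until the cycle finishes (up to 30 minutes here).
    $deadline = (Get-Date).AddMinutes(30)
    do {
        Start-Sleep -Seconds 30
        $running = (Get-ADSyncScheduler).SyncCycleInProgress
    } while ($running -and (Get-Date) -lt $deadline)

    if ($running) {
        Write-Warning 'Sync cycle still running after 30 minutes; check Connect Health.'
    } else {
        Write-Host 'Sync cycle finished; verify the scoped users in Entra.'
    }
}
finally {
    # Always restore the safeguard, even if the sync threw or was interrupted,
    # so a future scoping mistake cannot silently delete hundreds of users.
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold $DefaultThreshold -AADUserName $AdminUpn
    Write-Host "Export deletion threshold re-enabled at $DefaultThreshold."
}
```

Expect two interactive admin sign-in prompts, one for the disable and one for the re-enable.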