As many Office 365 admins know, when you use Directory Synchronization to synchronize all your AD objects into the cloud and then need to remove someone from Office 365, you have probably found that the ONLY way to remove the cloud user is to remove the AD user. BUT many times this is not possible, because the AD user still has a role to fulfill or is still in use, for example as a service account. In that case, “what DO you DO?”
The new Directory Synchronization provides “scoping” capabilities: ONLY certain domains/OUs are synchronized, while all other AD objects are left out. This “scoping” feature is key to keeping your Active Directory user objects while removing them from your Office 365 tenant.
In a nutshell, you would follow the article below, which explains HOW to set up Directory Synchronization “scoping” so that one OU is taken out of synchronization; that OU is where you place all the AD accounts that no longer need to be in Office 365. Because DirSync no longer looks into that OU (i.e. scoping), it no longer finds those accounts in your AD and issues a Delete request to Office 365 to remove those users.
- Overview of Directory Synchronization Filtering/Scoping:
- Great additional article on Directory Synchronization Filtering and a discussion on the Soft-Delete feature, allowing you to recover users and their MBXs quickly and easily.
Note – Directory Synchronization scoping is a relatively new feature, and one that can be used when you need to keep AD users while removing them from Office 365. Directory Synchronization is the only way to manage this scenario, because synchronized user objects stay under Directory Synchronization management, which requires that the user object(s) be managed via the on-premises Active Directory. Be careful when using Directory Synchronization scoping, as the Directory Synchronization delete directive WILL cause these online user objects to be deleted. If you have scoped in error, you can easily use the “Soft-Delete” feature in Office 365 to pull these accounts back from the hidden “deleted items” folder in Office 365 AD and bring them back into action.
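The procedure above, end to end, as an added PowerShell example (this is not code from the original article or from Microsoft; it uses the ActiveDirectory and MSOnline modules, and the OU path, domain and UPN are placeholders for your own environment). It checks that the cloud object really is a synced copy before moving the AD account into the excluded OU, verifies that the account landed in the soft-deleted list after the sync, and shows the rollback path if the scoping was done in error. The sync cmdlet is an assumption about which sync tool you run and is noted as such in the comments.

```powershell
# Added example: keep an AD account on-premises while removing it from Office 365
# via DirSync OU filtering, then verify, and undo with soft-delete restore if needed.
# Assumptions: $ExcludedOu is ALREADY excluded from the sync scope (per the filtering
# article), and you have tenant admin rights. All names below are placeholders.
Import-Module ActiveDirectory
Import-Module MSOnline

$ExcludedOu = 'OU=NoSync,OU=ServiceAccounts,DC=contoso,DC=local'   # OU outside the DirSync scope
$SyncedOu   = 'OU=Users,DC=contoso,DC=local'                        # OU inside the scope (for rollback)
$Upn        = 'svc-backup@contoso.com'                              # must stay in AD, must leave O365

Connect-MsolService   # prompts for a tenant admin credential

# 1. Safety check: confirm the cloud object is a synced copy of this AD user.
#    A cloud-only user has no LastDirSyncTime and will NOT be removed by scoping.
$adUser   = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'"
$msolUser = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop
if (-not $adUser)                   { throw "No AD user with UPN $Upn" }
if (-not $msolUser.LastDirSyncTime) { throw "$Upn is cloud-only; scoping will not remove it" }

# 2. Move the AD object into the excluded OU. Nothing is deleted on-premises;
#    the account keeps working as a service account. ObjectGUID survives the move.
Move-ADObject -Identity $adUser.ObjectGUID -TargetPath $ExcludedOu

# 3. Trigger a delta sync (assumption: Azure AD Connect; the original DirSync tool
#    used Start-OnlineCoexistenceSync instead) or wait for the next scheduled cycle.
Start-ADSyncSyncCycle -PolicyType Delta

# 4. Verify after the cycle completes: the user is gone from the active list and
#    present in the soft-deleted list, which is what the Delete request produces.
if (Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue) {
    Write-Warning "$Upn is still active in the tenant; wait for the sync cycle and re-check"
}
Get-MsolUser -ReturnDeletedUsers |
    Where-Object { $_.UserPrincipalName -eq $Upn } |
    Select-Object UserPrincipalName, SoftDeletionTimestamp

# 5. Rollback if the scoping was a mistake. Move the AD object back INTO scope
#    first; otherwise the next sync cycle deletes the restored cloud user again.
#    Soft-deleted users are purged permanently after 30 days, so act within that window.
# Move-ADObject -Identity $adUser.ObjectGUID -TargetPath $SyncedOu
# Restore-MsolUser -UserPrincipalName $Upn
```

The order in step 5 matters: restoring the cloud object while the AD account is still in the excluded OU only delays the deletion until the next sync. Step 1 is the check most worth keeping, since a cloud-only account in the same tenant will silently survive the scoping change and still needs a separate removal decision.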