Removing O365 Accounts WITHOUT Having to Remove AD Accounts


As many Office 365 admins know, when you use Directory Synchronization to synchronize all of your AD objects into the cloud and then need to remove someone from Office 365, you have probably found that the ONLY way to remove the cloud user is to remove the AD user.  BUT many times this is not possible, as the AD user still has a role to fulfill or is still in use, for example, as a Service Account.  In this case, what DO you DO?

The new Directory Synchronization provides a “scoping” capability, which means ONLY certain domains/OUs are synchronized while all other AD objects are not. This “scoping” feature is the key to keeping your Active Directory user objects while removing them from your Office 365 tenant.

In a nutshell, you would follow the article below, which explains HOW to set up Directory Synchronization “scoping” so that one OU is taken out of synchronization; that OU is where you place all the AD accounts that no longer need to be in Office 365.  Because DirSync no longer looks into that OU (i.e. scoping), it no longer finds these accounts in your AD and issues a Delete request to Office 365 to remove these users.

Resources

  1. Overview of Directory Synchronization Filtering/Scoping:
    1. http://technet.microsoft.com/en-us/library/jj710171.aspx
    2. http://blogs.technet.com/b/educloud/archive/2012/08/10/user-soft-delete-and-dirsync-filtering-enabled.aspx
      1. Great additional article on Directory Synchronization Filtering and a discussion on the Soft-Delete feature, allowing you to recover users and their MBXs quickly and easily.

Note – Directory Synchronization scoping is a relatively new feature and one that can be used when you need to keep AD users while removing them from Office 365.  Directory Synchronization is the only way to manage this scenario, because Directory Synchronization retains management of these user objects, which means the user object(s) must be managed via the on-premises Active Directory.  Be careful when using Directory Synchronization scoping, as the Directory Synchronization delete directive WILL cause these online user objects to be deleted.  If you have scoped out an account in error, you can easily use the “Soft-Delete” feature in Office 365 to pull the account back from the hidden “deleted items” container in Office 365 AD and bring it back into action.
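The two halves of the procedure above, moving an AD user into the scoped-out OU and recovering a soft-deleted cloud user when that was done in error, as an added PowerShell example that is not part of the original post. The OU path `OU=NoSync,DC=contoso,DC=com` and the user principal names are assumptions; the script assumes the ActiveDirectory and MSOnline modules are installed and that OU filtering has already been configured in DirSync per the linked article.

```powershell
Import-Module ActiveDirectory
Import-Module MSOnline

# Assumed: this OU has already been excluded from DirSync via scoping (see article).
$ScopedOutOU = 'OU=NoSync,DC=contoso,DC=com'

function Move-UserOutOfSyncScope {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $user = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'"
    if (-not $user) { throw "AD user '$UserPrincipalName' not found." }

    # Guard: a user already in the scoped-out OU needs no move.
    if ($user.DistinguishedName -like "*,$ScopedOutOU") {
        Write-Warning "$UserPrincipalName is already outside the sync scope."
        return
    }

    # The AD object is kept; only its location changes. DirSync will stop seeing
    # it on the next sync cycle and will delete the matching cloud user.
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $ScopedOutOU
    Write-Host "Moved $UserPrincipalName to $ScopedOutOU. Cloud user will be deleted on next sync."
}

function Restore-ScopedOutUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    Connect-MsolService   # prompts for tenant admin credentials

    # Soft-deleted users live in the recycle bin for a limited time; check before restoring.
    $deleted = Get-MsolUser -ReturnDeletedUsers |
               Where-Object { $_.UserPrincipalName -eq $UserPrincipalName }
    if (-not $deleted) {
        Write-Warning "No soft-deleted cloud user named $UserPrincipalName was found."
        return
    }

    # Restores the cloud user and its mailbox; the AD object must also be moved back
    # into a synchronized OU, otherwise the next sync cycle deletes it again.
    Restore-MsolUser -UserPrincipalName $UserPrincipalName
    Write-Host "Restored $UserPrincipalName from the Office 365 recycle bin."
}

# Example usage (constructed):
# Move-UserOutOfSyncScope -UserPrincipalName 'svc-backup@contoso.com'
# Restore-ScopedOutUser   -UserPrincipalName 'svc-backup@contoso.com'
```

After moving the AD object, run a sync (Start-OnlineCoexistenceSync from the DirSync PowerShell shell, or wait for the scheduled cycle) and confirm the cloud user shows up under Get-MsolUser -ReturnDeletedUsers before treating the removal as complete.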
