
KB-4899: How to delete an "orphaned" synced account from Office 365

Centrify Identity Service, App Edition

7 March, 17 at 12:03 AM

Applies to: Centrify Identity Service



Question:



If a User is disabled or deleted in the source directory (typically Active Directory), but de-provisioning rules are not configured to delete the User from Office 365 when that happens, the User object will be orphaned in Office 365.

Scenario 1:
The most common scenario that creates this situation is:

1. The User is disabled in the source directory, prompting a de-provision event to remove the license in Office 365.
2. The User is later deleted, but the de-provisioning rule to delete the User when deleted from the source directory does not take effect. This is because, at this time, Centrify does not sync any changes for disabled Users, including delete events.




Scenario 2:
Another, less common scenario is a failed migration that creates split mailboxes, where the mailbox or User needs to be deleted in order to re-provision correctly. This manifests as the end User being constantly prompted with a popup in Outlook saying, "The Microsoft Exchange administrator has made a change that requires you to quit and restart Outlook".




In both cases: How can an Administrator delete the Federated user after this occurs?



Answer:



The commands in this KB are taken from the following Microsoft documentation, provided as a courtesy, and should only be used by an Administrator familiar with remote PowerShell with Azure Active Directory.

Remove-MsolUser 
https://docs.microsoft.com/en-us/powershell/msonline/v1/Remove-MsolUser

Remove-MsolGroup
https://docs.microsoft.com/en-us/powershell/msonline/v1/remove-msolgroup


1. To remove the User, an Administrator should first connect to Azure Active Directory using remote PowerShell. Instructions can be found here, if needed (provided as a courtesy).

2a. Next, an Administrator will need to run the following two commands: the first removes the User, and the second flushes the User from the recycle bin.
  • Remove-MsolUser -UserPrincipalName <UserPrincipalName>
  • Remove-MsolUser -UserPrincipalName <UserPrincipalName> -RemoveFromRecycleBin
       (Replace <UserPrincipalName> with the actual UPN, e.g. alias@tenant.onmicrosoft.com)


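2b. The following command can be used to remove Office 365 Groups. Every group that Get-MsolGroup returns for the search string is piped to Remove-MsolGroup, so run the Get-MsolGroup half on its own first and confirm the result.
  • Get-MsolGroup -SearchString "GroupName" | Remove-MsolGroup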
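
The two commands from step 2a wrapped with pre-delete checks and a post-delete verification, as an added example that is not part of the original KB or Centrify's own tooling. The function name `Remove-OrphanedMsolUser` and the `-AllowLicensed` switch are hypothetical; the MSOnline cmdlets and their parameters are the real ones.

```powershell
# Added example, not from the KB. Assumes the MSOnline module is loaded and
# Connect-MsolService has already been run in this session.
function Remove-OrphanedMsolUser {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory = $true)]
        [string]$UserPrincipalName,

        # Hypothetical switch: Scenario 2 (split mailbox) accounts may still be licensed.
        [switch]$AllowLicensed
    )

    # A mistyped UPN fails here, before any delete is attempted.
    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

    # In Scenario 1 the license was removed when the user was disabled, so a
    # licensed account is unlikely to be the orphan. Refuse unless overridden.
    if ($user.IsLicensed -and -not $AllowLicensed) {
        throw "$UserPrincipalName is still licensed; pass -AllowLicensed to proceed."
    }

    # Record what is about to be deleted (visible with -Verbose).
    $summary = $user |
        Select-Object UserPrincipalName, ObjectId, IsLicensed, LastDirSyncTime |
        Format-List | Out-String
    Write-Verbose $summary

    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Delete and purge from recycle bin')) {
        # Step 2a, first command: soft delete into the recycle bin.
        Remove-MsolUser -UserPrincipalName $UserPrincipalName -Force -ErrorAction Stop
        # Step 2a, second command: purge; ObjectId pins it to the same object.
        Remove-MsolUser -ObjectId $user.ObjectId -RemoveFromRecycleBin -Force -ErrorAction Stop

        # Confirm the object is gone from the deleted-users list as well.
        $left = Get-MsolUser -ReturnDeletedUsers -All |
            Where-Object { $_.ObjectId -eq $user.ObjectId }
        if ($left) {
            Write-Warning "$UserPrincipalName is still in the recycle bin."
        } else {
            Write-Output "$UserPrincipalName deleted and purged."
        }
    }
}

# Dry run first: -WhatIf shows the target without deleting anything.
Remove-OrphanedMsolUser -UserPrincipalName 'alias@tenant.onmicrosoft.com' -WhatIf -Verbose
```

Purging from the recycle bin is not reversible, so keep the `-Verbose` output from the dry run with the change record before running without `-WhatIf`.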



 For additional information not covered in this guide or troubleshooting assistance, please review Centrify Online Help or visit the Customer Support Portal at https://www.centrify.com/support/customer-support-portal.
 
