Forum Discussion

VolTwins
Copper Contributor
Jan 25, 2024

Azure sync errors - DeletingCloudOnlyObjectNotAllowed

Hello. My problem is errors in synchronization between AD and AAD. The error type is: DeletingCloudOnlyObjectNotAllowed

I have already browsed threads with this problem, but the Object GUID in my case does not belong to any group or user that I could simply delete, and when another synchronization is performed the Object GUID changes (it changes during each synchronization).

I know that if it were a user or group, you should set the "DirSyncEnabled" attribute to false and change the value of "ImmutableId" to null, but, as I said, in my case it is not a group or user.

I'm asking for help because I don't know how to solve these synchronization problems.

Best regards

  • rastok
    Brass Contributor
    It is strange that the Object GUID keeps changing on each sync cycle; that makes it difficult to correlate. Have you tried running IdFix to find any issues? You can also try running Get-AzureADUser | Where {$_.DirSyncEnabled -eq $null} | Set-MsolUser -ImmutableId "$null" just to set all ImmutableId values to $null.
  • VolTwins

    Better to locate the affected object first:

    Get-AzureADUser -All $true | Select-Object -Property UserPrincipalName,ObjectId,ImmutableId,DirSyncEnabled

    • VolTwins
      Copper Contributor

      Kidd_Ip rastok

      People have been exported with the DirSyncEnabled attribute set to false:

      Get-AzureADUser -All $true | Select-Object -Property UserPrincipalName,ObjectId,ImmutableId,DirSyncEnabled | Where-Object { $_.DirSyncEnabled -eq $false }

      We are interested in ImmutableId; we should change these values to null for all UserPrincipalNames to break communication between AD and AAD:

      Get-AzureADUser -All $true | Where-Object { $_.DirSyncEnabled -eq $false } | ForEach-Object { Set-AzureADUser -ObjectId $_.ObjectId -ImmutableId $null }

      However, after entering this command (forcing ImmutableId to be null), nothing changes and the effect is still the same as in the photo above.

      In my case, this is not entirely possible, because this value is managed by the system (limitations of the platform itself?). At least that's what I found out, but I'm not sure.
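The two steps the thread circles around, identifying what the Object GUID in the error actually is (it need not be a user or group) and clearing ImmutableId on cloud-only users in a reviewable way, as an added example that is not code from the thread or from Microsoft. It assumes the AzureAD PowerShell module is installed and Connect-AzureAD has been run as an account that can read directory objects and update users. The cmdlets are real AzureAD-module cmdlets; the two function names and the sample GUID are placeholders chosen for this example.

```powershell
# Added example; assumes the AzureAD module and an existing Connect-AzureAD session.
# Function names and the sample GUID below are placeholders, not part of the thread.

function Resolve-SyncErrorObject {
    # Resolve the Object GUID quoted in a DeletingCloudOnlyObjectNotAllowed error to its
    # directory object type. Get-AzureADObjectByObjectId is not limited to users and
    # groups, so it also returns contacts, devices and service principals.
    param([Parameter(Mandatory)][string]$ObjectId)

    try   { $obj = Get-AzureADObjectByObjectId -ObjectIds @($ObjectId) }
    catch { $obj = $null }

    if (-not $obj) {
        # A GUID that no longer resolves usually means the object is already gone in the
        # cloud; Get-AzureADMSDeletedDirectoryObject -Id shows soft-deleted objects.
        return [pscustomobject]@{
            ObjectId       = $ObjectId
            ObjectType     = 'NotFound'
            DisplayName    = $null
            DirSyncEnabled = $null
            ImmutableId    = $null
        }
    }

    # Fetch the type-specific object so DirSyncEnabled / ImmutableId are populated where
    # the type carries them (users and groups; devices have neither, so they stay empty).
    $detail = switch ($obj.ObjectType) {
        'User'    { Get-AzureADUser    -ObjectId $ObjectId }
        'Group'   { Get-AzureADGroup   -ObjectId $ObjectId }
        'Contact' { Get-AzureADContact -ObjectId $ObjectId }
        'Device'  { Get-AzureADDevice  -ObjectId $ObjectId }
        default   { $obj }
    }
    [pscustomobject]@{
        ObjectId       = $ObjectId
        ObjectType     = $obj.ObjectType
        DisplayName    = $detail.DisplayName
        DirSyncEnabled = $detail.DirSyncEnabled
        ImmutableId    = $detail.ImmutableId
    }
}

function Clear-StaleImmutableId {
    # The thread's bulk command, made reviewable: export the current anchors to CSV first,
    # honour -WhatIf, and read each user back afterwards to confirm the change actually
    # took, since the thread reports the value staying unchanged after Set-AzureADUser.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$BackupPath = ".\immutableid-backup-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"
    )

    # Cloud-only users normally report DirSyncEnabled as empty rather than $false, so
    # '-ne $true' covers both; only users that still carry an ImmutableId are candidates.
    $candidates = Get-AzureADUser -All $true |
        Where-Object { $_.DirSyncEnabled -ne $true -and -not [string]::IsNullOrEmpty($_.ImmutableId) } |
        Select-Object UserPrincipalName, ObjectId, ImmutableId, DirSyncEnabled

    if (-not $candidates) {
        Write-Verbose 'No cloud-only users with an ImmutableId found.'
        return @()
    }
    # Keep the old anchors so the change can be reversed with Set-AzureADUser -ImmutableId.
    $candidates | Export-Csv -Path $BackupPath -NoTypeInformation

    $results = foreach ($u in $candidates) {
        $status = 'Skipped'
        if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, "Clear ImmutableId '$($u.ImmutableId)'")) {
            try {
                Set-AzureADUser -ObjectId $u.ObjectId -ImmutableId $null
                # Verify by reading the object back instead of trusting the absence of an error.
                $after  = (Get-AzureADUser -ObjectId $u.ObjectId).ImmutableId
                $status = if ([string]::IsNullOrEmpty($after)) { 'Cleared' } else { 'StillSet' }
            } catch {
                $status = "Failed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            UserPrincipalName   = $u.UserPrincipalName
            ObjectId            = $u.ObjectId
            PreviousImmutableId = $u.ImmutableId
            Status              = $status
        }
    }
    $results
}

# Usage (placeholder GUID; take the real one from the sync error message):
# Resolve-SyncErrorObject -ObjectId '00000000-0000-0000-0000-000000000000'
# Clear-StaleImmutableId -WhatIf     # dry run: lists the users that would be changed
# Clear-StaleImmutableId -Verbose    # real run, with backup CSV and read-back check
```

Run Resolve-SyncErrorObject each time the error reappears and record the ObjectType; if the GUID really differs on every cycle, the ObjectType column shows whether the same kind of object is involved each time. ImmutableId is the hard-match anchor between the on-premises account and the cloud account, so clearing it means the next sync can only soft-match on UserPrincipalName or proxyAddresses; the backup CSV is what lets you put an anchor back if the wrong user was matched. The AzureAD module is deprecated; the Microsoft Graph equivalents are Get-MgDirectoryObjectById and Get-MgUser, where the property is called OnPremisesImmutableId.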
