Azure AD Connect V


Having an issue with this version removing computers from Azure AD.  Seems this new version is doing a check on the workstations for the following.

1) time-valid certificate (not expired)

2) proper Azure AD certificate, where the certificate contains the objectGuid of the on-prem AD computer object


We have Conditional Access policies that target all workstations that are Hybrid joined. When they are removed the policy kicks in and the user is unable to access Outlook, Teams, OneDrive etc.


MS Supports says the rule in the AD sync doing this check is "In from AD - Computer Join"

Using the Synchronization Rules Editor I can see the rule

I basically want the sync to delete the computer from Azure ONLY if it's deleted from local AD, as we keep our Computer OUs very clean. I'd like to know if this is possible as I do not like the fact that it's doing this check and randomly deleting users' computers. The only workaround I have right now is unjoin/rejoin domain forcing a sync. I am not sure what is causing the deleted computers to all of a sudden not have a cert etc. from Azure. All workstations are Hybrid joined via GPO and out of 300+ users this is affecting random users. ANNOYING!!

11 Replies
This seems odd. I have not seen this issue yet but most customers are not on

I’ve read through the article and it seems they (should) just delete Azure AD Devices which are actually invalid.

The devices you’ve seen getting deleted from Azure AD, are they invalid (for example, does the script report them as invalid?)

In case you have some examples I could check on my end how it looks.

Getting this error when I try to run that PS1, I'm no POSH expert :)

PS C:\Windows\system32> C:\Users\bdpbmain\Desktop\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1
C:\Users\bdpbmain\Desktop\Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 : Parameter set cannot be resolved using the
specified named parameters.
+ CategoryInfo : InvalidArgument: (:) [Export-ADSyncTo...icateReport.ps1], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : AmbiguousParameterSet,Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1


MS assisted in disabling the rule and creating a new one that does not check the AZAD Cert Value.

Here is what they sent me.


If you do not want ADConnect to delete those devices here is a workaround you could follow, which basically changes the rule for Computer Join to the one which was used on previous ADConnect versions.

  1. Disable the sync scheduler by running Set-ADSyncScheduler -SyncCycleEnabled $false.
  2. Go to the Synchronization Rules Editor and look for the rule named In from AD - Computer Join
  3. Click on Edit (clicking edit allows you to clone the rule) and then Yes
  4. Once you have the rule to Edit please make sure you add a correct Precedence and keep everything the same except on Transformations (cloudFiltered, see image below)
  5. You will need to make sure to change this part as follows:

Flow Type: Expression

Target Attribute: cloudFiltered

Source: IIF(IsNullOrEmpty([userCertificate]),True,NULL)

Merge Type: Update

  6. Important to note the default rule In from AD needs to be disabled.
  7. Go back and enable the sync scheduler by running Set-ADSyncScheduler -SyncCycleEnabled $true
  8. You will need to run a Full sync cycle for the changes to take effect

Keep in mind starting from this version (1.4.x.0) the rule for computer join will remain the same, so it is important you take this into consideration on future ADConnect upgrades.

@Christian Taveras The latest version is now checking for a valid Azure signed certificate. In the past, AD computer objects with ANY certificate were allowed to export to AAD. We are now removing device objects that do not belong in Azure AD. They may still have their own certificates (such as custom PKI CA certs), but these will no longer export to the cloud. You may notice that these objects show as "pending" on your Azure devices list. If they are pending, they are not fully registered and would not participate in Azure AD CA. Although the given workaround will work, it's in your best interest to use our updated default devices sync rule instead.
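An added diagnostic (not Microsoft's Export-ADSyncToolsHybridAzureADjoinCertificateReport.ps1 and not the sync rule itself) that applies the two checks described in the opening post and in the reply above to on-prem computer objects, so you can see which ones would end up cloudFiltered before a sync cycle runs. It assumes the RSAT ActiveDirectory module, a placeholder OU, and that the hybrid join certificate carries the computer's objectGUID as its subject CN.

```powershell
# Added example: report which on-prem computer objects would fail the checks the new
# "In from AD - Computer Join" rule applies (time-valid certificate whose subject is the objectGUID).
# Assumes the RSAT ActiveDirectory module; the SearchBase used at the bottom is a placeholder.
Import-Module ActiveDirectory

function Test-HybridJoinCertificate {
    param(
        [Parameter(Mandatory)] [string]$SearchBase,   # OU distinguished name to scan
        [datetime]$Now = (Get-Date)                    # reference time for the validity check
    )
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties userCertificate, objectGUID |
        ForEach-Object {
            $computer  = $_
            $expected  = "CN=$($computer.objectGUID)"   # assumption: hybrid join cert subject
            $validCert = $null
            $reasons   = New-Object System.Collections.Generic.List[string]

            if (-not $computer.userCertificate -or $computer.userCertificate.Count -eq 0) {
                $reasons.Add('no userCertificate value')
            }
            foreach ($raw in $computer.userCertificate) {
                try {
                    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
                } catch {
                    $reasons.Add('unparseable certificate blob'); continue
                }
                # Check 2: the certificate must belong to this object (subject = objectGUID),
                # which rules out custom PKI certs that merely live in userCertificate.
                if ($cert.Subject -ne $expected) { $reasons.Add("subject '$($cert.Subject)' is not $expected"); continue }
                # Check 1: the certificate must be time-valid right now.
                if ($Now -lt $cert.NotBefore -or $Now -gt $cert.NotAfter) {
                    $reasons.Add("objectGUID cert outside validity ($($cert.NotBefore) - $($cert.NotAfter))"); continue
                }
                $validCert = $cert
            }

            [pscustomobject]@{
                Name            = $computer.Name
                ObjectGuid      = $computer.objectGUID
                WouldBeFiltered = ($null -eq $validCert)   # no passing cert => cloudFiltered => removed from AAD
                Thumbprint      = if ($validCert) { $validCert.Thumbprint } else { $null }
                Reasons         = ($reasons -join '; ')
            }
        }
}

# Placeholder OU; compare Thumbprint with the one shown by dsregcmd /status on the workstation.
Test-HybridJoinCertificate -SearchBase 'OU=Workstations,DC=example,DC=com' |
    Where-Object WouldBeFiltered | Format-Table Name, ObjectGuid, Reasons -AutoSize
```

A device listed here with a thumbprint that matches its dsregcmd output would indicate the on-prem object is not what the sync is filtering on, which is the kind of evidence the thread asks for.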

@Josh Villagomez I get your point of view, however for us at least this setting was removing valid computer accounts from AAD. Once removed the CA policies would block the user from resources due to the Hybrid Joined requirement.

@Christian Taveras You mean to say they were properly registered in AAD? Can you share the dsregcmd/status output of one of the affected devices? Are these Win10 devices or down-level devices? Or are they Intune managed? If they don't have valid certs, they're not validly registered hybrid devices. I'm not sure how you got it going on now, but we really need to investigate what's going on. 

@Josh Villagomez  These were valid Computer accounts in Local AD 55 of them to be exact.  Example this computer was deleted from Azure due to this.  I starred out some info for safety.


Microsoft Windows [Version 10.0.17763.503]
(c) 2018 Microsoft Corporation. All rights reserved.

U:\>DSregcmd /status

| Device State |

AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES
DomainName : B*B*I*

| Device Details |

DeviceId : c99998fd-99b9-9b99-9999-99cd999f9fef

Thumbprint : 09DE9A9B999C99C99999BD9ADCD9999C927D9B99
DeviceCertificateValidity : [ 2018-07-09 12:05:33.000 UTC -- 2028-07-09 12:35:33.000 UTC ]
KeyContainerId : 9aea9949-ea9b-99ea-a9fc-99d9e9c9999
KeyProvider : Microsoft Platform Crypto Provider
TpmProtected : YES

| Tenant Details |

Idp :
AuthCodeUrl : TENANT ID WAS HERE/oauth2/authorize
AccessTokenUrl : TENANT ID WAS HERE/oauth2/token
MdmUrl :
MdmTouUrl :
MdmComplianceUrl :
SettingsUrl :
JoinSrvVersion : 1.0
JoinSrvUrl :
JoinSrvId :
KeySrvVersion : 1.0
KeySrvUrl :
KeySrvId :
WebAuthNSrvVersion : 1.0
WebAuthNSrvId :
DeviceManagementSrvVer : 1.0
DeviceManagementSrvUrl : TENANT ID WAS HERE/
DeviceManagementSrvId :

| User State |

NgcSet : NO
WorkplaceJoined : NO
WamDefaultSet : YES
WamDefaultAuthority : organizations
WamDefaultId :
WamDefaultGUID : {B9999999-A999-9999-9999-99D99DA99} (AzureAd)

| SSO State |

AzureAdPrt : YES
AzureAdPrtUpdateTime : 2019-09-26 19:17:47.000 UTC
AzureAdPrtExpiryTime : 2019-10-10 19:17:47.000 UTC
AzureAdPrtAuthority : TENANT ID WAS HERE
EnterprisePrt : NO
EnterprisePrtAuthority :

| Diagnostic Data |

AadRecoveryNeeded : NO
KeySignTest : PASSED

| Ngc Prerequisite Check |

IsDeviceJoined : YES
IsUserAzureAD : YES
PolicyEnabled : NO
PostLogonEnabled : YES
DeviceEligible : YES
SessionIsNotRemote : YES
CertEnrollment : none
PreReqResult : WillNotProvision


@Christian Taveras the solution provided by MSFT (where I work and am a Technical Advisor in the Sync Space) should be considered a workaround / mitigation until the issue with the new sync rule is fixed in a future hotfix, which will be manually downloadable.


Once available, if you run an in-place upgrade the disabled default rule will have the "buggy" transformation modified. If you test it on a staging server (disable your new rule clone created by MSFT, then re-enable the default rule on your staging server) and find the hotfix acceptable, you have now reverted back to a default vs. custom state, which is always best practice.


The reason it is best practice, Microsoft routinely adds attributes which we sync to Azure AD for a given object type. We update the sync rule transformations to include the new rows (flows). Only default rules receive these new transformations so you would be missing out on new features if you remain custom, OR have to manually update all your custom rules if your organization wants to utilize these new features.

I have zero issues reverting back to default, I just cannot have random user computer accounts that belong to active users deleted. When will an update be released?

@Christian Taveras  Thanks for posting your dsregcmd status. It appears your Win10 is version 1809 and properly hybrid-joined. I would like to take a closer look at this because of some recent customer reports. If you don't mind, please create a new MS ticket and message the case# directly to me. We should try to get a root cause on your issue. Also, it would be good to get the summary report of the Gallery script referred to here:

I will get this going in the AM. Thank you!