We will be looking at several reasons why you may run into the ‘DeletingCloudOnlyObjectNotAllowed’ sync error in Entra Connect Health and how to resolve it.
Symptoms
Error in Microsoft Entra ID
You might receive emails about sync errors from Entra Connect Health. These can then be checked under Microsoft Entra ID > Hybrid management > Entra Connect > Entra Connect sync > Entra Connect Health > Sync errors.
Error in Entra connect server
If you look at the Synchronization Service Manager on the Entra Connect server (formerly the AAD Connect server), errors may appear in the export or import cycles.
Cause
I have seen DeletingCloudOnlyObjectNotAllowed show up in more than one scenario, so the cause depends on the change you recently made.
The most common scenario leading to this sync error is when you remove a user from a synced OU and then restore the user in Entra ID from the deleted users list before Entra Connect runs a sync cycle. When you restore the user this way, it is restored as a cloud-only user. When Entra Connect then tries to delete the user, it cannot complete the operation because the object is cloud-only at this point: Entra Connect cannot make changes to objects where DirSyncEnabled is set to False. You can also find more possible causes in the Microsoft Learn article.
Resolution: Fixing the sync error ‘DeletingCloudOnlyObjectNotAllowed’
Step 1: Identifying the affected user (or object)
Depending on where you see the error, the affected user or group can be identified from the sync error details.
If the error is in the Synchronization Service Manager on your server, click on the export error (click on CN={}) and a screen showing the affected object’s details will open.
You can identify the affected user account using the userPrincipalName or displayName or any other value you see in the error details.
If the error can be seen in Entra ID connect health sync errors section, you can find the details of the affected object by clicking on the error.
Step 2: Nulling the immutableID (sourceAnchor) of the cloud user
Now that you have identified the affected user object, we can work towards resolving this sync conflict.
We will follow steps similar to hard matching to null (remove) the immutableID of the affected user object.
- Install the Microsoft Graph module if you haven’t already.
Install-Module Microsoft.Graph
- Connect to Entra ID using the module and consent to the requested permissions.
Connect-MgGraph -Scopes "User.ReadWrite.All" , "Domain.ReadWrite.All", "Directory.AccessAsUser.All"
- View the user’s current ImmutableID (sourceAnchor) value.
Get-MgUser -UserId <UPN or objectID of the user> -Property OnPremisesImmutableId,UserPrincipalName,Id | Format-List UserPrincipalName,OnPremisesImmutableId,ID
- Null the immutableID of the user
Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/Users/<UPN of the user>" -Body @{OnPremisesImmutableId = $null}
- Now run a delta or full sync to clear the sync error. The command below must be run on your Entra Connect server.
# Delta sync command
Start-ADSyncSyncCycle -PolicyType Delta
# Full sync command
Start-ADSyncSyncCycle -PolicyType Initial
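Before clearing the value in Step 2, it is worth confirming that the object really is the restored cloud-only copy (OnPremisesSyncEnabled not true) and seeing which on-premises objectGUID the current immutableID decodes to, so you do not clear the anchor on a still-synced object. The following function is an added example, not code from the original post; it assumes the Microsoft.Graph module is installed and Connect-MgGraph has already been run with User.ReadWrite.All, and the function name and parameters are my own.

```powershell
# Added example: guarded version of the immutableID reset described in Step 2.
# Assumes Connect-MgGraph -Scopes "User.ReadWrite.All" has already been run.
function Clear-CloudOnlyImmutableId {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName
    )

    $user = Get-MgUser -UserId $UserPrincipalName `
        -Property Id,UserPrincipalName,OnPremisesSyncEnabled,OnPremisesImmutableId

    Write-Host "User:                  $($user.UserPrincipalName)"
    Write-Host "OnPremisesSyncEnabled: $($user.OnPremisesSyncEnabled)"
    Write-Host "OnPremisesImmutableId: $($user.OnPremisesImmutableId)"

    # Guard: this fix only applies to the restored, cloud-only object.
    # A synced object (DirSyncEnabled true) must be handled from the on-prem side.
    if ($user.OnPremisesSyncEnabled -eq $true) {
        throw "Object is still DirSync-enabled; not clearing its immutableId."
    }
    if (-not $user.OnPremisesImmutableId) {
        Write-Host "ImmutableId is already empty; nothing to do."
        return $user
    }

    # With the default sourceAnchor the immutableId is the base64 of the on-prem
    # objectGUID, so decode it to confirm it matches the AD object being deleted.
    try {
        $guid = [guid]::new([Convert]::FromBase64String($user.OnPremisesImmutableId))
        Write-Host "Decodes to on-prem objectGUID: $guid"
    } catch {
        Write-Host "ImmutableId is not a 16-byte GUID (custom sourceAnchor?)."
    }

    # Same PATCH as in the post; Invoke-MgGraphRequest is used because it sends an
    # explicit null, which clears the property.
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "Clear OnPremisesImmutableId")) {
        Invoke-MgGraphRequest -Method PATCH `
            -Uri "https://graph.microsoft.com/v1.0/users/$($user.Id)" `
            -Body @{ onPremisesImmutableId = $null }
    }

    # Re-read so the caller can see the property is now empty before running the sync.
    Get-MgUser -UserId $user.Id -Property UserPrincipalName,OnPremisesImmutableId
}

# Usage (dry run first): Clear-CloudOnlyImmutableId -UserPrincipalName user@contoso.com -WhatIf
```

Run it with -WhatIf first to see which object would be changed; then run without it and follow up with the Start-ADSyncSyncCycle command above on the Entra Connect server.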
Please feel free to leave a comment if you have questions on the above steps or if you run into DeletingCloudOnlyObjectNotAllowed in a scenario not described in this article.