WORKAROUND
The Directory Writers role does not allow the Synchronization Service to delete objects in Azure AD. The required role is Company Administrator.
Use the following PowerShell script to add the application to the Company Administrator role.
# Replace <ClientId> with the Client ID of the Active Roles Azure AD Connector Application (example format: 455ad643-332g-32h7-q004-8ba89ce65ae26)
$Id = "<ClientId>"
# Prompt for Microsoft Azure AD Global Admin credentials.
# Save the supplied credentials to the $creds variable.
$creds = Get-Credential
# Connect to Azure AD using the credentials stored in $creds.
Connect-AzureAD -Credential $creds
# Get the service principal of the Active Roles Azure AD Connector Application and save it to the $servicePrincipal variable.
$servicePrincipal = Get-AzureADServicePrincipal -All $true | Where-Object { $_.AppId -eq $Id }
# Get the object ID of the Company Administrator directory role and save it to the $roleId variable.
$roleId = (Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Company Administrator' }).ObjectId
# Add the Active Roles Azure AD Connector Application's service principal to the Company Administrator role.
Add-AzureADDirectoryRoleMember -ObjectId $roleId -RefObjectId $servicePrincipal.ObjectId
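Because Company Administrator is the tenant's highest-privilege role, it is worth confirming the assignment took effect and reviewing which other service principals hold it. The following verification script is an added example, not part of the One Identity article; it assumes an existing Connect-AzureAD session and the same placeholder <ClientId> as above.

```powershell
# Added verification example (not from the original article). Assumes Connect-AzureAD has already run.
$Id = "<ClientId>"   # placeholder: Client ID of the Active Roles Azure AD Connector Application

# Resolve the connector's service principal; stop early if the Client ID is wrong.
$servicePrincipal = Get-AzureADServicePrincipal -All $true | Where-Object { $_.AppId -eq $Id }
if (-not $servicePrincipal) {
    throw "No service principal found for application ID '$Id'."
}

# Resolve the Company Administrator role and enumerate its current members.
$role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Company Administrator' }
if (-not $role) {
    throw "Company Administrator role not found in this tenant."
}
$members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId

# 1. Confirm the connector's service principal is now a role member.
$assigned = $members | Where-Object { $_.ObjectId -eq $servicePrincipal.ObjectId }
if ($assigned) {
    Write-Output "OK: '$($servicePrincipal.DisplayName)' is a member of Company Administrator."
} else {
    Write-Warning "'$($servicePrincipal.DisplayName)' is NOT a member of Company Administrator; re-run the assignment."
}

# 2. List every other service principal holding the role so unexpected entries can be reviewed.
$otherApps = $members | Where-Object {
    $_.ObjectType -eq 'ServicePrincipal' -and $_.ObjectId -ne $servicePrincipal.ObjectId
}
if ($otherApps) {
    Write-Output "Other service principals in Company Administrator (review these):"
    $otherApps | Select-Object DisplayName, AppId, ObjectId | Format-Table -AutoSize
} else {
    Write-Output "No other service principals hold Company Administrator."
}
```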