Microsoft Azure Active Directory Connect (AAD Connect) is a tool that synchronizes user accounts and other objects from on-premises Active Directory (AD) to Azure AD, allowing single sign-on (SSO) to cloud-based applications. However, while using AD Connect, users may sometimes encounter an error message such as “DeletingCloudOnlyObjectNotAllowed” or “Error 114”.
(Screenshots in the original: detail of the error, and the error as shown in Synchronization Server Manager.)
This technical article will explain the root cause of these error messages and how to resolve them.
Error Message Explanation
The error message “DeletingCloudOnlyObjectNotAllowed” or “Error 114” typically occurs when AD Connect tries to export a deletion for an object to Azure AD, but that object’s DirSyncEnabled status is “False”, so Azure AD treats it as cloud-only and refuses the delete. In other words, AD Connect is attempting to delete a restored user or object; this is usually caused by moving a user to an un-synced organizational unit (OU), or by deleting an object on-premises and then restoring it.
Finding Affected Objects
The easiest way to identify the affected users or objects is to look for accounts in Azure AD that have the ImmutableID value published and the DirSyncEnabled status set to False.
To export a list of all such objects, you can use the following command in PowerShell:
Get-AzureADUser -All $true | Select-Object -Property UserPrincipalName,ObjectId,ImmutableId,DirSyncEnabled | Export-Csv -Path C:\temp\AAD-AllUsers.Csv -NoTypeInformation
This command exports a CSV file to the specified path, containing the UserPrincipalName, ObjectId, ImmutableId, and DirSyncEnabled properties of all Azure AD users. Once the file is exported, you can search the CSV file for users with the DirSyncEnabled status set to False and ImmutableID value published.
Fixing the Issue
After identifying the affected users or objects, the next step is to fix the issue.
To do so, you need to set the ImmutableID value to null and perform a Delta sync. The ImmutableId is the sourceAnchor value shown as the Old Value in Synchronization Server Manager; the following command finds the user that currently holds it:
Get-MsolUser -All | Where-Object {$_.ImmutableId -eq "xxxxxxxxxxxxxx"} | Select-Object UserPrincipalName
The ImmutableID attribute is used to link the on-premises AD user with its corresponding Azure AD user.
Set-MsolUser -UserPrincipalName <UPN> -ImmutableId "$null"
By setting the value to null, you break the link between the two objects, allowing AD Connect to create a new Azure AD object during the next sync cycle.
Then either wait for the next scheduled sync cycle, or force a Delta sync immediately on the AAD Connect server:
Start-ADSyncSyncCycle -PolicyType Delta
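The whole procedure (find the affected accounts, clear their ImmutableId, then run a Delta sync) as one added PowerShell example. This is not code from the original article; it assumes the AzureAD and MSOnline modules are installed and already connected (Connect-AzureAD / Connect-MsolService), that the report path and the -Fix switch are this example's own conventions, and that $AadConnectServer names a server reachable over WinRM where the ADSync module is present. Note that cloud-only accounts report DirSyncEnabled as $null rather than $false, so the filter tests for "not True" rather than "equals False", which is what a manual search of the exported CSV would miss.

```powershell
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumed values for this example; adjust for your tenant.
    [string]$ReportPath = 'C:\temp\AAD-StaleImmutableId.csv',
    [string]$AadConnectServer = 'AADCONNECT01',
    [switch]$Fix   # without -Fix the script only reports and changes nothing
)

# Step 1: users that still carry an ImmutableId (sourceAnchor) but are no longer
# directory-synced. DirSyncEnabled is $null for cloud-only users, hence -ne $true.
$affected = Get-AzureADUser -All $true |
    Where-Object { -not [string]::IsNullOrEmpty($_.ImmutableId) -and $_.DirSyncEnabled -ne $true } |
    Select-Object UserPrincipalName, ObjectId, ImmutableId, DirSyncEnabled

$affected | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} user(s) have an ImmutableId but are not DirSync-enabled; report: {1}" -f @($affected).Count, $ReportPath)

if (-not $Fix) { return }

# Step 2: clear the ImmutableId on each affected account. -WhatIf / -Confirm are honoured
# through ShouldProcess so the change can be rehearsed before it is applied.
foreach ($user in $affected) {
    # Cross-check the MSOnline view of the same account before modifying it.
    $msol = Get-MsolUser -UserPrincipalName $user.UserPrincipalName -ErrorAction Stop
    if ($msol.ImmutableId -ne $user.ImmutableId) {
        Write-Warning "ImmutableId mismatch for $($user.UserPrincipalName); skipping"
        continue
    }
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "Clear ImmutableId '$($user.ImmutableId)'")) {
        Set-MsolUser -UserPrincipalName $user.UserPrincipalName -ImmutableId "$null"
    }
}

# Step 3: trigger a Delta sync on the AAD Connect server so the pending export is retried.
if ($PSCmdlet.ShouldProcess($AadConnectServer, 'Start-ADSyncSyncCycle -PolicyType Delta')) {
    Invoke-Command -ComputerName $AadConnectServer -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta }
}
```

Run it once without -Fix to review the CSV, then with -Fix -WhatIf to see which accounts would be changed, and only then with -Fix. The AzureAD and MSOnline modules used here (and on the page) are deprecated by Microsoft in favour of Microsoft Graph PowerShell, so check module availability in your environment before relying on this script long term.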
Conclusion
In summary, the error message “DeletingCloudOnlyObjectNotAllowed” or “Error 114” occurs when AD Connect tries to export a deletion for an object to Azure AD, but that object’s DirSyncEnabled status is “False”.
To identify the affected users or objects, you can export a list of all Azure AD users with the ImmutableID value published and the DirSyncEnabled status set to False. Once you have identified the affected objects, you can set the ImmutableID value to null and perform a Delta sync to fix the issue.