
ISSUE:
The user “User 1” with UPN “user@domain.com” was showing as In Cloud on the Office 365 portal but there was another duplicate user “User 1” with UPN “user@domain.onmicrosoft.com” which was showing as Synced with AD on the Office 365 portal.
WHY THIS HAPPENS:
When a user is synced from on-premises AD to the cloud, certain attributes must match an existing object in Azure AD/Office 365 for the sync to map the on-premises user onto that object. When those attributes do not match, Azure AD does not link the two and instead creates a new (duplicate) account.
ATTRIBUTES:
First Name
Last Name
UPN
RESOLUTION:
– Move the user "User 1" to the non-syncing OU "Lost and Found" in AD.
– Run the synchronization cycle with the Start-ADSyncSyncCycle -PolicyType Delta command in elevated Windows PowerShell.
– The user "User 1" with UPN "user@domain.onmicrosoft.com" now appears in the deleted folder on the Office 365 portal.
Run the following PowerShell commands on the sync server.
– Run the Install-Module MSOnline command in elevated Windows PowerShell (if the module is not already installed).
– Run the Connect-MsolService command in elevated Windows PowerShell.
– Run the Remove-MsolUser -UserPrincipalName "user@domain.onmicrosoft.com" -RemoveFromRecycleBin -Force command in elevated Windows PowerShell.
– The user “User 1” with UPN “user@domain.onmicrosoft.com” will be removed from the deleted folder on the Office 365 portal.
– Run the Get-MsolUser -UserPrincipalName "user@domain.com" | FL command in elevated Windows PowerShell.
– Found that the immutable ID was null.
– Run the ldifde -f export.txt -r "(Userprincipalname=user@domain.com)" -l "objectGuid, userPrincipalName" command in an elevated Command Prompt on the AD server to export the user's objectGUID to export.txt.
– Open export.txt to collect the objectGUID. ldifde writes it as a base64 string, which is exactly the format the ImmutableID expects (the ImmutableID is the base64-encoded objectGUID of the on-premises object, and stamping it forces a hard match).
– Run the Set-MsolUser -UserPrincipalName user@domain.com -ImmutableId "ZmPI2YZU0YcKFiNS98Q==" command in elevated Windows PowerShell to stamp the ImmutableID on the Azure AD account.
– Move the user "User 1" back to the syncing OU.
– Run the synchronization cycle with the Start-ADSyncSyncCycle -PolicyType Delta command in elevated Windows PowerShell on the sync server.
– The user "User 1" with UPN "user@domain.com" now syncs successfully.
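The hard-match steps above (read the objectGUID, base64-encode it, compare with the cloud ImmutableID, stamp it when null) can be done in one script instead of copying the value out of an ldifde export by hand. The following is an added example, not code from the original post; it assumes the ActiveDirectory and MSOnline modules are installed, that Connect-MsolService has already been run in the session, and it adds two checks the procedure relies on: that no deleted cloud user still holds the same ImmutableID, and that an existing non-null ImmutableID is not silently overwritten.

```powershell
# Added example (not from the original post): hard-match an on-premises AD user to
# its cloud account by stamping the base64-encoded objectGUID as the ImmutableID.
# Assumptions: ActiveDirectory and MSOnline modules are installed, Connect-MsolService
# has already been run, and the script is invoked as a file with -Upn <user UPN>.
param(
    [Parameter(Mandatory = $true)]
    [string]$Upn
)

Import-Module ActiveDirectory
Import-Module MSOnline

# 1. Read the on-premises objectGUID and encode it the same way Azure AD Connect does
#    (base64 of the 16 raw GUID bytes), which is the expected ImmutableID value.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'" -Properties objectGUID
if (-not $adUser) { throw "No on-premises user with UPN $Upn" }
$expectedImmutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

# 2. A soft-deleted cloud user that still carries this ImmutableID blocks the match,
#    so detect it first instead of letting the next sync create another duplicate.
$deleted = Get-MsolUser -ReturnDeletedUsers -All |
    Where-Object { $_.ImmutableId -eq $expectedImmutableId }
if ($deleted) {
    Write-Warning ("Deleted cloud user {0} still holds ImmutableID {1}; purge it with " +
        "Remove-MsolUser -RemoveFromRecycleBin before stamping.") -f $deleted.UserPrincipalName, $expectedImmutableId
    return
}

# 3. Compare the live cloud account's ImmutableID with the expected value.
$cloudUser = Get-MsolUser -UserPrincipalName $Upn
if ($cloudUser.ImmutableId -eq $expectedImmutableId) {
    Write-Host "Already hard-matched: $Upn"
}
elseif ([string]::IsNullOrEmpty($cloudUser.ImmutableId)) {
    # Cloud-only account with no anchor: stamp it so the next delta sync links
    # to it instead of creating a duplicate @onmicrosoft.com user.
    Set-MsolUser -UserPrincipalName $Upn -ImmutableId $expectedImmutableId
    Write-Host "Stamped ImmutableID $expectedImmutableId on $Upn"
}
else {
    # Non-null but different: decode it so the operator can see which AD object the
    # cloud account currently points at, and do not overwrite it blindly.
    $currentGuid = [Guid]::new([Convert]::FromBase64String($cloudUser.ImmutableId))
    Write-Warning ("ImmutableID mismatch for {0}: cloud anchor decodes to objectGUID {1}, " +
        "on-premises objectGUID is {2}. Investigate before overwriting.") -f $Upn, $currentGuid, $adUser.ObjectGUID
}
```

Save it under any name (for instance Set-HardMatch.ps1, a hypothetical file name) and run it from an elevated PowerShell on the sync server as .\Set-HardMatch.ps1 -Upn user@domain.com, then trigger Start-ADSyncSyncCycle -PolicyType Delta as in the steps above. The MSOnline module is being retired by Microsoft; the same stamp can be done with the Microsoft Graph PowerShell SDK via Update-MgUser -UserId <upn> -OnPremisesImmutableId <value>, with the same base64 objectGUID value.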