Syncing Windows Active Directory to Azure Active Directory generally works pretty well, but there are times when the sync generates a new Azure AD user instead of linking to an existing account in Azure.  This generally happens when you're onboarding a client environment to Azure where they already have a number of Microsoft 365 accounts in use, which now need to be directly linked to the on-premises Active Directory.

Typically I use the EmailAddress (Mail) attribute to cross-link the accounts.

Example:

Azure AD user:  Smiles J. McDuff

Azure AD email:  smiley@mydomain.com, sjmcduff@mydomain.onmicrosoft.com

In AD I then create the user –

AD User:   Smiles McDuff

SamAccountName:  sjmcduff

Set Email Address:  smiley@mydomain.com

When I do an Azure AD Connect sync, the new AD user should match the existing Azure AD user, and the Azure AD user's attributes are then overwritten with the values from Active Directory.

Sometimes that doesn't happen, for example when there is a typo in the email address, and instead of cross-linking the accounts between AD and AAD, a new user account is created in AAD.  Now things get tricky, because no matter how many times you delete the incorrect account in Azure AD, the next sync will just recreate it.

The solution is to capture the ObjectGUID attribute for the user in Active Directory and set that as the ImmutableID for the user in Azure.

Command:

Get-ADUser sjmcduff | select-object userPrincipalName, objectGuid

Result:

UserPrincipalName  :  sjmcduff@mywindowsdomain.com

objectGuid : b316d357-25fd-4912-9896-faf007a16289

Now convert that GUID to something we can use as an ImmutableID –

[Convert]::ToBase64String([guid]::New("b316d357-25fd-4912-9896-faf007a16289").ToByteArray())

Result:  

V9MWs/0lEkmYlvrwB6FiiQ==

This is our new ImmutableID value for the Azure AD user account.

connect-msolservice

Get-MsolUser -UserPrincipalName "sjmcduff@mydomain.onmicrosoft.com" | select-object userPrincipalName, ImmutableId

Result:

UserPrincipalName : sjmcduff@mydomain.onmicrosoft.com
ImmutableId :

Confirm the ImmutableID is blank. If it is not, record the existing value in your notes before changing it.

Command:

Set-MsolUser -UserPrincipalName "sjmcduff@mydomain.onmicrosoft.com" -ImmutableId "V9MWs/0lEkmYlvrwB6FiiQ=="

Command:

Get-MsolUser -UserPrincipalName "sjmcduff@mydomain.onmicrosoft.com" | fl userPrincipalName,ImmutableId

Confirm the ImmutableID now matches the value you set.

Now when you sync, the accounts should pair up properly.
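As an added example (not code from the original post), here is the conversion above wrapped in PowerShell functions, plus the reverse conversion for the case where the ImmutableId is already populated: decoding it shows which on-premises objectGuid the cloud account currently claims, so you can tell whether you are about to re-point it at a different object. The function names are my own, and the check assumes the same Get-ADUser and Get-MsolUser cmdlets used in the post.

```powershell
# Added example, not from the original post. Function names are assumptions.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # ImmutableId is the GUID's 16 bytes (as .NET orders them) base64-encoded
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) {
        # Anything other than 16 bytes was not produced from an objectGuid
        throw "ImmutableId '$ImmutableId' does not decode to a 16-byte GUID"
    }
    [guid]::new($bytes)
}

function Test-ImmutableIdMatch {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $adUser   = Get-ADUser -Identity $SamAccountName
    $expected = ConvertTo-ImmutableId -ObjectGuid $adUser.ObjectGUID
    $cloud    = Get-MsolUser -UserPrincipalName $UserPrincipalName

    if ([string]::IsNullOrEmpty($cloud.ImmutableId)) {
        Write-Host "ImmutableId is blank; safe to set it to $expected"
        return $true
    }
    # base64 is case-sensitive, so compare with -ceq rather than -eq
    if ($cloud.ImmutableId -ceq $expected) {
        Write-Host "ImmutableId already matches $SamAccountName"
        return $true
    }
    # Populated and different: decode it to see which AD object it points at
    $current = ConvertFrom-ImmutableId -ImmutableId $cloud.ImmutableId
    Write-Warning ("ImmutableId {0} decodes to {1}, not {2}; record it before changing" -f
        $cloud.ImmutableId, $current, $adUser.ObjectGUID)
    return $false
}

# Offline round trip using the objectGuid from the post (no directory access needed)
$guid = [guid]'b316d357-25fd-4912-9896-faf007a16289'
$id   = ConvertTo-ImmutableId -ObjectGuid $guid
(ConvertFrom-ImmutableId -ImmutableId $id) -eq $guid
```

The last three lines reproduce the conversion from the post and confirm it decodes back to the same GUID; run Test-ImmutableIdMatch against a connected session before running Set-MsolUser.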