One issue encountered recently involves an Office 365 tenant synchronized with the client's on-premises AD, where the same domain is used locally so that each user's UPN matches their email address. When a user departs, the account is disabled, the license is removed from Office 365, and the primary address SMTP:user@domain.com is transferred to a different user as a secondary proxy address (or 'alias'), smtp:user@domain.com.

I discovered, however, that instead of transferring the alias correctly, Azure AD gets stuck. While the departed user still exists and shows that no such address is still assigned to the account, DirSync throws an error that the new alias assigned to the new holder has been removed due to a conflict. But there is no conflict. I even moved the departed user account to an OU that does not synchronize with Azure AD, and despite the departed user account being completely wiped from Azure AD, it still found a conflict.

The issue appears to occur because Azure AD Connect, synchronizing between AD and Azure, cannot move the address from one account to another while also processing all the other changes to the new account. At some point it just gets stuck, and the only solution I found was to remove the now conflicting alias from the new holder, run a delta sync, then add it back again and sync once more. The conflict disappeared, the new holder has the alias, and all is right with the world.

To prevent the issue from happening in the first place, it's clear that you must make these changes between sync cycles.

  • Remove the address from the departed user
    • If the departed user has a UPN sign-in username that matches – change the UPN in AD to something else
    • Remove the address from the Active Directory – General Tab – Email address
  • Synchronize (Start-ADSyncSyncCycle -PolicyType delta)
  • Wait for Sync to complete (5 minutes is safe)
  • Add the alias (smtp:departeduser@domain.com) to the alternate account
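The procedure above, scripted as an added example that is not part of the original post: it strips every form of the address from the departed user, pushes a delta sync, waits for the cycle to finish, checks that no on-premises object still holds the address, and only then adds it to the new holder. It assumes the RSAT ActiveDirectory module and the ADSync module are both available on the host; the account names, domain and parked UPN are placeholders.

```powershell
# Added example, not the post's own code. Moves one alias between sync cycles.
# Assumptions: ActiveDirectory and ADSync modules present; names below are placeholders.
Import-Module ActiveDirectory
Import-Module ADSync

$departed  = 'departeduser'                       # placeholder sAMAccountName
$newHolder = 'alternateuser'                      # placeholder sAMAccountName
$address   = 'departeduser@domain.com'
$parkedUpn = "$departed.departed@domain.local"    # placeholder non-routable UPN

function Get-AliasHolders([string]$Addr) {
    # LDAP matching on proxyAddresses is case-insensitive, so this finds SMTP: and smtp: forms.
    Get-ADUser -LDAPFilter "(proxyAddresses=*:$Addr)" -Properties proxyAddresses
}

function Wait-ADSyncCycle([int]$TimeoutSeconds = 600) {
    # Poll the scheduler rather than sleeping a fixed 5 minutes; fail loudly on timeout.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    Start-Sleep -Seconds 30                        # give the cycle time to start
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) { throw "Sync cycle did not finish within $TimeoutSeconds s" }
        Start-Sleep -Seconds 15
    }
}

# Step 1: remove the address from the departed user (proxyAddresses, matching UPN, mail).
$old = Get-ADUser $departed -Properties proxyAddresses, mail, userPrincipalName
$pattern  = '^smtp:' + [regex]::Escape($address) + '$'
$toRemove = @($old.proxyAddresses | Where-Object { $_ -imatch $pattern })
if ($toRemove.Count -gt 0) { Set-ADUser $old -Remove @{ proxyAddresses = $toRemove } }
if ($old.userPrincipalName -ieq $address) { Set-ADUser $old -UserPrincipalName $parkedUpn }
if ($old.mail -ieq $address) { Set-ADUser $old -Clear mail }

# Step 2: synchronize the removal and wait for the cycle to complete.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
Wait-ADSyncCycle

# Step 3: confirm the address is free on-premises, then add it as a secondary alias and sync.
$holders = @(Get-AliasHolders $address)
if ($holders.Count -gt 0) { throw "Address still held by: $($holders.SamAccountName -join ', ')" }
Set-ADUser $newHolder -Add @{ proxyAddresses = "smtp:$address" }
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
```

Run it from the Azure AD Connect server with an account that can modify both user objects; if the departed user is still in an OU that syncs, the Step 3 check is what keeps you from recreating the conflict.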