Forum Discussion

Cloud_Geek_82
Nov 14, 2024

Need help with removing an alias synced from on-prem AD

Hi All, 

Pre-history.

An organization has a few facilities and their respective domain names.

There is a user (let's call him John Doe) who used to work in facility A and had an email address mailto:email address removed for privacy reasons.

Then he started to work in two facilities and got a new email address mailto:email address removed for privacy reasons.

At some point the organization decided to move from on-prem Exchange to Microsoft Exchange Online with users synced from on-prem AD.

Then the organization decided to move John Doe permanently from facility A to facility B and deactivate his mailto:email address removed for privacy reasons address. For that mailto:email address removed for privacy reasons was renamed to mailto:email address removed for privacy reasons and mailto:email address removed for privacy reasons was renamed to email address removed for privacy reasons.

I'm getting a directory sync error in Microsoft 365.

The user account that is disabled in on-prem AD and deactivated in Microsoft 365 has an alias that conflicts with a primary address of another account that is active in on-prem AD and active in Microsoft 365.

In my case an alias of the disabled\deactivated account is mailto:email address removed for privacy reasons and a primary address of the active account is mailto:email address removed for privacy reasons. Those are two different accounts (both synced from on-prem AD).

The problem is that the alias cannot be found in the AD attributes of the disabled AD account.

mail: mailto:email address removed for privacy reasons

proxyAddresses: SMTP:mailto:email address removed for privacy reasons

sAMAccountName: john.disabled

userPrincipalName: john.disabled@company.local

I checked the user's AD attributes in ADSI Edit but see the same.

Please advise where else I should check.

2 Replies

  • Try below:

     

    1. Check Exchange Online: Sometimes, attributes in Exchange Online might not match those in on-prem AD. Use the Exchange Online PowerShell to check the email addresses and aliases for both accounts. You can use the Get-Mailbox and Get-MailUser cmdlets to verify this.

    Get-Mailbox -Identity "john.disabled@company.local" | Select-Object EmailAddresses

    Get-Mailbox -Identity "john.active@company.local" | Select-Object EmailAddresses

    2. Azure AD Connect: Ensure that Azure AD Connect is not filtering out any attributes. Sometimes, custom sync rules can cause attributes to be excluded. Check the synchronization rules in the Azure AD Connect tool.

    3. Attribute Cleanup: Even if the alias isn’t visible in ADSI Edit, it might still be lingering in the metaverse or connector space in Azure AD Connect. Use the Synchronization Service Manager to inspect and clean up any lingering attributes.

    4. Soft Deletion: If the account was soft-deleted and then re-created, it might still have remnants in the Azure AD recycle bin. Use the Get-MsolUser cmdlet to check for any soft-deleted users.

    Get-MsolUser -UserPrincipalName "john.disabled@company.local" -ReturnDeletedUsers

    5. Manual Attribute Update: If all else fails, you might need to manually update the attributes in Azure AD. This can be done using the Azure AD PowerShell module.

    Set-AzureADUser -ObjectId "user-object-id" -OtherMails @("new.alias@company.local")

     

    • Cloud_Geek_82

      Hi Kidd_Ip 

      Thanks for your reply. 

      I think this all started to happen because at some point in the past the AD account was renamed and I noticed that the whole domain was removed from Microsoft 365.

      I would delete that AD object with pleasure but I know it will be reflected in Microsoft 365 and that account will be deleted there as well.

      I'm considering exporting the emails and deleting the disabled AD accounts, which should delete the Microsoft 365 accounts. Then I will create a cloud-sourced account and import back the exported emails.
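
The check discussed in this thread, as an added example that is not from either poster: it searches on-prem AD for every object holding the conflicting address in an attribute that can carry an email address, then lists addresses present on the cloud recipient but absent from the on-prem proxyAddresses. Assumptions: the ActiveDirectory (RSAT) module, an Exchange-extended schema (for targetAddress), an existing Connect-ExchangeOnline session, and placeholder parameter values.

```powershell
# Added example; parameter defaults are placeholders, adjust before running.
param(
    [string]$Sam           = 'john.disabled',                # sAMAccountName from the post
    [string]$CloudIdentity = 'john.disabled@company.local',  # identity used in the reply
    [string]$Address       = 'conflicting.alias@example.com' # constructed placeholder
)

Import-Module ActiveDirectory

# 1. Which on-prem objects hold the address, and in which attribute?
#    LDAP matching on these attributes is case-insensitive, so smtp: also matches SMTP:.
$attrs  = 'proxyAddresses', 'mail', 'userPrincipalName', 'targetAddress'
$filter = "(|(proxyAddresses=smtp:$Address)(mail=$Address)" +
          "(userPrincipalName=$Address)(targetAddress=smtp:$Address))"

$onPremHits = Get-ADObject -LDAPFilter $filter -Properties $attrs | ForEach-Object {
    $obj = $_
    foreach ($a in $attrs) {
        foreach ($v in @($obj.$a)) {
            # Skip unset attributes; report only the values that end in the address.
            if ($v -and $v -like "*$Address") {
                [pscustomobject]@{
                    DN        = $obj.DistinguishedName
                    Attribute = $a
                    Value     = $v
                }
            }
        }
    }
}
$onPremHits | Format-Table -AutoSize

# 2. Addresses on the cloud recipient that do not exist in on-prem proxyAddresses.
$onPrem = @((Get-ADUser -Identity $Sam -Properties proxyAddresses).proxyAddresses)
$cloud  = @((Get-Recipient -Identity $CloudIdentity -ErrorAction Stop).EmailAddresses)

# -notcontains compares case-insensitively, so SMTP:/smtp: prefixes are treated alike.
$cloudOnly = $cloud | Where-Object { $onPrem -notcontains $_ }
$cloudOnly
```

An empty result from step 1 together with the alias appearing in `$cloudOnly` confirms the symptom described in the question: the address exists on the cloud object but in none of the searched on-prem attributes.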
