Forum Discussion

Shaun Delorez
Copper Contributor
Jul 25, 2018

Duplicate Accounts in O365 from Azure AD Sync

We have a unique situation where we synchronized our existing AD domain of 'company.eu' to our O365 tenant 'company.com'. 

In O365, 'company.com' includes everyone in the US and Europe...all Company employees, while the AD domain only has EU employees.

We bought the 'company.eu' domain, and I added it to O365 as a secondary domain. Some users got the secondary email "user@company.eu", and some have not.
Since synchronizing AD, some users have 2 accounts in O365 (user@company.com, in cloud AND user@company.eu, synced from AD). When I try to modify any aliases in O365, I'm shown it's controlled by AD sync.
Is there a way to merge the duplicate accounts in O365? We have to keep the primary email as 'company.com', but also have their AD accounts synced with O365 for SSO.
Ideas?

  • Hi Shaun,

    First you need to move those duplicate company.eu users to an OU that is not synced (on-premises). Then run the sync manually, which deletes those users from the cloud. Then you need to remove the users from the "recycle bin" using PowerShell:

    Get-MsolUser -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin

    For the second step, you have two options. You can either change on-premises UPNs from company.eu to company.com, or you can hard-link the users manually.

    For the latter option, you need to add the GUID of the on-premises company.eu user as the ImmutableId of the company.com user in the cloud. Here is the one-liner that does the trick for one user.

    Set-MsolUser -UserPrincipalName user1@company.com -ImmutableId ([System.Convert]::ToBase64String((Get-ADUser -Filter "UserPrincipalName -eq 'user1@company.eu'").ObjectGUID.ToByteArray()))

    After fixing the on-premises UPN or manually hard-linking the users, move them back to the OU that is synced and run the sync manually again. After the sync, on-premises company.eu users should be linked to existing company.com users.

    To add aliases to synced company.eu users, you need to edit their proxyAddresses attribute in on-premises AD. The following example sets company.com as the primary email address and company.eu as an alias.

    SMTP:user1@company.com
    smtp:user1@company.eu
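    The hard-link one-liner in the answer above does no checking before it writes the ImmutableId, and a wrong link (or a second object already carrying the same ImmutableId) is exactly what produces duplicates or a sync error on the next cycle. The script below is an added example, not Nestori's code or anything from Microsoft: it derives the ImmutableId the same way, but only applies it after confirming the cloud account is still unlinked, that no other cloud or soft-deleted object holds that ImmutableId, and that the on-premises object exists. It assumes the ActiveDirectory and MSOnline modules are loaded and Connect-MsolService has already run; the UPNs are placeholders, and the -Apply switch and the messages are my own.

    ```powershell
    # Added example: guarded hard-link of one on-premises user to one cloud user.
    # Assumes ActiveDirectory + MSOnline modules and an existing Connect-MsolService session.
    param(
        [Parameter(Mandatory)][string]$OnPremUpn,   # e.g. user1@company.eu (placeholder)
        [Parameter(Mandatory)][string]$CloudUpn,    # e.g. user1@company.com (placeholder)
        [switch]$Apply                              # without -Apply the script only reports
    )

    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$OnPremUpn'" -Properties ObjectGUID
    if (-not $adUser) { throw "No on-premises user with UPN $OnPremUpn" }

    # ImmutableId = base64 of the objectGUID byte array, same derivation as the one-liner in the thread.
    $immutableId = [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

    $cloudUser = Get-MsolUser -UserPrincipalName $CloudUpn -ErrorAction Stop

    # Guard 1: never overwrite a link that already points at a different on-premises object.
    if ($cloudUser.ImmutableId -and $cloudUser.ImmutableId -ne $immutableId) {
        throw "$CloudUpn is already linked to ImmutableId $($cloudUser.ImmutableId); refusing to relink."
    }

    # Guard 2: no other active cloud object may carry this ImmutableId (that is the duplicate case).
    $clash = Get-MsolUser -All |
        Where-Object { $_.ImmutableId -eq $immutableId -and $_.UserPrincipalName -ne $CloudUpn }
    if ($clash) { throw "ImmutableId $immutableId is already used by $($clash.UserPrincipalName)" }

    # Guard 3: a soft-deleted object with this ImmutableId would be matched again by the next sync,
    # which is why the answer above purges the recycle bin first.
    $deleted = Get-MsolUser -ReturnDeletedUsers | Where-Object { $_.ImmutableId -eq $immutableId }
    if ($deleted) { throw "Soft-deleted user $($deleted.UserPrincipalName) still holds this ImmutableId; purge it first." }

    "Would link $OnPremUpn (objectGUID $($adUser.ObjectGUID)) -> $CloudUpn with ImmutableId $immutableId"
    if ($Apply) {
        Set-MsolUser -UserPrincipalName $CloudUpn -ImmutableId $immutableId
        "Linked. Move the user back to a synced OU, then run Start-ADSyncSyncCycle -PolicyType Delta."
    }
    ```

    Run it once without -Apply for each pair and read the output; the three guards are the checks you want to see pass before the delta sync, because after the sync the ImmutableId is owned by the connector and can no longer be edited in the cloud.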

    • Shaun Delorez
      Copper Contributor

      Thanks, Nestori.

       

      I did find how to manipulate the attributes via ADUC. I'm leery of deleting the accounts in O365. 
      All of my on-premise accounts are @company.eu. Some of the O365 users already have this as an alias/alternate SMTP.
      If I "unsync"/remove all of the .EU users, what happens to their existing .com accounts? Not all .EU users are duplicates.
      In the end, it should be a single synchronized user with both .com and .eu seen in O365.
      For now, I'm setting SMTP and smtp for all users via ADUC.
      Do you think this will correct the primary accounts to where I could later remove the duplicates (assuming they would be EU only)?

       

      • Nestori Syynimaa
        MVP

        If you "unsync" a user, their mailboxes will be soft-deleted for 30 days. If you resync the user, the mailbox will be returned. So, if some company.eu users are already linked to company.com cloud users, their mailboxes will be soft-deleted.

        However, you only need to delete the duplicate accounts. Do those duplicate company.eu accounts already have mail in their mailboxes? If not, you can safely delete them. However, if they have mails, they need to be migrated. You can utilize "inactive mailboxes" for that; see my blog post here.

        If you add aliases to all your on-premises users now, there will be sync errors due to existing duplicates. So you should not try to set aliases to those duplicate company.eu users before removing them from the cloud.
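The warning above is about proxyAddresses collisions: an address that is already assigned to another object, or an object with two "SMTP:" primaries, is rejected by the sync. The function below is an added example (not from the thread or from Microsoft) that reports those two problems over a list of user objects before anything is written; the function name and the sample users are constructed for illustration, and the commented line at the end shows how to feed it real Get-ADUser output.

```powershell
# Added example: report proxyAddresses conflicts before adding aliases on-premises.
function Test-ProxyAddressConflicts {
    param([Parameter(Mandatory)][object[]]$Users)   # objects exposing UserPrincipalName and proxyAddresses

    $seen = @{}   # lower-cased address -> first UPN that carries it
    foreach ($u in $Users) {
        $addresses = @($u.proxyAddresses)

        # Rule 1: exactly one primary address, written with the upper-case "SMTP:" prefix (-clike is case-sensitive).
        $primary = @($addresses | Where-Object { $_ -clike 'SMTP:*' })
        if ($primary.Count -ne 1) {
            [pscustomobject]@{ UserPrincipalName = $u.UserPrincipalName; Problem = "has $($primary.Count) primary SMTP addresses" }
        }

        # Rule 2: no address may appear on two different objects (-replace is case-insensitive, so both prefixes match).
        foreach ($a in $addresses) {
            $key = ($a -replace '^smtp:', '').ToLowerInvariant()
            if ($seen.ContainsKey($key) -and $seen[$key] -ne $u.UserPrincipalName) {
                [pscustomobject]@{ UserPrincipalName = $u.UserPrincipalName; Problem = "$key is already assigned to $($seen[$key])" }
            } elseif (-not $seen.ContainsKey($key)) {
                $seen[$key] = $u.UserPrincipalName
            }
        }
    }
}

# Constructed sample: user1 is clean, user2 has two primaries, user3 reuses user1's alias.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'user1@company.eu'; proxyAddresses = @('SMTP:user1@company.com', 'smtp:user1@company.eu') }
    [pscustomobject]@{ UserPrincipalName = 'user2@company.eu'; proxyAddresses = @('SMTP:user2@company.com', 'SMTP:user2@company.eu') }
    [pscustomobject]@{ UserPrincipalName = 'user3@company.eu'; proxyAddresses = @('SMTP:user3@company.com', 'smtp:user1@company.eu') }
)
Test-ProxyAddressConflicts -Users $sample | Format-Table -AutoSize

# Against the real directory (ActiveDirectory module required):
# Test-ProxyAddressConflicts -Users (Get-ADUser -Filter * -Properties proxyAddresses)
```

To catch the cloud-side case Nestori describes (an alias that already exists on a cloud-only company.com account), append the cloud-only users to the input, for example `Get-MsolUser -All | Where-Object { -not $_.LastDirSyncTime }`, whose ProxyAddresses property is read by the same code; leave already-synced cloud objects out, since they legitimately repeat their on-premises addresses.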
