Forum Discussion
Myles Gallagher
Jul 31, 2018 - Copper Contributor
Azure AD Connect - Dealing with incorrectly created users post-sync
We have a single domain in windows AD, not the same as our verified domain in Azure AD (through 365). If a user was not set up to use the "verified" suffix in their user principal name, Azure AD Con...
- Jul 31, 2018
You don't need to disable the sync, simply delete the "duplicate" account. As for avoiding such issues in the future, add the "verified" suffix as additional UPN suffix on-premises and update any such accounts.
When creating the accounts, Azure AD looks at the UPN value and if it's populated, it will use it to create the corresponding account in O365. If the UPN doesn't match a verified domain, it will be replaced with the default @tenant.onmicrosoft.com value. If the UPN is empty, the SamAccountName attribute will be used instead, with the default domain. Similar rules apply to SMTP addresses: https://support.microsoft.com/en-us/help/3190357/how-the-proxyaddresses-attribute-is-populated-in-azure-ad
You can also use the so-called soft-matching mechanism to make sure the on-premises object "links" correctly to an already created cloud one: http://support.microsoft.com/kb/2641663
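The UPN rules described in the reply above, as an added PowerShell pre-flight check that is not part of the thread or of any Microsoft tooling: it predicts the UPN Azure AD would assign to each on-premises user and flags the ones that would land on the tenant default suffix. The verified-domain list, the tenant name and the user objects are constructed sample data; in practice the users would come from Get-ADUser.

```powershell
# Added example (not from the thread): predict the cloud UPN Azure AD Connect
# sync would produce for each user, so mis-suffixed accounts are caught before
# they become duplicates. Sample data below is constructed; in production feed
# objects from: Get-ADUser -Filter * -Properties UserPrincipalName
$VerifiedDomains = @('company.com.ni')        # sample: domains verified in the tenant
$DefaultDomain   = 'company.onmicrosoft.com'  # sample: tenant's initial domain

function Get-PredictedCloudUpn {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$UserPrincipalName,
        [string[]]$Verified = $VerifiedDomains,
        [string]$Default = $DefaultDomain
    )
    # Empty UPN: Azure AD falls back to SamAccountName @ default domain.
    if ([string]::IsNullOrWhiteSpace($UserPrincipalName)) {
        return [pscustomobject]@{ Reason = 'UPN empty'; CloudUpn = "$SamAccountName@$Default" }
    }
    $prefix, $suffix = $UserPrincipalName.Split('@', 2)
    # Suffix is a verified domain: the UPN is kept as-is.
    if ($Verified -contains $suffix) {
        return [pscustomobject]@{ Reason = 'OK'; CloudUpn = $UserPrincipalName }
    }
    # Unverified suffix (e.g. .local): Azure AD swaps in the default domain,
    # which is exactly how the duplicate accounts in this thread arise.
    return [pscustomobject]@{ Reason = "suffix '$suffix' not verified"; CloudUpn = "$prefix@$Default" }
}

# Constructed sample users standing in for Get-ADUser output.
$Users = @(
    [pscustomobject]@{ SamAccountName = 'user1'; UserPrincipalName = 'user1@company.local' },
    [pscustomobject]@{ SamAccountName = 'user2'; UserPrincipalName = 'user2@company.com.ni' },
    [pscustomobject]@{ SamAccountName = 'user3'; UserPrincipalName = '' }
)

# Report only the users that would NOT get the UPN the admin expects.
$Users | ForEach-Object {
    $p = Get-PredictedCloudUpn -SamAccountName $_.SamAccountName -UserPrincipalName $_.UserPrincipalName
    [pscustomobject]@{ Sam = $_.SamAccountName; OnPrem = $_.UserPrincipalName; Cloud = $p.CloudUpn; Reason = $p.Reason }
} | Where-Object { $_.Reason -ne 'OK' } | Format-Table -AutoSize
```

Run it before the first sync (or after adding a new UPN suffix) and fix every flagged account on-premises, which is cheaper than cleaning up duplicates and recycle-bin entries afterwards.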
Marconi Poveda
Jun 19, 2020 - Copper Contributor
VasilMichev Hey I come from the future and admins are still making the same mistakes.
I can't delete the Office 365 user because the user has an EXO mailbox.
Now I have two duplicated users in AAD:
- user1@company.com.ni (Office 365 account)
- user1@company.local (AD account) synced by mistake to user1@company.onmicrosoft.com.
Is there any way I can change the sync target (user1@company.local --> user1@company.com.ni )? I tried to change the ImmutableId but failed.
Thanks in advance.
Thysmith
Dec 21, 2020 - Copper Contributor
I see this is old and somewhat unanswered. I am sure you have likely found the solution by now, but for those that have this question.
---
When you end up with duplicate user accounts while attempting to soft-match (i.e. forgetting to update the UPN, or a slight variation in the logon name), even after simply deleting the duplicated account, you will still be unable to get the correct existing account in the AAD to soft-match until you remove the duplicate from the deleted users section of the Office 365 portal.
To do this, use the following PowerShell cmdlet to remove the account from the recycle bin:
Remove-MsolUser -UserPrincipalName <Incorrectaccountname@domain.com> -RemoveFromRecycleBin
You can then perform a new AAD Export and your accounts will be soft-matched correctly.
More Guidance regarding removing deleted users:
https://practical365.com/exchange-server/permanently-remove-deleted-users-office-365/
Hope this helps.