Myles Gallagher, Jul 31, 2018, Brass Contributor
Azure AD Connect - Dealing with incorrectly created users post-sync
We have a single domain in Windows AD, not the same as our verified domain in Azure AD (through 365). If a user was not set up to use the "verified" suffix in their user principal name, Azure AD Con...
- Jul 31, 2018
You don't need to disable the sync, simply delete the "duplicate" account. As for avoiding such issues in the future, add the "verified" suffix as additional UPN suffix on-premises and update any such accounts.
When creating the accounts, Azure AD looks at the UPN value and if it's populated, it will use it to create the corresponding account in O365. If the UPN doesn't match a verified domain, it will be replaced with the default @tenant.onmicrosoft.com value. If the UPN is empty, the SamAccountName attribute will be used instead, with the default domain. Similar rules apply to SMTP addresses: https://support.microsoft.com/en-us/help/3190357/how-the-proxyaddresses-attribute-is-populated-in-azure-ad
You can also use the so-called soft-matching mechanism to make sure the on-premises object "links" correctly to an already created cloud one: http://support.microsoft.com/kb/2641663
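The on-premises half of that advice (register the verified domain as an additional UPN suffix, then move users off the local suffix) can be scripted before the next sync cycle. The following is an added example, not code from this thread or from Microsoft; it assumes the ActiveDirectory module is installed, that the local domain is `corp.local` and that the domain verified in Azure AD is `contoso.com`, all placeholder names. It previews the change and runs the update with `-WhatIf` so nothing is modified until the preview has been checked.

```powershell
# Added example (not from the thread): register the verified domain as a UPN
# suffix on the on-premises forest and rewrite UPNs that still use the local suffix.
# Assumptions: ActiveDirectory module available; 'corp.local' is the on-premises
# domain and 'contoso.com' is the domain verified in Azure AD (placeholders).
Import-Module ActiveDirectory

$LocalSuffix    = 'corp.local'    # assumed on-premises UPN suffix
$VerifiedSuffix = 'contoso.com'   # assumed Azure AD verified domain

# 1. Make the verified domain selectable as a UPN suffix for the whole forest
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $VerifiedSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $VerifiedSuffix }
}

# 2. Find enabled users whose UPN still ends in the local suffix; pull 'mail'
#    too, because soft matching in the cloud keys on the primary SMTP address
$users = Get-ADUser -Filter "UserPrincipalName -like '*@$LocalSuffix' -and Enabled -eq 'True'" `
                    -Properties UserPrincipalName, mail

# 3. Preview old UPN, intended new UPN and the mail attribute before changing anything
$users | Select-Object SamAccountName,
    @{ n = 'OldUPN'; e = { $_.UserPrincipalName } },
    @{ n = 'NewUPN'; e = { ($_.UserPrincipalName -split '@')[0] + "@$VerifiedSuffix" } },
    @{ n = 'MailMatchesVerified'; e = { $_.mail -like "*@$VerifiedSuffix" } } |
    Format-Table -AutoSize

# 4. Apply the rename; -WhatIf only reports what would happen. Remove it once the
#    preview above is correct and a sync cycle can be allowed to pick the change up.
foreach ($u in $users) {
    $newUpn = ($u.UserPrincipalName -split '@')[0] + "@$VerifiedSuffix"
    Set-ADUser -Identity $u -UserPrincipalName $newUpn -WhatIf
}
```

The `MailMatchesVerified` column is there because the soft-matching KB the reply links to matches on the primary SMTP address: a user whose `mail` attribute still points at the local domain will get a correct UPN but may still fail to link to the existing cloud object.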
Myles Gallagher, Jul 31, 2018, Brass Contributor
So after I fixed the local account to have the correct UPN suffix, it would have auto-deleted the duplicate account it created, and synced to the correct one? I guess I should have given it more time. Thanks for the comprehensive response.
VasilMichev, Jul 31, 2018, MVP
No, it will not auto-delete it, as the on-premises account and the "duplicate" cloud one are now "linked". But you can delete it directly from O365 without having to disable DirSync (use Remove-MsolUser/Remove-AzureADUser).
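Removing the duplicate directly in the tenant, as this reply suggests, looks like the following. This is an added example, not code from the thread; it assumes the MSOnline module, a placeholder duplicate `jsmith@contoso.onmicrosoft.com` that sync created, and a pre-existing cloud account `jsmith@contoso.com` that the on-premises user should end up linked to. The object is inspected first so the wrong account is not deleted, then removed and purged from the recycle bin so its UPN and proxy addresses are released before the next sync.

```powershell
# Added example (not from the thread): delete a duplicate cloud account in O365
# without disabling directory sync. Assumptions: MSOnline module installed;
# UPNs below are placeholders.
Import-Module MSOnline
Connect-MsolService

$Duplicate = 'jsmith@contoso.onmicrosoft.com'   # assumed account created by sync
$Correct   = 'jsmith@contoso.com'               # assumed pre-existing cloud account

# 1. Look at both objects. A synced user carries an ImmutableId and a
#    LastDirSyncTime; the cloud-only one has neither.
foreach ($upn in $Duplicate, $Correct) {
    Get-MsolUser -UserPrincipalName $upn |
        Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime, IsLicensed
}

# 2. Guard against deleting the wrong object: the duplicate must be the
#    tenant-default address and the intended account must still exist.
if ($Duplicate -notlike '*.onmicrosoft.com') {
    throw "$Duplicate does not look like a tenant-default duplicate; check before deleting"
}
if (-not (Get-MsolUser -UserPrincipalName $Correct -ErrorAction SilentlyContinue)) {
    throw "$Correct not found; nothing for the on-premises object to link to"
}

# 3. Soft-delete, then purge from the recycle bin (30-day retention otherwise)
Remove-MsolUser -UserPrincipalName $Duplicate -Force
Remove-MsolUser -UserPrincipalName $Duplicate -RemoveFromRecycleBin -Force

# 4. Confirm nothing with that name remains in deleted users
Get-MsolUser -ReturnDeletedUsers -SearchString 'jsmith'

# Equivalent with the AzureAD module:
#   Remove-AzureADUser -ObjectId (Get-AzureADUser -ObjectId $Duplicate).ObjectId
```

Purging from the recycle bin matters for the same reason the later reply in this thread describes: a soft-deleted user still holds its UPN and SMTP addresses, so the next sync cycle cannot soft-match the on-premises object to the intended account until the deleted copy is gone.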
Brian Crowther, Nov 13, 2018, Copper Contributor
Now under the Azure Active Directory web portal, under Users, Deleted users, select the users and Delete Permanently. Then drag the users back into the OU, initial sync from local AD, and the users will be synced.
I had an Azure global admin account that created a duplicate account name1234@domain.nam and I could not get rid of it. Taking the user out of the OU, sync (this will add the name1234 user to the deleted users in Azure), then taking global admin off the user in Azure, then sync, then delete like I listed above, then move the user back to the OU, then sync.
Thanks to this conversation I was able to find my way.
Myles Gallagher, Jul 31, 2018, Brass Contributor
Ok, I injected a word while reading your first reply, misread that it would do it for me. PowerShell can do it then, which is fine - much better than disabling the sync. Thank you again.