Forum Discussion

Myles Gallagher's avatar
Myles Gallagher
Brass Contributor
Jul 31, 2018
Solved

Azure AD Connect - Dealing with incorrectly created users post-sync

We have a single domain in windows AD, not the same as our verified domain in Azure AD (through 365).  If a user was not set up to use the "verified" suffix in their user principal name, Azure AD Con...
Azure Active Directory (AAD)
  • VasilMichev's avatar
    VasilMichev
    Jul 31, 2018

    You don't need to disable the sync, simply delete the "duplicate" account. As for avoiding such issues in the future, add the "verified" suffix as additional UPN suffix on-premises and update any such accounts.

     

    When creating the accounts, Azure AD looks at the UPN value and if its populated, it will use it to create the corresponding account in O365. If the UPN doesn't match a verified domain, it will be replaced with the default @tenant.onmicrosoft.com value. If the UPN is empty, the SamAccountName attribute will be used instead, with the default domain. Similar rules apply to SMTP addresses: https://support.microsoft.com/en-us/help/3190357/how-the-proxyaddresses-attribute-is-populated-in-azure-ad

     

    You can also use the so-called soft-matching mechanism to make sure the on-premises object "links" correctly to an already created cloud one: http://support.microsoft.com/kb/2641663

Scorpio69's avatar
Scorpio69
Copper Contributor
May 04, 2019

Depending on the exact request and setup if you verify the domain in Azure AD after that once the users are synced with the "wrong" domain and not using the proper UPN you can also do something which is called soft and hard match you can read more here:

 

"

Soft (SMTP) vs. Hard (immutableID) matching with Azure AD Connect

 

If you are setting up Directory Synchronization from scratch (there are no users in the cloud yet), then Azure AD Connect will be pretty straightforward–the on-premises objects (and passwords if you choose that option) will be synchronized to the cloud, and you can assign services to the user accounts from there.

But what if you already have user accounts in the cloud which correspond to already existing user objects in the on-premises directory, and Directory Synchronization has not yet been configured between them? For example, if your organization previously migrated mailboxes to Office 365 using the cutover method or a third party tool. Or, if you had users provisioned for another Microsoft Online Service such as CRM, before you attempted mailbox migration.

In cases like these, you may need to create a matching mechanism between the on-premises accounts and the cloud-based ones, so that Azure AD Connect knows that they refer to the same user.  There are two basic methods to create this “matching”:

  1. Soft match (also known as https://support.microsoft.com/en-us/help/2641663/how-to-use-smtp-matching-to-match-on-premises-user-accounts-to-office-365-user-accounts-for-directory-synchronization)
  2. Hard match (by https://blogs.technet.microsoft.com/praveenkumar/2014/04/11/how-to-do-hard-match-in-dirsync/).

Soft Matching using the SMTP address

To create soft matches, which will be adequate in 95% of situations, you will need to ensure first of all that your UPN suffixes match between on-premises and cloud-based accounts. What do we mean by this?  It means that your users’ sign-in needs to be tied to the domain of your primary email address in both the

First, when you open the properties of a user account object, this object should have the email address field filled out (the primary SMTP address for the user)–so be sure that is the case first.  Now take a look under the Account tab, and you should see the user logon name followed by a suffix.

The goal is to have this logon name be username@domain.com–that is, the email address–and not the local domain name username@domain.local. Note that you can also bulk-select accounts and make this suffix change on many objects at once."

Resources