Forum Discussion
Self-service users and AAD Connect
You need to do hard match for the accounts (had issues) syncing from AD to O365.
Hope this helps!
Moe
Follow the steps below:
1. Run the cmdlet below in PowerShell on a DC (change the path):
ldifde -f C:\Users\USERNAME\Desktop\export.txt -r "(Userprincipalname=*)" -l "objectGuid, userPrincipalName"
2. Get the objectGUID, then connect to the AD Connect server.
Run PowerShell as Admin:
Connect-MsolService
Run the cmdlet below:
Set-MsolUser -UserPrincipalName username@example.com -ImmutableId "IMMUTABLEID_RETRIEVED_FROM_STEP1"
3. Move the user to the syncing OU.
4. Force an initial sync again.
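As an added example (not code from the post above), the same hard match done end to end in PowerShell rather than by copying values out of an ldifde export. It computes the ImmutableId the way the sync engine does (Base64 of the 16 objectGUID bytes, which is exactly what ldifde prints after "objectGUID::"), verifies the value round-trips, and checks for the two conditions that make Set-MsolUser fail before it calls it. The account names 'jdoe' and 'jdoe@example.com' are hypothetical; it assumes the ActiveDirectory and MSOnline modules are installed on the machine it runs on.

```powershell
# Added example, not from the thread: hard-match an on-prem AD user to a cloud-only
# Azure AD user with the MSOnline module. Hypothetical names: AD sAMAccountName 'jdoe',
# cloud UPN 'jdoe@example.com'. Requires the ActiveDirectory and MSOnline modules.
Import-Module ActiveDirectory
Import-Module MSOnline

function Get-ImmutableIdFromAdUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # The SourceAnchor / ImmutableId is the Base64 of the raw objectGUID bytes,
    # not the GUID string. This matches the "objectGUID::" value ldifde exports.
    $user = Get-ADUser -Identity $SamAccountName
    [Convert]::ToBase64String($user.ObjectGUID.ToByteArray())
}

function Set-HardMatch {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$CloudUpn
    )
    $immutableId = Get-ImmutableIdFromAdUser -SamAccountName $SamAccountName

    # Sanity check: decode the Base64 back to a GUID and compare with AD.
    $decoded = [guid]::new([Convert]::FromBase64String($immutableId))
    $adGuid  = (Get-ADUser -Identity $SamAccountName).ObjectGUID
    if ($decoded -ne $adGuid) { throw "ImmutableId does not round-trip to objectGUID" }

    # Pre-check for 'Uniqueness violation. Property: SourceAnchor': another cloud
    # object (typically the previously synced copy of this user) already owns it.
    $holder = Get-MsolUser -All | Where-Object { $_.ImmutableId -eq $immutableId }
    if ($holder -and $holder.UserPrincipalName -ne $CloudUpn) {
        throw "ImmutableId $immutableId is already held by $($holder.UserPrincipalName); remove that object first"
    }

    # The target must still be cloud-only (no anchor) for this to be a hard match.
    $target = Get-MsolUser -UserPrincipalName $CloudUpn
    if ($target.ImmutableId) {
        throw "$CloudUpn already has ImmutableId $($target.ImmutableId); it is not cloud-only"
    }

    Set-MsolUser -UserPrincipalName $CloudUpn -ImmutableId $immutableId
    Get-MsolUser -UserPrincipalName $CloudUpn | Select-Object UserPrincipalName, ImmutableId
}

Connect-MsolService
Set-HardMatch -SamAccountName 'jdoe' -CloudUpn 'jdoe@example.com'

# Afterwards, move the AD object into a synced OU and, on the Azure AD Connect server:
#   Start-ADSyncSyncCycle -PolicyType Initial
```

The MSOnline cmdlets are what this thread uses; Microsoft has since deprecated the module, and the equivalent Graph call is Update-MgUser with -OnPremisesImmutableId on the same Base64 value.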
Moe_Kinani Thanks for your reply.
I tried your proposed solution, with the following results:
1. On my colleague's account, the one who registered himself to get access to Teams and has two sources of authority ("Windows Server AD" and "Azure Active Directory (self-service)"), I could run the commands with no problem. However, after forcing the initial sync, the account still has the same two sources of authority.
2. With my personal, named account, which currently shows up twice in AAD (alvaro@company.com linked to Azure AD, and alvaro1234@company.onmicrosoft.com linked to on-premises AD), when I ran the command I got the following error:
PS C:\Users\Administrator> Set-MsolUser -UserPrincipalName alvaro@company.com -ImmutableId "BuoO8NjJF0aSXA2p5e8j1A=="
Set-MsolUser : Uniqueness violation. Property: SourceAnchor.
At line:1 char:1
+ Set-MsolUser -UserPrincipalName alvaro@company.com -ImmutableId ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Set-MsolUser], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.UniquenessValidationException,Microsoft.Online.Administration.Automation.SetUser
I suppose this error is because, in AAD, the account alvaro@company.onmicrosoft.com is already linked to that ImmutableId. How can I handle it?
- Johnny_Hauan, Sep 24, 2020, Copper Contributor
Did you ever manage to fix this? Because I have this same issue with one account and it's stopping that user from MDM enrollment. I'm not sure what Moe_Kinani meant by making sure he gets removed from O365 users. If you remove the user from the synced OU I expect the Windows Server AD authority to disappear, not O365 (Azure AD Self-Service).
- Moe_Kinani, May 09, 2020, Bronze Contributor
Hi,
1. You need to remove the synced account by placing it in a non-syncing OU and forcing an initial sync. Make sure it disappears from O365 users.
2. Match the account you are trying to sync with the AAD cloud account by following the steps below:
A. In AD, find the account and make sure the DNS suffix reflects xyz.com.
B. In Attribute Editor, go to the mail attribute and match it with the AAD email address. Do the same with the UserPrincipalName attribute and the ProxyAddresses attribute (SMTP:email@xyz.com): capital 'SMTP' for the primary email address and lowercase 'smtp' for other aliases.
3. Repeat the steps for the hard match again.
Hope this helps!
Moe
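As an added example (not code from the thread), the first two steps of the reply above in PowerShell: find which cloud object still owns the SourceAnchor that caused the "Uniqueness violation" earlier in the thread, including a soft-deleted copy still sitting in the recycle bin, purge it, and then align the AD user's UPN, mail and proxyAddresses with the cloud-only account. The names 'alvaro' and 'alvaro@company.com' are taken from the thread but the script treats them as placeholders; the ActiveDirectory and MSOnline modules are assumed.

```powershell
# Added example, not from the thread: free a SourceAnchor held by a duplicate and
# align AD attributes with the cloud-only account before repeating the hard match.
# Placeholder names: AD sAMAccountName 'alvaro', cloud-only UPN 'alvaro@company.com'.
Import-Module ActiveDirectory
Import-Module MSOnline

function Find-AnchorHolders {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Same anchor the sync engine computes: Base64 of the objectGUID bytes.
    $anchor = [Convert]::ToBase64String((Get-ADUser -Identity $SamAccountName).ObjectGUID.ToByteArray())
    # A synced user moved out of scope is only soft-deleted and keeps its anchor
    # for 30 days, so look in the recycle bin as well as at live objects.
    $live    = @(Get-MsolUser -All | Where-Object { $_.ImmutableId -eq $anchor })
    $deleted = @(Get-MsolUser -All -ReturnDeletedUsers | Where-Object { $_.ImmutableId -eq $anchor })
    [pscustomobject]@{ Anchor = $anchor; Live = $live; Deleted = $deleted }
}

function Sync-AdAttributesToCloud {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$CloudUpn
    )
    $cloud = Get-MsolUser -UserPrincipalName $CloudUpn
    # The primary address is the single 'SMTP:' entry (capitals); 'smtp:' entries are aliases.
    $primary = ($cloud.ProxyAddresses | Where-Object { $_ -cmatch '^SMTP:' } | Select-Object -First 1) -creplace '^SMTP:', ''
    if (-not $primary) { $primary = $CloudUpn }
    $aliases = @($cloud.ProxyAddresses | Where-Object { $_ -cmatch '^smtp:' })

    # UPN suffix must be a domain verified in the tenant; otherwise the synced
    # object arrives as user@tenant.onmicrosoft.com and never matches.
    Set-ADUser -Identity $SamAccountName -UserPrincipalName $CloudUpn -EmailAddress $primary
    Set-ADUser -Identity $SamAccountName -Replace @{ proxyAddresses = [string[]](@("SMTP:$primary") + $aliases) }
    Get-ADUser -Identity $SamAccountName -Properties mail, proxyAddresses |
        Select-Object UserPrincipalName, mail, proxyAddresses
}

Connect-MsolService
$sam      = 'alvaro'
$cloudUpn = 'alvaro@company.com'

# Step 1 of the reply: make sure the synced copy is gone, not just soft-deleted.
$state = Find-AnchorHolders -SamAccountName $sam
$blocked = $false
foreach ($u in $state.Live) {
    if ($u.UserPrincipalName -ne $cloudUpn) {
        Write-Warning "Anchor $($state.Anchor) is still held by live object $($u.UserPrincipalName). Move '$sam' to a non-synced OU and run Start-ADSyncSyncCycle -PolicyType Initial first."
        $blocked = $true
    }
}
foreach ($u in $state.Deleted) {
    Write-Warning "Purging soft-deleted $($u.UserPrincipalName), which still holds anchor $($state.Anchor)"
    Remove-MsolUser -UserPrincipalName $u.UserPrincipalName -RemoveFromRecycleBin -Force
}
if ($blocked) { return }

# Step 2 of the reply: UPN, mail and proxyAddresses in AD must agree with the cloud account.
Sync-AdAttributesToCloud -SamAccountName $sam -CloudUpn $cloudUpn

# Step 3: repeat the hard match (Set-MsolUser -ImmutableId $state.Anchor, as in the
# earlier steps), move the AD object back into a synced OU and run, on the Connect server:
#   Start-ADSyncSyncCycle -PolicyType Initial
```

The attribute alignment in step 2 is what Azure AD Connect's soft match keys on (primary SMTP address and UPN); once the ImmutableId is set the hard match takes precedence, but aligning the attributes first avoids a second duplicate if the anchor is ever cleared again.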