Forum Discussion
Self-service users and AAD Connect
Moe_Kinani, thanks for your reply.
I tried your proposed solution, with the following results:
1. On my colleague's account, the one who registered himself to get access to Teams and has two sources of authority ("Windows Server AD" and "Azure Active Directory (self-service)"), I could run the commands with no problem. However, after forcing the initial sync, the account still has the same two sources of authority.
2. With my personal, named account, which is currently shown twice in AAD (alvaro@company.com linked to Azure AD, and alvaro1234@company.onmicrosoft.com linked to on-premises AD), when I ran the command I got the following error:
PS C:\Users\Administrator> Set-MsolUser -UserPrincipalName alvaro@company.com -ImmutableId "BuoO8NjJF0aSXA2p5e8j1A=="
Set-MsolUser : Uniqueness violation. Property: SourceAnchor.
At line:1 char:1
+ Set-MsolUser -UserPrincipalName alvaro@company.com -ImmutableId ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Set-MsolUser], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.UniquenessValidationException,Microsoft.Online.Administration.Automation.SetUser
I suppose this error is because, in AAD, the account alvaro@company.onmicrosoft.com is already linked to that ImmutableId. How can I handle it?
1. You need to remove the synced account by placing it in a non-syncing OU and forcing an initial sync. Make sure it disappears from the O365 users.
2. Match the account you're trying to sync with the AAD cloud account by following the steps below:
A. In AD, find the account and make sure the DNS suffix reflects xyz.com.
B. In Attribute Editor, go to the mail attribute and match it with the AAD email address. Do the same with the userPrincipalName attribute and the proxyAddresses attribute (SMTP:email@xyz.com): capital SMTP for the primary email address and lowercase smtp for the other aliases.
3. Repeat the steps for the hard match again.
Hope this helps!
Moe
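The procedure in Moe's reply (clear the duplicate synced object, align mail/userPrincipalName/proxyAddresses on the on-premises user, then hard match) and the "Uniqueness violation. Property: SourceAnchor" error from the earlier post, as one added PowerShell script. This is example code written for this page, not code posted by either participant. It assumes the MSOnline and ActiveDirectory modules, an existing Connect-MsolService session, and Azure AD Connect on the machine it runs on; the account names and domain are placeholders taken from the thread.

```powershell
# Added example (not from the thread): hard-match an on-premises AD user to an
# existing cloud-only Azure AD account, checking first that the SourceAnchor is free.
# Assumptions: MSOnline + ActiveDirectory modules, Connect-MsolService already done,
# run on the Azure AD Connect server so Start-ADSyncSyncCycle is available.
# 'alvaro' and 'company.com' are placeholders from the thread, not real values.
param(
    [string]$SamAccountName = 'alvaro',
    [string]$CloudUpn       = 'alvaro@company.com'
)

Import-Module ActiveDirectory
Import-Module MSOnline

# The ImmutableId Azure AD expects is the base64 form of the on-prem objectGUID.
$adUser      = Get-ADUser -Identity $SamAccountName -Properties mail, proxyAddresses, userPrincipalName
$immutableId = [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

# Step 1 of the reply: the stale synced object must be gone before re-matching.
# If any other tenant object (active or soft-deleted) still owns this ImmutableId,
# Set-MsolUser fails with "Uniqueness violation. Property: SourceAnchor".
$holders = @(Get-MsolUser -All) + @(Get-MsolUser -ReturnDeletedUsers -All) |
    Where-Object { $_.ImmutableId -eq $immutableId -and $_.UserPrincipalName -ne $CloudUpn }
if ($holders) {
    $holders | ForEach-Object {
        Write-Warning "ImmutableId $immutableId is still bound to $($_.UserPrincipalName)"
    }
    throw 'Move the synced object to a non-syncing OU, run an initial sync, and purge it ' +
          'from Deleted Users (Remove-MsolUser -RemoveFromRecycleBin) before hard matching.'
}

# Step 2: align the on-prem attributes with the cloud account.
# Capital SMTP: marks the primary address; lowercase smtp: aliases are kept as-is.
$primary = "SMTP:$CloudUpn"
$aliases = @($adUser.proxyAddresses | Where-Object { $_ -cnotlike 'SMTP:*' })
Set-ADUser -Identity $adUser `
    -UserPrincipalName $CloudUpn `
    -EmailAddress      $CloudUpn `
    -Replace @{ proxyAddresses = @($primary) + $aliases }

# Step 3: hard match the cloud account to the on-prem object, then sync.
Set-MsolUser -UserPrincipalName $CloudUpn -ImmutableId $immutableId
Start-ADSyncSyncCycle -PolicyType Initial

# Verify: one object, synced from on-prem, carrying the expected anchor.
Get-MsolUser -UserPrincipalName $CloudUpn |
    Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime
```

The pre-check against deleted users is the part the thread implies but does not spell out: a synced object that has only been moved to the recycle bin still holds its SourceAnchor, so the hard match keeps failing until it is purged or restored and removed properly.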