May 05 2020
- last edited on
Jul 24 2020
Hi. I'm having some trouble managing Azure AD. Here's the context:
As our sysadmin and tech manager, I previously (for 2 years or more) had a Microsoft account with our email@example.com address to manage our Office (not Office365) and Windows/Windows Server licenses. I also had a Microsoft account with my named email firstname.lastname@example.org, as, by mistake, our licenses provider sold the licenses with that address instead of the webmaster one.
Then came the pandemic, and we started using Microsoft Teams. I assigned both the webmaster and my named account administrator privileges over our Teams service. I then created Teams users for some of my colleagues from the Teams Admin Center, using their work email addresses. Also, to participate in a meeting, one of my colleagues registered himself on Teams with his work email.
Yesterday, I activated Azure AD and configured Azure AD Connect with pass-through authentication and 3 agents on our 3 on-premise AD servers, with password writeback disabled (that may be useful to know). Everything is working fine for most users. However, I've got 3 troublesome cases which I can't find out how to solve:
1. My webmaster address. It already existed in AAD before the AAD Connect initial sync, and it also existed in our AD. In AAD, the original AAD user has been preserved with source "Azure Active Directory (self-service)", and the one from our AD has been created with email "email@example.com", with source "Windows Server AD". I would like to have both of them under a single account, even if it implies such account will use AD pass-through authentication.
2. The same also happened to my named account. The original account was preserved as "firstname.lastname@example.org" with source "Azure Active Directory (self-service)", and the one from my AD was created as "email@example.com". I would like to have both as a single account. In this case, even further, it is also a must to have that account use the pass-through authentication.
3. One of my colleagues, for whom I hadn't yet created a Teams account on Teams Admin Center, registered himself as a Teams user with his work email address "firstname.lastname@example.org". After the initial AAD Connect sync, his account (unlike the previous cases, here it's only one) has "Multiple" sources: "Windows Server AD" and "Azure Active Directory (self-service)". As he's a normal user, with no special privileges or requirements, I want this user to have only the "Windows Server AD" source, so his account is only authenticated by our on-premise AD.
Any help would be really appreciated.
May 08 2020 07:04 PM
@Moe_Kinani Thanks for your reply.
I tried your proposed solution, with the following results:
1. On my colleague's account, the one who registered himself to get access to Teams, and has two sources of authority ("Windows Server AD" and "Azure Active Directory (self-service)"), I could run the commands with no problem. However, after forcing the initial sync, the account still has the same two sources of authority.
2. With my personal, named account, which currently is shown twice on AAD (email@example.com linked to Azure AD, and firstname.lastname@example.org linked to on-premise AD), when I ran the command, I got the following error:
PS C:\Users\Administrator> Set-MsolUser -UserPrincipalName email@example.com -ImmutableId "BuoO8NjJF0aSXA2p5e8j1A=="
Set-MsolUser : Uniqueness violation. Property: SourceAnchor.
At line:1 char:1
+ Set-MsolUser -UserPrincipalName firstname.lastname@example.org -ImmutableId ...
+ CategoryInfo : OperationStopped: (:) [Set-MsolUser], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.UniquenessValidationException,Microsoft.Onlin
I suppose this error is because, in AAD, the account email@example.com is already linked to that ImmutableId. How can I handle it?
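One way to see why the hard match fails, as an added example that is not part of this thread and not Microsoft's own tooling: it decodes the ImmutableId quoted above back to the on-prem objectGUID (an ImmutableId is the base64 of the GUID's little-endian bytes) and, over a constructed list of cloud users, reports which UPN already holds that SourceAnchor. The user records and the plan_hard_match helper are assumptions for illustration.

```python
import base64
import uuid


def immutable_id_to_guid(immutable_id: str) -> str:
    """Decode an Azure AD ImmutableId into the on-prem objectGUID string.

    The ImmutableId is base64 over the 16 raw bytes of the objectGUID,
    in the same little-endian layout Windows uses for GUIDs.
    """
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError(f"expected 16 GUID bytes, got {len(raw)}")
    return str(uuid.UUID(bytes_le=raw))


def guid_to_immutable_id(guid: str) -> str:
    """Inverse of immutable_id_to_guid: objectGUID string -> ImmutableId."""
    return base64.b64encode(uuid.UUID(guid).bytes_le).decode("ascii")


def plan_hard_match(cloud_users, target_upn: str, immutable_id: str) -> dict:
    """Check whether setting immutable_id on target_upn would violate
    SourceAnchor uniqueness (the error seen in the post).

    cloud_users: iterable of {"upn": ..., "immutable_id": ... or None}.
    """
    holders = [u["upn"] for u in cloud_users
               if u.get("immutable_id") == immutable_id and u["upn"] != target_upn]
    if holders:
        return {"status": "conflict", "held_by": holders,
                "guid": immutable_id_to_guid(immutable_id)}
    return {"status": "ok", "guid": immutable_id_to_guid(immutable_id)}


# Constructed sample of what Get-MsolUser might return for the two
# duplicate objects described in the post (not real tenant data).
SAMPLE_CLOUD_USERS = [
    {"upn": "email@example.com", "immutable_id": "BuoO8NjJF0aSXA2p5e8j1A=="},
    {"upn": "firstname.lastname@example.org", "immutable_id": None},
]

if __name__ == "__main__":
    result = plan_hard_match(SAMPLE_CLOUD_USERS,
                             "firstname.lastname@example.org",
                             "BuoO8NjJF0aSXA2p5e8j1A==")
    print(result)  # status "conflict", held by email@example.com
```

The conflict result is the same condition Set-MsolUser reports as "Uniqueness violation. Property: SourceAnchor": the synced object already carries that anchor, so the self-service object cannot take it until the two are reconciled.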