Self-service users and AAD Connect

%3CLINGO-SUB%20id%3D%22lingo-sub-1361971%22%20slang%3D%22en-US%22%3ERe%3A%20Self-service%20users%20and%20AAD%20Connect%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1361971%22%20slang%3D%22en-US%22%3EHi%20alvaroagocs%2C%3CBR%20%2F%3E%3CBR%20%2F%3EYou%20need%20to%20do%20hard%20match%20for%20the%20accounts%20(had%20issues)%20syncing%20from%20AD%20to%20O365.%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20this%20helps!%3CBR%20%2F%3EMoe%3CBR%20%2F%3E%3CBR%20%2F%3EFollow%20the%20steps%20below%3A%3CBR%20%2F%3E%3CBR%20%2F%3E1.%20Run%20the%20CMDLET%20below%20in%20DC%20PowerShell%2F%20Change%20the%20path%3CBR%20%2F%3E%3CBR%20%2F%3Eldifde%20-f%20C%3A%5CUsers%5CUSERNAME%5CDesktop%5Cexport.txt%20-r%20%22(Userprincipalname%3D*)%22%20-l%20%22objectGuid%2C%20userPrincipalName%22%3CBR%20%2F%3E%3CBR%20%2F%3E2.%20Get%20the%20Object%20Guid%20and%20then%20connect%20to%20ADConnect%20server%3CBR%20%2F%3E%3CBR%20%2F%3ERun%20the%20PS%20as%20Admin%3CBR%20%2F%3E%3CBR%20%2F%3EConnect-MSOLService%3CBR%20%2F%3E%3CBR%20%2F%3ERun%20the%20CMDLET%20below%3A%3CBR%20%2F%3E%3CBR%20%2F%3ESet-MsolUser%20-UserPrincipalName%20username%40example.com%20-ImmutableId%20%E2%80%9CIMMUTABLEID_RETRIEVED_FROM_STEP1%E2%80%9D%3CBR%20%2F%3E%3CBR%20%2F%3E3.%20Move%20the%20user%20to%20the%20syncing%20bucket%3CBR%20%2F%3E%3CBR%20%2F%3E4.%20Force%20Initial%20Sync%20again.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1375917%22%20slang%3D%22en-US%22%3ERe%3A%20Self-service%20users%20and%20AAD%20Connect%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1375917%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F503735%22%20target%3D%22_blank%22%3E%40Moe_Kinani%3C%2FA%3E%26nbsp%3BThanks%20for%20your%20reply.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20tried%20your%20proposed%20solution%2C%20with%20the%20following%20results%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20On%20my%20colleague's%20account%2C%20the%20one%20who%20registered%20himself%20to%20get%20access%20to%20Teams%2C%20and%20has%20two%20sources%20of%20authority%20(%3CSPAN%3E%22Windows%20Server%20AD%22%20and%20%22Azure%20Active%20Directory%20(self-service)%22)%2C%20I%20could%20run%20the%20commands%20with%20no%20problem.%20However%2C%20after%20forcing%20the%20inicial%20sync%2C%20the%20account%20still%20has%20the%20same%20two%20sources%20of%20authority.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E2.%20With%20my%20personal%2C%20named%20account%2C%20which%20currently%20is%20shown%20double%20on%20AAD(alvaro%40company.com%20linked%20to%20Azure%20AD%2C%20and%20alvaro1234%40company.onmicrosoft.com%20linked%20to%20on-premise%20AD)%2C%20when%20I%20ran%20the%20command%2C%20I%20got%20the%20following%20error%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EPS%20C%3A%5CUsers%5CAdministrator%26gt%3B%20Set-MsolUser%20-UserPrincipalName%20alvaro%40company.com%20-ImmutableId%20%22BuoO8NjJF0aSXA2p5e8j1A%3D%3D%22%3CBR%20%2F%3ESet-MsolUser%20%3A%20Uniqueness%20violation.%20Property%3A%20SourceAnchor.%3CBR%20%2F%3EAt%20line%3A1%20char%3A1%3CBR%20%2F%3E%2B%20Set-MsolUser%20-UserPrincipalName%20alvaro%40company.com%20-ImmutableId%20...%3CBR%20%2F%3E%2B%20~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~%3CBR%20%2F%3E%2B%20CategoryInfo%20%3A%20OperationStopped%3A%20(%3A)%20%5BSet-MsolUser%5D%2C%20MicrosoftOnlineException%3CBR%20%2F%3E%2B%20FullyQualifiedErrorId%20%3A%20Microsoft.Online.Administration.Automation.UniquenessValidationException%2CMicrosoft.Onlin%3CBR%20%2F%3Ee.Administration.Automation.SetUser%3CBR%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EI%20suppose%20this%20error%20is%20because%2C%20in%20AAD%2C%20the%20account%20alvaro%40company.onmicrosoft.com%20is%20already%20linked%20to%20that%20ImmutableId.%20How%20can%20I%20handle%20it%3F%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1376742%22%20slang%3D%22en-US%22%3ERe%3A%20Self-service%20users%20and%20AAD%20Connect%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1376742%22%20slang%3D%22en-US%22%3EHi%2C%3CBR%20%2F%3E%3CBR%20%2F%3E1.%20You%20need%20to%20remove%20the%20synced%20account%20by%20placing%20in%20NOT-syncing%20OU%20and%20force%20initial%20sync.%20Make%20sure%20it%20disappears%20from%20O365%20users.%3CBR%20%2F%3E%3CBR%20%2F%3E2.%20Match%20the%20account%20you%20trying%20to%20sync%20with%20ADD%20cloud%20account%20by%20following%20the%20steps%20below%3A%3CBR%20%2F%3EA.%20In%20AD%2C%20find%20the%20account%20and%20make%20sure%20dns%20suffix%20reflects%20xyz.com.%3CBR%20%2F%3EB.%20In%20Attribute%20Editor%2C%20go%20to%20mail%20attribute%20and%20match%20with%20AAD%20email%20address.%20Do%20the%20the%20same%20with%20UserPrincipleName%20attribute%20and%20ProxyAddress%20attribute%20(SMTP%3Aemail%40xyz.com)-%20Capital%20SMTP%20for%20primary%20email%20Address%20and%20small%20%E2%80%98smtp%E2%80%99%20for%20other%20aliases.%3CBR%20%2F%3E%3CBR%20%2F%3E4.%20Repeat%20the%20steps%20for%20hard%20match%20again.%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20this%20helps!%3CBR%20%2F%3EMoe%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1361549%22%20slang%3D%22en-US%22%3ESelf-service%20users%20and%20AAD%20Connect%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1361549%22%20slang%3D%22en-US%22%3E%3CP%3EHi.%20I'm%20having%20some%20trouble%20managing%20Azure%20AD.%20Here's%20the%20context%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20our%20sysadmin%20and%20tech%20manager%2C%20I%20previously%2C%20since%202%20years%20or%20more)%20had%20Microsoft%20account%20with%20our%20webmaster%40company.com%20address%20to%20manage%20our%20Office%20(not%20Office365)%20and%20Windows%2FWindows%20Server%20licenses.%20I%20also%20has%20a%20Microsoft%20account%20with%20my%20named%20email%20alvaro%40company.com%20%2C%20as%2C%20by%20mistake%2C%20our%20licenses%20provider%20sold%20the%20licenses%20with%20that%20address%20instead%20of%20the%20webmaster%20one.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThen%20came%20the%20pandemic%2C%20and%20we%20started%20using%20Microsoft%20Teams.%20I%20assigned%20both%20webmaster%20and%20my%20named%20account%20administrator%20privileges%20over%20our%20Teams%20service.%20I%20then%20created%20Teams%20users%20for%20some%20of%20my%20coleagues%20from%20the%20Teams%20Admin%20Center%2C%20using%20their%20work%20email%20addresses.%20Also%2C%20to%20participate%20in%20a%20meeting%2C%20one%20of%20my%20coleagues%20registered%20himself%20on%20Teams%20with%20his%20work%20email.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EYesterday%2C%20I%20activated%20Azure%20AD%20and%20configured%20Azure%20AD%20Connect%20with%20pass-through%20authentication%20and%203%20agents%20on%20our%203%20on-premise%20AD%20serves%2C%20with%20password%20writeback%20disabled(that%20may%20be%20useful%20to%20know).%20Everything%20is%20working%20fine%20for%20most%20users.%20However%2C%20I've%20got%203%20troublesome%20cases%20which%20I%20can't%20find%20out%20how%20to%20solve%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20My%20webmaster%20address.%20It%20already%20existed%20in%20AAD%20before%20the%20AAD%20Connect%20initial%20sync%2C%20and%20it%20also%20existed%20in%20our%20AD.%20In%20AAD%2C%20the%20original%20AAD%20user%20has%20been%20preserved%20with%20source%20%22Azure%20Active%20Directory%20(self-service)%22%2C%20and%20the%20one%20from%20our%20AD%20has%20been%20created%20with%20email%20%22webmaster1234%40company.onmicrosoft.com%22%2C%20with%20source%20%22Windows%20Server%20AD%22.%20I%20would%20like%20to%20have%20both%20of%20them%20under%20a%20single%20account%2C%20even%20if%20it%20implies%20such%20account%20will%20use%20AD%20pass-through%20authentication.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2.%20The%20same%20also%20happened%20to%20my%20named%20account.%20The%20original%20account%20was%20preserved%20as%20%22alvaro%40company.com%22%20with%20source%20%22Azure%20Active%20Directory%20(self-service)%22%2C%20and%20the%20one%20from%20my%20AD%20was%20created%20as%20%22alvaro5678%40company.onmicrosoft.com%22.%20I%20would%20like%20to%20have%20both%20as%20a%20single%20account.%20In%20this%20case%2C%20even%20further%2C%20it%20is%20also%20a%20must%20to%20have%20that%20account%20use%20the%20pass-through%20authentication.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E3.%20One%20of%20my%20coleagues%2C%20for%20whom%20I%20hadn't%20yet%20created%20a%20Teams%20account%20on%20Teams%20Admin%20Center%2C%20registered%20himself%20as%20Teams%20user%20with%20his%20work%20email%20address%20%22someperson%40company.com%22.%20After%20the%20initial%20AAD%20Connect%20Sync%2C%20his%20account(unlike%20previous%20cases%2C%20here%20it's%20only%20one)%20has%20%22Multiple%22%20sources%3A%26nbsp%3B%22Windows%20Server%20AD%22%20and%20%22Azure%20Active%20Directory%20(self-service)%22.%20As%20he's%20a%20normal%20user%2C%20with%20no%20special%20privileges%20or%20requirements%2C%20I%20want%20this%20user%20to%20have%20only%20the%20%22Windows%20Server%20AD%22%20source%2C%20so%20his%20account%20is%20only%20authenticated%20by%20our%20on-premise%20AD.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAny%20help%20would%20be%20really%20appreciated.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1361549%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20AD%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1707453%22%20slang%3D%22en-US%22%3ERe%3A%20Self-service%20users%20and%20AAD%20Connect%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1707453%22%20slang%3D%22en-US%22%3EDid%20you%20ever%20manage%20to%20fix%20this%3F%20Cause%20i%20have%20this%20same%20issue%20with%20one%20account%20and%20its%20stopping%20that%20user%20from%20MDM%20enrollment.%20Im%20not%20sure%20what%20Moe_Kinani%20meant%20by%20making%20sure%20he%20gets%20removed%20from%20O365%20users.%20If%20you%20remove%20the%20user%20from%20synced%20OU%20i%20expect%20the%20Windows%20Server%20AD%20authority%20to%20disappear%2C%20not%20O365%20(Azure%20AD%20Self-Service).%3C%2FLINGO-BODY%3E
New Contributor

Hi. I'm having some trouble managing Azure AD. Here's the context:

 

As our sysadmin and tech manager, I previously, since 2 years or more) had Microsoft account with our webmaster@company.com address to manage our Office (not Office365) and Windows/Windows Server licenses. I also has a Microsoft account with my named email alvaro@company.com , as, by mistake, our licenses provider sold the licenses with that address instead of the webmaster one.

 

Then came the pandemic, and we started using Microsoft Teams. I assigned both webmaster and my named account administrator privileges over our Teams service. I then created Teams users for some of my coleagues from the Teams Admin Center, using their work email addresses. Also, to participate in a meeting, one of my coleagues registered himself on Teams with his work email.

 

Yesterday, I activated Azure AD and configured Azure AD Connect with pass-through authentication and 3 agents on our 3 on-premise AD serves, with password writeback disabled(that may be useful to know). Everything is working fine for most users. However, I've got 3 troublesome cases which I can't find out how to solve:

 

1. My webmaster address. It already existed in AAD before the AAD Connect initial sync, and it also existed in our AD. In AAD, the original AAD user has been preserved with source "Azure Active Directory (self-service)", and the one from our AD has been created with email "webmaster1234@company.onmicrosoft.com", with source "Windows Server AD". I would like to have both of them under a single account, even if it implies such account will use AD pass-through authentication.

 

2. The same also happened to my named account. The original account was preserved as "alvaro@company.com" with source "Azure Active Directory (self-service)", and the one from my AD was created as "alvaro5678@company.onmicrosoft.com". I would like to have both as a single account. In this case, even further, it is also a must to have that account use the pass-through authentication.

 

3. One of my coleagues, for whom I hadn't yet created a Teams account on Teams Admin Center, registered himself as Teams user with his work email address "someperson@company.com". After the initial AAD Connect Sync, his account(unlike previous cases, here it's only one) has "Multiple" sources: "Windows Server AD" and "Azure Active Directory (self-service)". As he's a normal user, with no special privileges or requirements, I want this user to have only the "Windows Server AD" source, so his account is only authenticated by our on-premise AD.

 

Any help would be really appreciated.

4 Replies
Hi alvaroagocs,

You need to do hard match for the accounts (had issues) syncing from AD to O365.

Hope this helps!
Moe

Follow the steps below:

1. Run the CMDLET below in DC PowerShell/ Change the path

ldifde -f C:\Users\USERNAME\Desktop\export.txt -r "(Userprincipalname=*)" -l "objectGuid, userPrincipalName"

2. Get the Object Guid and then connect to ADConnect server

Run the PS as Admin

Connect-MSOLService

Run the CMDLET below:

Set-MsolUser -UserPrincipalName username@example.com -ImmutableId “IMMUTABLEID_RETRIEVED_FROM_STEP1”

3. Move the user to the syncing bucket

4. Force Initial Sync again.

@Moe_Kinani Thanks for your reply.

 

I tried your proposed solution, with the following results:

 

1. On my colleague's account, the one who registered himself to get access to Teams, and has two sources of authority ("Windows Server AD" and "Azure Active Directory (self-service)"), I could run the commands with no problem. However, after forcing the inicial sync, the account still has the same two sources of authority.

 

2. With my personal, named account, which currently is shown double on AAD(alvaro@company.com linked to Azure AD, and alvaro1234@company.onmicrosoft.com linked to on-premise AD), when I ran the command, I got the following error:

 

PS C:\Users\Administrator> Set-MsolUser -UserPrincipalName alvaro@company.com -ImmutableId "BuoO8NjJF0aSXA2p5e8j1A=="
Set-MsolUser : Uniqueness violation. Property: SourceAnchor.
At line:1 char:1
+ Set-MsolUser -UserPrincipalName alvaro@company.com -ImmutableId ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Set-MsolUser], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.UniquenessValidationException,Microsoft.Onlin
e.Administration.Automation.SetUser

 

I suppose this error is because, in AAD, the account alvaro@company.onmicrosoft.com is already linked to that ImmutableId. How can I handle it?

Hi,

1. You need to remove the synced account by placing in NOT-syncing OU and force initial sync. Make sure it disappears from O365 users.

2. Match the account you trying to sync with ADD cloud account by following the steps below:
A. In AD, find the account and make sure dns suffix reflects xyz.com.
B. In Attribute Editor, go to mail attribute and match with AAD email address. Do the the same with UserPrincipleName attribute and ProxyAddress attribute (SMTP:email@xyz.com)- Capital SMTP for primary email Address and small ‘smtp’ for other aliases.

4. Repeat the steps for hard match again.

Hope this helps!
Moe
Did you ever manage to fix this? Cause i have this same issue with one account and its stopping that user from MDM enrollment. Im not sure what Moe_Kinani meant by making sure he gets removed from O365 users. If you remove the user from synced OU i expect the Windows Server AD authority to disappear, not O365 (Azure AD Self-Service).