The problem I'm having is that whenever I'm merging AD admin accounts to AAD, changing the UPN in AD and then forcing a sync using PowerShell (or even without a forced sync), it creates a new account in AAD for the AD admins or for users in AD admin groups.
What is the best way? Or are there any standard practices I can follow?
Lesson number 1: never sync administrator accounts from AD to AAD. That could allow cyber attackers to hop from on-premises to the cloud. (And believe me, it happens often.)
1. Create new cloud-only admin accounts for every administrator.
2. Stop syncing the OU where the admins are located.
3. Limit the privileges for admins and use Privileged Identity Management (think about your identity governance).
4. Create two break-the-glass accounts for emergency purposes.
5. Enable MFA for ALL admins except the break-the-glass accounts.
6. Create a policy that blocks sign-in on the two break-the-glass accounts except from trusted locations.
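The six steps above, carried through as one PowerShell script. This is an added example and not code from anyone in the thread; it assumes the Microsoft Graph PowerShell SDK for the cloud side and the ADSync and ActiveDirectory modules on the Azure AD Connect server. The tenant domain, OU path, account names and role list are placeholders; the Global Administrator template ID is the well-known built-in one.

```powershell
# Added example (not from the original thread). Cloud steps use the Microsoft Graph
# PowerShell SDK; the "Step 2" block runs on the Azure AD Connect server.
$scopes = @(
    'User.ReadWrite.All',
    'Policy.ReadWrite.ConditionalAccess',
    'RoleEligibilitySchedule.ReadWrite.Directory'
)
Connect-MgGraph -Scopes $scopes

$tenantDomain = 'contoso.onmicrosoft.com'   # placeholder: UPN suffix for cloud-only accounts

# Cryptographically random initial password (works in Windows PowerShell 5.1 and 7+).
function New-RandomPassword {
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

# Steps 1 and 4: cloud-only accounts have no on-prem source anchor, so a later
# UPN change or forced sync cannot match them or create duplicates.
function New-CloudOnlyAccount {
    param([string]$DisplayName, [string]$Alias)
    New-MgUser -DisplayName $DisplayName `
               -UserPrincipalName "$Alias@$tenantDomain" `
               -MailNickname $Alias `
               -AccountEnabled `
               -PasswordProfile @{
                   Password                      = New-RandomPassword
                   ForceChangePasswordNextSignIn = $true
               }
}
$admin = New-CloudOnlyAccount -DisplayName 'Jane Doe (admin)' -Alias 'adm-jdoe'   # placeholder
$btg1  = New-CloudOnlyAccount -DisplayName 'Break Glass 1'    -Alias 'btg-01'
$btg2  = New-CloudOnlyAccount -DisplayName 'Break Glass 2'    -Alias 'btg-02'

# Step 2 (sync server): OU filtering itself is configured in the Azure AD Connect
# wizard. The attribute-based alternative below relies on the default sync rules,
# which cloud-filter any user whose adminDescription starts with "User_".
$adminOu = 'OU=Tier0Admins,DC=corp,DC=contoso,DC=com'   # placeholder OU
Get-ADUser -SearchBase $adminOu -Filter * |
    Set-ADUser -Replace @{ adminDescription = 'User_NoSync' }
Start-ADSyncSyncCycle -PolicyType Delta

# Step 3: make the admin *eligible* for the role through PIM instead of a standing assignment.
$globalAdminRoleId = '62e90394-69f5-4237-9190-012177145e10'   # built-in Global Administrator template ID
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter @{
    action           = 'adminAssign'
    principalId      = $admin.Id
    roleDefinitionId = $globalAdminRoleId
    directoryScopeId = '/'
    justification    = 'Cloud-only admin, eligible (not active) assignment'
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime().ToString('o')
        expiration    = @{ type = 'noExpiration' }
    }
}

# Step 5: MFA for every holder of an admin role, break-glass accounts excluded.
# Created in report-only mode so the effect can be checked in sign-in logs before enforcing.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Require MFA for directory role holders'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeRoles = @($globalAdminRoleId)   # add the other admin role IDs in use
            excludeUsers = @($btg1.Id, $btg2.Id)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Step 6: block the break-glass accounts everywhere except trusted named locations.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = 'Block break-glass sign-in outside trusted locations'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @($btg1.Id, $btg2.Id) }
        applications   = @{ includeApplications = @('All') }
        locations      = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') }
        clientAppTypes = @('all')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
```

Both Conditional Access policies are created in report-only state; switch `state` to `'enabled'` once the sign-in logs confirm the break-glass exclusions behave as intended, and test a break-glass sign-in from a trusted location before relying on it. The Step 2 block is the part that addresses the duplicate-account symptom in the question: once the on-prem admin objects are cloud-filtered, a UPN change or forced delta sync no longer produces a new AAD object for them.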