AzureADConnect with new AD domain


We picked up a client that got hit with ransomware. They decided to restore everything to a brand new network, as the ransomware'd network was old anyways.


I'm trying to get AzureAD sync working on the new network without losing all the addresses and mail.

What I've done so far is:

1 - Removed the user from the Sync Filtered group on the old domain - Forced a sync - This moved the user to deleted users

2 - Restored that user - This made him a "cloud user" instead of "Synced with AD"

3 - Changed the UPN for the now cloud user (UPN = email address)

4 - Changed the immutable ID for the cloud user - Set-MsolUser -UserPrincipalName -ImmutableId ObjectGUIDBase64

5 - Changed the UPN back to the normal


At this point I thought I was clear, so I set up Azure AD Connect on the new domain (UPN already set up, usernames correct, etc.) - Added ONLY this user to the Sync group for the new domain and forced a sync. This is the error.

Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [UserPrincipalName] - Correct or remove the duplicate values.


I thought that by changing the immutableID I would have been OK? I'm missing something here though. There has to be some way I can re-sync my users to the

1 Reply

Not sure why the "change UPN" steps? Are you perhaps using federation?


In any case, the duplicate UPN error should be resolved first.
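
Added example, not part of the original thread: an offline pre-check for the hard match in step 4. It derives the ImmutableId from the new domain's objectGUID and flags any cloud object that holds the same UPN under a different, non-empty ImmutableId. It assumes objectGUID is the source anchor, as in the post; the function names, property layout and sample values are constructed for illustration.

```powershell
# Added example: hard-match pre-check. All sample values are constructed.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # Base64 of Guid.ToByteArray(): the value the post calls ObjectGUIDBase64.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Test-HardMatch {
    param(
        [Parameter(Mandatory)]$OnPremUser,           # UserPrincipalName, ObjectGuid
        [Parameter(Mandatory)][object[]]$CloudUsers  # UserPrincipalName, ImmutableId, ObjectId
    )
    $expected = ConvertTo-ImmutableId -ObjectGuid $OnPremUser.ObjectGuid
    # Base64 is case-sensitive, so anchors are compared with -ceq / -cne.
    $anchored  = @($CloudUsers | Where-Object { $_.ImmutableId -ceq $expected })
    # A cloud object that owns the UPN but carries another anchor blocks the join.
    $conflicts = @($CloudUsers | Where-Object {
        $_.UserPrincipalName -eq $OnPremUser.UserPrincipalName -and
        $_.ImmutableId -and $_.ImmutableId -cne $expected
    })
    [pscustomobject]@{
        UserPrincipalName    = $OnPremUser.UserPrincipalName
        ExpectedImmutableId  = $expected
        AnchoredObjectIds    = @($anchored  | ForEach-Object { $_.ObjectId })
        ConflictingObjectIds = @($conflicts | ForEach-Object { $_.ObjectId })
        ReadyToSync          = ($anchored.Count -eq 1 -and $conflicts.Count -eq 0)
    }
}

# Constructed sample: two accounts in the new domain and their cloud counterparts.
$newAd = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; ObjectGuid = [guid]'11111111-2222-3333-4444-555555555555' }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.com';   ObjectGuid = [guid]'66666666-7777-8888-9999-000000000000' }
)
$oldAnchor = ConvertTo-ImmutableId -ObjectGuid ([guid]'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee')
$cloud = @(
    # alice: ImmutableId already rewritten to the new objectGUID (step 4 done).
    [pscustomobject]@{ ObjectId = 'cloud-1'; UserPrincipalName = 'alice@example.com'
                       ImmutableId = (ConvertTo-ImmutableId -ObjectGuid $newAd[0].ObjectGuid) }
    # bob: still carries the anchor from the old domain, so his UPN will collide.
    [pscustomobject]@{ ObjectId = 'cloud-2'; UserPrincipalName = 'bob@example.com'; ImmutableId = $oldAnchor }
)

# In a tenant the inputs would come from Get-ADUser and Get-MsolUser -All (assumption:
# MSOnline module, as used in the post).
$newAd | ForEach-Object { Test-HardMatch -OnPremUser $_ -CloudUsers $cloud } | Format-List
```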