SOLVED

Duplicate Accounts in O365 from Azure AD Sync


We have a unique situation where we synchronized our existing AD domain of 'company.eu' to our O365 tenant 'company.com'. 

In O365, 'company.com' includes everyone in the US and Europe...all Company employees, while the AD domain only has EU employees.

We bought the 'company.eu' domain, and I added it to O365 as a secondary domain. Some users got the secondary email "user@company.eu", and some have not.
Since synchronizing AD, some users have 2 accounts in O365 (user@company.com, in cloud AND user@company.eu, synced from AD). When I try to modify any aliases in O365, I'm shown its controlled by AD sync.
Is there a way to merge the duplicate accounts in O365? We have to keep the primary email as 'company.com', but also have their AD accounts synced with O365 for SSO.
Ideas?

Solution

Hi Shaun,


First you need to move those duplicate company.eu users to an OU that is not synced (on-premises). Then run the sync manually, which deletes those users from the cloud. Then you need to remove the users from the "recycle bin" using PowerShell:

Get-MsolUser -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin

For the second step, you have two options. You can either change on-premises UPNs from company.eu to company.com, or you can hard-link the users manually.


For the latter option, you need to add the GUID of the on-premises company.eu user as the ImmutableId of the company.com user in the cloud. Here is the one-liner that does the trick for one user.

Set-MsolUser -UserPrincipalName user1@company.com -ImmutableId ([System.Convert]::ToBase64String((Get-ADUser -Filter "UserPrincipalName -eq 'user1@company.eu'").ObjectGUID.ToByteArray()))

After fixing the on-premises UPN or manually hard-linking the users, move them back to an OU that is synced and run the sync manually again. After the sync, the on-premises company.eu users should be linked to the existing company.com users.


To add aliases to synced company.eu users, you need to edit their proxyAddresses attribute in on-premises AD. The following example sets company.eu as the primary email address and company.eu as an alias.

SMTP:user1@company.com
smtp:user1@company.eu


Thanks, Nestori.
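The hard-link step above is the one that deserves a guard rail: writing the wrong ImmutableId re-points a cloud identity (and its mailbox, licences and role assignments) at a different on-premises object, and a stale duplicate still sitting in the recycle bin will make the next sync fail. The following function is an added example, not code from the thread: it wraps the one-liner with those checks, applies the SMTP:/smtp: proxyAddresses shown in the reply, and does nothing unless -Apply is given. It assumes the MSOnline and ActiveDirectory modules are loaded, Connect-MsolService has already been run, that the on-premises UPN is also the address you want as the company.eu alias, and that user1@company.eu / user1@company.com are placeholders. Run it while the user is still in the non-synced OU, then move the user back and trigger the delta sync as the reply describes.

```powershell
# Added example (not from the original thread). Assumes MSOnline + ActiveDirectory
# modules are imported and Connect-MsolService has been run in this session.
function Set-CloudHardMatch {
    param(
        [Parameter(Mandatory)][string]$OnPremUpn,   # placeholder: user1@company.eu
        [Parameter(Mandatory)][string]$CloudUpn,    # placeholder: user1@company.com
        [switch]$Apply                              # without -Apply only report what would change
    )

    $ad = Get-ADUser -Filter "UserPrincipalName -eq '$OnPremUpn'" -Properties proxyAddresses
    if (-not $ad) { throw "No on-premises user with UPN $OnPremUpn" }

    $cloud = Get-MsolUser -UserPrincipalName $CloudUpn -ErrorAction Stop

    # Refuse to overwrite an anchor that is already set: that would re-point an
    # existing synced cloud object at a different on-premises identity.
    if ($cloud.ImmutableId) {
        throw "$CloudUpn already has ImmutableId $($cloud.ImmutableId); refusing to overwrite"
    }

    # Same conversion as the one-liner in the reply: objectGUID bytes -> Base64.
    $anchor = [System.Convert]::ToBase64String($ad.ObjectGUID.ToByteArray())

    # A leftover duplicate (not purged from the recycle bin) may still carry this
    # anchor; linking a second object to it would produce a sync error.
    $clash = Get-MsolUser -All |
        Where-Object { $_.ImmutableId -eq $anchor -and $_.UserPrincipalName -ne $CloudUpn }
    if ($clash) { throw "ImmutableId $anchor is already used by $($clash.UserPrincipalName)" }

    # Desired proxyAddresses: company.com primary (upper-case SMTP), company.eu alias.
    # Assumes the on-premises UPN is also the mail address wanted as the alias.
    $primary = "SMTP:$CloudUpn"
    $alias   = "smtp:$OnPremUpn"
    $wanted  = @($primary, $alias)

    Write-Host "$OnPremUpn -> $CloudUpn  ImmutableId=$anchor"
    Write-Host "  proxyAddresses: $($wanted -join ', ')"

    if (-not $Apply) { Write-Host "  (dry run; re-run with -Apply to change anything)"; return }

    Set-MsolUser -UserPrincipalName $CloudUpn -ImmutableId $anchor

    # proxyAddresses is case-sensitive: exactly one 'SMTP:' entry may exist, so
    # drop any other primary before adding the entries that are missing.
    $oldPrimary = @($ad.proxyAddresses) | Where-Object { $_ -clike 'SMTP:*' -and $_ -cne $primary }
    if ($oldPrimary) { Set-ADUser -Identity $ad -Remove @{ proxyAddresses = $oldPrimary } }
    $missing = $wanted | Where-Object { @($ad.proxyAddresses) -cnotcontains $_ }
    if ($missing) { Set-ADUser -Identity $ad -Add @{ proxyAddresses = $missing } }
}

# Usage with placeholder names; the last line runs on the Azure AD Connect server.
# Set-CloudHardMatch -OnPremUpn user1@company.eu -CloudUpn user1@company.com          # dry run
# Set-CloudHardMatch -OnPremUpn user1@company.eu -CloudUpn user1@company.com -Apply
# Start-ADSyncSyncCycle -PolicyType Delta
```

The dry run prints the anchor and the proxyAddresses that would be written, which is a convenient thing to paste into the change record for each user before the weekend window.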


I did find how to manipulate the attributes via ADUC. I'm leery of deleting the accounts in O365. 
All of my on-premise accounts are @company.eu. Some of the O365 users already have this as an alias/alternate SMTP.
If I "unsync"/remove all of the .EU users, what happens to their existing .com accounts? Not all .EU users are duplicates.
In the end, it should be a single synchronized user with both .com and .eu seen in O365.
For now, I'm setting SMTP and smtp for all users via ADUC.
Do you think this will correct the primary accounts to where I could later remove the duplicates (assuming they would be EU only)?


If you "unsync" a user, their mailboxes will be soft-deleted for 30 days. If you resync the user, the mailbox will be returned. So, if some company.eu users are already linked to company.com cloud users, their mailboxes will be soft-deleted.


However, you only need to delete the duplicate accounts. Do those duplicate company.eu accounts already have mail in their mailboxes? If not, you can safely delete them. However, if they have mails, they need to be migrated. You can utilize "inactive mailboxes" for that, see my blog post here


If you add aliases to all your on-premises users now, there will be sync errors due to existing duplicates. So you should not try to set aliases to those duplicate company.eu users before removing them from the cloud.

You saved me some work, Nestori. Thanks again.

It is the case where some EU users are linked to COM cloud accounts. So, this would need to be something done while they're not using their accounts (weekend/after hours).

Nobody knows they have the EU email address, so no mails have been sent to those mailboxes.

So my understanding is now to:
1) Stop syncing my AD accounts (with .eu TLD)
2) Force sync (without the .eu accounts) thus removing them from O365.
   2a) Some mailboxes would be soft-deleted. Should be noted and restored
3) Modify attributes (via ADSIEDIT) to include both SMTP/smtp addresses on-premises.
4) Resync with cloud

Do I have this correct?

Yes, that's the way to do it. Anyways, try with one or two users first to verify the process. Good luck!

@Shaun Delorez

The issue is with Roles. If you try to sync a user to Azure AD and that user has roles assigned to it, it will create another user like Jdoe13434

This is a security feature that prevents someone creating an account that matches Azure AD admin ROLE assignment.

To make the sync work properly you have to remove the ROLES assigned to the users synced from the OU, and once it shows the account is directory synced, you can then give them their Azure roles back.

Be careful not to lock yourself out of Azure by removing your roles. You may want to create another account with Global Administrator access to do the changes.
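Before steps 1 and 2 of the plan above are run, the questions raised in the thread (which .eu users are true duplicates, which are already linked to a .com account and would have their mailbox soft-deleted, and which hold a directory role that the later reply says will make the sync create a second account) can all be answered from one inventory. The function below is an added example, not code from the thread: for every user under an on-premises search base it reports whether the cloud already has an object with that user's anchor, a duplicate .eu/.com pair, only a .com object that needs hard-matching, or nothing at all, and whether the .com account holds an Azure AD role. It assumes the MSOnline and ActiveDirectory modules, an open Connect-MsolService session, that the .com UPN is the .eu UPN with the domain swapped, and a placeholder OU path.

```powershell
# Added example (not from the original thread). Assumes MSOnline + ActiveDirectory
# modules are imported and Connect-MsolService has been run in this session.
function Get-EuSyncPreflight {
    param([string]$SearchBase = 'OU=EU Users,DC=company,DC=eu')   # placeholder OU

    # Index the tenant once by UPN and by ImmutableId (the sync anchor).
    $cloud    = Get-MsolUser -All
    $byUpn    = @{}
    $byAnchor = @{}
    foreach ($u in $cloud) {
        $byUpn[$u.UserPrincipalName.ToLower()] = $u
        if ($u.ImmutableId) { $byAnchor[$u.ImmutableId] = $u }
    }

    # Cloud accounts holding a directory role: the thread reports that syncing
    # such an account produces a second user instead of linking the existing one.
    $roleHolders = @{}
    foreach ($r in Get-MsolRole) {
        foreach ($m in Get-MsolRoleMember -RoleObjectId $r.ObjectId) {
            if ($m.EmailAddress) { $roleHolders[$m.EmailAddress.ToLower()] = $r.Name }
        }
    }

    Get-ADUser -Filter * -SearchBase $SearchBase -Properties proxyAddresses | ForEach-Object {
        $euUpn  = $_.UserPrincipalName.ToLower()
        # Assumption: the .com account has the same local part as the .eu UPN.
        $comUpn = $euUpn -replace '@company\.eu$', '@company.com'
        $anchor = [System.Convert]::ToBase64String($_.ObjectGUID.ToByteArray())

        if ($byAnchor.ContainsKey($anchor)) {
            $state    = 'Linked'            # already matched; unsyncing soft-deletes its mailbox
            $cloudUpn = $byAnchor[$anchor].UserPrincipalName
        } elseif ($byUpn.ContainsKey($euUpn) -and $byUpn.ContainsKey($comUpn)) {
            $state    = 'Duplicate'         # both objects exist; the .eu one is the duplicate
            $cloudUpn = $comUpn
        } elseif ($byUpn.ContainsKey($comUpn)) {
            $state    = 'NeedsHardMatch'    # only the .com object exists; set its ImmutableId
            $cloudUpn = $comUpn
        } elseif ($byUpn.ContainsKey($euUpn)) {
            $state    = 'EuOnly'            # only a .eu object exists (no .com account yet)
            $cloudUpn = $euUpn
        } else {
            $state    = 'NoCloudObject'     # first sync will create it
            $cloudUpn = $null
        }

        [pscustomobject]@{
            OnPremUpn  = $euUpn
            CloudUpn   = $cloudUpn
            State      = $state
            Role       = $roleHolders[$comUpn]                       # $null when no role
            HasEuAlias = (@($_.proxyAddresses) -contains "smtp:$euUpn")
        }
    }
}

# Usage:
# Get-EuSyncPreflight | Format-Table -AutoSize
# Get-EuSyncPreflight | Where-Object State -eq 'Duplicate'              # candidates for step 2
# Get-EuSyncPreflight | Where-Object { $_.State -eq 'Linked' -or $_.Role }   # handle before the window
```

Users reported as Linked are the ones whose mailboxes will be soft-deleted by step 2 and should be excluded from the unsync; anything with a non-empty Role column needs the role removed first, using a separate Global Administrator account so the person running the change is not locked out.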
