Duplicate Accounts in O365 from Azure AD Sync


We have a unique situation where we synchronized our existing AD domain of '' to our O365 tenant ''. 

In O365, '' includes everyone in the US and Europe...all Company employees, while the AD domain only has EU employees.

We bought the '' domain, and I added it to O365 as a secondary domain. Some users got the secondary email "", and some have not.
Since synchronizing AD, some users have 2 accounts in O365 (, in cloud AND, synced from AD). When I try to modify any aliases in O365, I'm shown it's controlled by AD sync.
Is there a way to merge the duplicate accounts in O365? We have to keep the primary email as '', but also have their AD accounts synced with O365 for SSO.

5 Replies
Best Response confirmed by Shaun Delorez (Occasional Contributor)

Hi Shaun,


First you need to move those duplicate users to an OU that is not synced (in on-premises). Then run the sync manually, which deletes those users from the cloud. Then you need to remove the users from the "recycle bin" using PowerShell:

Get-MsolUser -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin

For the second step, you have two options. You can either change on-premises UPNs from to, or you can hard-link the users manually.


For the latter option, you need to add the GUID of the on-premises user as the ImmutableId of the user in the cloud. Here is the one-liner that does the trick for one user.

Set-MsolUser -UserPrincipalName -ImmutableId ([System.Convert]::ToBase64String((Get-ADUser -Filter "UserPrincipalName -eq ''").ObjectGUID.ToByteArray()))

After fixing the on-premises UPN or manually hard-linking the users, move them back to an OU that is synced and run the sync manually again. After the sync, on-premises users should be linked to existing users.


 To add aliases to synced users, you need to edit their proxyAddresses attribute in on-premises AD. The following example sets the as primary email address and as alias.



Thanks, Nestori.


I did find how to manipulate the attributes via ADUC. I'm leery of deleting the accounts in O365. 
All of my on-premise accounts are Some of the O365 users already have this as an alias/alternate SMTP.
If I "unsync"/remove all of the .EU users, what happens to their existing .com accounts? Not all .EU users are duplicates.
In the end, it should be a single synchronized user with both .com and .eu seen in O365.
For now, I'm setting SMTP and smtp for all users via ADUC.
Do you think this will correct the primary accounts to where I could later remove the duplicates (assuming they would be EU only)?



If you "unsync" a user, their mailboxes will be soft-deleted for 30 days. If you resync the user, the mailbox will be returned. So, if some users are already linked to cloud users, their mailboxes will be soft-deleted.


However, you only need to delete the duplicate accounts. Do those duplicate accounts already have mail in their mailboxes? If not, you can safely delete them. However, if they have mail, it needs to be migrated. You can utilize "inactive mailboxes" for that, see my blog post here


If you add aliases to all your on-premises users now, there will be sync errors due to existing duplicates. So you should not try to set aliases to those duplicate users before removing them from the cloud.


You saved me some work, Nestori.  Thanks again.

It is the case where some EU users are linked to COM cloud accounts. So, this would need to be something done while they're not using their accounts (weekend/after hours).

Nobody knows they have the EU email address, so no mails have been sent to those mailboxes.

So my understanding is now to:
1) Stop syncing my AD accounts (with .eu TLD)
2) Force sync (without the .eu accounts) thus removing them from O365.
   2a) Some mailboxes would be soft-deleted. Should be noted and restored
3) Modify attributes (via ADSIEDIT) to include both SMTP/smtp addresses on-premises.
4) Resync with cloud

Do I have this correct?


Yes, that's the way to do it. Anyways, try with one or two users first to verify the process. Good luck!
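
For trying the hard-link step from the first reply on one or two pilot users, the following is an added example, not code from the thread or its participants. It wraps the same Base64-of-ObjectGUID conversion in a pre-check that reports whether the ImmutableId is free before anything is written. The function names, the `-Apply` switch and the placeholder UPNs are assumptions made for this example.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory and MSOnline
# modules are imported and Connect-MsolService has already been run.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # Same conversion as the one-liner: Base64 of the GUID's byte array.
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Set-HardLink {
    param(
        [Parameter(Mandatory)][string]$OnPremUpn,
        [Parameter(Mandatory)][string]$CloudUpn,
        [switch]$Apply   # without -Apply the function only reports
    )
    $ad = @(Get-ADUser -Filter "UserPrincipalName -eq '$OnPremUpn'")
    if ($ad.Count -ne 1) { throw "Expected one AD user for $OnPremUpn, found $($ad.Count)" }
    $id = ConvertTo-ImmutableId -ObjectGuid $ad[0].ObjectGUID

    $cloud = Get-MsolUser -UserPrincipalName $CloudUpn -ErrorAction Stop

    # The value must be unique in the tenant: a duplicate synced account that is
    # still active, or still in the recycle bin, blocks the hard link.
    $holders = @(@(Get-MsolUser -All) + @(Get-MsolUser -All -ReturnDeletedUsers) |
        Where-Object { $_.ImmutableId -eq $id -and $_.ObjectId -ne $cloud.ObjectId })

    $status = if ($holders.Count -gt 0) {
        'Blocked: ImmutableId held by ' + ($holders.UserPrincipalName -join ', ')
    } elseif ($cloud.ImmutableId -eq $id) {
        'Already linked'
    } elseif ($cloud.ImmutableId) {
        'Conflict: cloud user has a different ImmutableId'
    } else {
        'Ready'
    }

    if ($Apply -and $status -eq 'Ready') {
        Set-MsolUser -UserPrincipalName $CloudUpn -ImmutableId $id
        $status = 'Linked'
    }
    [pscustomobject]@{
        OnPremUpn = $OnPremUpn; CloudUpn = $CloudUpn
        ImmutableId = $id; Status = $status
    }
}

# Dry run for one pilot user (placeholder UPNs, replace with a real pair):
# Set-HardLink -OnPremUpn '<on-prem UPN>' -CloudUpn '<cloud UPN>'
```

A `Blocked` status means the duplicate synced account has not yet been removed from the cloud or from the recycle bin, which is the first step described in the accepted reply.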