Sep 11 2019 07:51 AM
Hi @all,
We are currently experiencing a strange behaviour with Azure AD Connect when migrating users between AD forests. The scenario:
- Multiple source forests; users with on-prem mailboxes
- One target forest
Only user mailboxes are migrated at the moment, as the users must stay in their forest for now. The migration workflow is as follows:
- Sync user from source forest to Azure AD (attribute-based) --> consistency GUID is written
- "Copy" user to target forest with ADMT (without sync attribute)
- Remove sync attribute from source forest user; AADC sync
- Add sync attribute to target forest user; AADC sync
While this worked flawlessly for two forests, we now see the behaviour that Azure AD Connect somehow "merges" the two users from both forests and writes the consistency GUID to both user accounts.
No matter which changes we configure for the source forest user (remove UPN, e-mail address, and so on), the user is always synced and, moreover, his settings overwrite any settings of the target forest user (i.e. proxy addresses, display name, etc.).
The only workaround at the moment is to remove the sync attribute temporarily, delete the source forest user and set the sync attribute on the target forest user. If we just remove the source account, Azure AD Connect runs into an error because it does not find the account anymore.
But this is no solution here as the source forest user must remain.
We can reproduce this behaviour in another customer environment. We use the May 19 version of Azure AD Connect.
Has anyone ever seen this or can give us hints on how to solve this issue or optimize the migration process?
Best regards
Ben
Sep 11 2019 08:48 AM