Easy DirSync hard-matching

If you've ever accidentally ended up in a scenario where you have two accounts for the same user in Office 365 - one synced with AD, and one in the cloud - it can be challenging to recover from this. Azure AD Connect generates a value to store as the "ImmutableID" in Azure AD, which uniquely identifies the user and ties them to the correct on-premises account.

99 percent of the time this value is derived from the on-premises ObjectGuid. There used to be a manual way to generate this value and set it as the ImmutableID yourself, but it appears the way Azure AD Connect generates this value has changed over time, and that manual method no longer produces the correct value.

The easiest way I've found to fix this is to take the value that Azure AD Connect generates for the synced object, then delete both objects, paste that value into the correct account, and let it all sync back up. Example process:

john.smith@domain.com (In Cloud)
john.smith689@domain.onmicrosoft.com (UPN Conflict / Synced)

1.) Get-MsolUser -UserPrincipalName john.smith689@domain.onmicrosoft.com | select ImmutableID

2.) Copy value and save somewhere

3.) Move john.smith689@domain.onmicrosoft.com out of the Azure AD Connect sync scope - e.g. use a temporary OU and exclude it from sync, or if you already have something like a "Disabled Users" OU excluded you can use that.

4.) Run a sync and confirm the account has been deleted.

5.) Set-MsolUser -UserPrincipalName john.smith@domain.com -ImmutableID [value saved from earlier]
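The steps above as two guarded PowerShell functions around the same MSOnline cmdlets. This is an added example, not code from the original post; it assumes Connect-MsolService has already been run, and the UPNs and backup path are placeholders.

```powershell
# Added example (not from the original post): the hard-match steps above as two
# guarded PowerShell functions around the MSOnline cmdlets the post uses.
# Assumes Connect-MsolService has been run; UPNs and the backup path are placeholders.

function Save-SyncedImmutableId {
    # Steps 1 and 2: read the ImmutableID from the conflicting synced object and keep a copy on disk.
    param([string]$SyncedUpn, [string]$BackupFile = "$env:TEMP\immutableid-backup.txt")

    $synced = Get-MsolUser -UserPrincipalName $SyncedUpn -ErrorAction Stop
    if (-not $synced.ImmutableId) { throw "$SyncedUpn has no ImmutableID, so it is not a synced object." }

    # An ImmutableID derived from ObjectGuid is 16 bytes, base64-encoded; anything else deserves a look.
    $bytes = [Convert]::FromBase64String($synced.ImmutableId)
    if ($bytes.Length -ne 16) { Write-Warning "ImmutableID decodes to $($bytes.Length) bytes, not 16." }

    "$SyncedUpn`t$($synced.ImmutableId)" | Out-File -FilePath $BackupFile -Append
    Write-Host "Saved ImmutableID $($synced.ImmutableId) for $SyncedUpn to $BackupFile"
    return $synced.ImmutableId
}

function Set-HardMatchAnchor {
    # Step 5, run only after the synced object has been excluded from sync and removed (steps 3 and 4).
    param([string]$SyncedUpn, [string]$CloudUpn, [string]$ImmutableId)

    if (Get-MsolUser -UserPrincipalName $SyncedUpn -ErrorAction SilentlyContinue) {
        throw "$SyncedUpn still exists in Azure AD; finish steps 3 and 4 first."
    }
    # A soft-deleted copy still holds its ImmutableID and can collide with the value being set.
    if (Get-MsolUser -UserPrincipalName $SyncedUpn -ReturnDeletedUsers -ErrorAction SilentlyContinue) {
        Write-Warning "$SyncedUpn is still in the Azure AD recycle bin and holds the same ImmutableID."
    }

    $cloud = Get-MsolUser -UserPrincipalName $CloudUpn -ErrorAction Stop
    if ($cloud.LastDirSyncTime) { throw "$CloudUpn has been synced before; refusing to overwrite its anchor." }
    if ($cloud.ImmutableId)     { throw "$CloudUpn already carries ImmutableID $($cloud.ImmutableId)." }

    Set-MsolUser -UserPrincipalName $CloudUpn -ImmutableId $ImmutableId

    # Verify the write before letting Azure AD Connect bring the on-premises object back into scope.
    $after = (Get-MsolUser -UserPrincipalName $CloudUpn).ImmutableId
    if ($after -ne $ImmutableId) { throw "ImmutableID on $CloudUpn is '$after', expected '$ImmutableId'." }
    Write-Host "Hard-match anchor set on $CloudUpn; move the AD object back into sync scope and run a sync."
}

# Before steps 3 and 4:
# $id = Save-SyncedImmutableId -SyncedUpn 'john.smith689@domain.onmicrosoft.com'
# After steps 3 and 4:
# Set-HardMatchAnchor -SyncedUpn 'john.smith689@domain.onmicrosoft.com' -CloudUpn 'john.smith@domain.com' -ImmutableId $id
```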

More from Darryl Mitchell