I finally resolved this blocking issue.
The root cause was that deleted objects still present in the Microsoft 365 admin console's recycle bin contained attributes conflicting with my production objects. Specifically, SMTP addresses in the ProxyAddress attribute and UPNs.
To verify this, you need to connect to Azure console via PowerShell.
First, connect to Azure console via PowerShell:
Install-Module MSOnline
Import the newly installed module:
Import-Module MSOnline
Initiate connection with a Microsoft 365 tenant admin account:
Connect-MSOLService
View accounts located in the 365 recycle bin:
Get-MsolUser -ReturnDeletedUser
Identify the account to remove - in my case, it was a new account created by the Entra Connect Connector with a number in the identifier but whose proxyaddress attribute contains the exact SMTP address of one of my production accounts, let's call her "John Doe":
Remove-MsolUser -UserPrincipalName ******@myowncompany.onmicrosoft.com -RemoveFromRecycleBin
This should resolve the blocking issue in the Microsoft Entra Connect Health web interface, allowing you to apply your change to merge the two accounts (the one from your local Active Directory and the Entra ID directory on 365).
If that doesn't work, you can do it via command line, but this time using PowerShell connected to Microsoft Graph PowerShell. While there may be cleaner methods, this approach worked for me.
If the value to retrieve from Entra ID (Azure AD) is the unique identifier of your user in local AD, also known as ImmutableId, make sure to retrieve it in its Base64 encoded format, as it appears in the left side of the conflict management window. It looks something like this: 6PicGygF50QtmxjSYa25og==. Otherwise, you'll need to convert it from your local AD GUID using this method:
Retrieve the objectGuid of your user, in this case John Doe:
Get-ADUser john.doe | fl userPrincipalName,objectGuid
userPrincipalName : ******@myowncompany.com
objectGuid : f7cc05d7-7c15-247d-523d-c01b0e4a6e38
Then run the conversion:
[Convert]::ToBase64String([guid]::New("f7cc05d7-7c15-247d-523d-c01b0e4a6e38").ToByteArray())
1wXM9xV8fSRSPcAbDkpuOA==
I'll continue with my example of a conflict and missing ImmutableId attribute on my user John Doe's account.
First, install the Microsoft Graph PowerShell connection module:
Install-Module Microsoft.Graph -Force
Add the beta components to get all options:
Install-Module Microsoft.Graph.Beta -AllowClobber -Force
Connect using the 365 tenant admin account:
Connect-MgGraph -Scopes "User.ReadWrite.All"
Now let's try to read the value of the 365 account that's conflicting with a local AD account:
Get-MgUser -UserId "******@myowncompany.com" -Property OnPremisesImmutableId, UserPrincipalName | Format-List UserPrincipalName, OnPremisesImmutableId
The OnPremisesImmutableId value should be empty since the 365 account hasn't received it from the local AD sync.
Get-MgUser -UserId ******@myowncompany.com -Property UserPrincipalName,OnPremisesImmutableId | fl UserPrincipalName,OnPremisesImmutableId
UserPrincipalName : ******@myowncompany.com
OnPremisesImmutableId :
Now we apply the OnPremisesImmutableId that we retrieved, either from the 365 error console or by calculating it from the local AD user account's objectGuid converted to Base64 as shown above:
Update-MgUser -UserId "******@myowncompany.com" -OnPremisesImmutableId "1wXM9xV8fSRSPcAbDkpuOA=="
If everything is correct, this should work. If not, check your 365 recycle bin again as indicated at the beginning of this message.
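As an added example (not part of the original post), here is the same procedure wrapped in a few PowerShell functions: the objectGuid to ImmutableId conversion with its reverse, so the value shown in the conflict window can be decoded and compared with the local AD object, a scan of the recycle bin for deleted objects that still carry a given SMTP address, and a guarded version of the final Update-MgUser step that refuses to write when the value does not match the AD user or when the cloud account already has an anchor. It assumes the MSOnline, Microsoft.Graph and ActiveDirectory modules are installed and that Connect-MSOLService and Connect-MgGraph -Scopes "User.ReadWrite.All" have already been run; the GUID and Base64 value are the ones from the post, and the UPN and sAMAccountName are placeholders. Function names are my own.

```powershell
function ConvertTo-ImmutableId {
    # Local AD objectGuid -> Base64 ImmutableId, the form Entra Connect writes
    # into OnPremisesImmutableId. ToByteArray() emits the GUID's mixed-endian
    # byte order, which is what the sync engine uses; converting the GUID
    # string's hex pairs left to right by hand gives a different (wrong) value.
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Base64 ImmutableId (as shown in the Entra Connect Health conflict window)
    # -> objectGuid, so it can be compared with the local AD object.
    param([Parameter(Mandatory)][string]$ImmutableId)
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

# Offline round trip using the values from the post (runs without any tenant).
$guid = [guid]'f7cc05d7-7c15-247d-523d-c01b0e4a6e38'
$id   = ConvertTo-ImmutableId $guid
if ($id -ne '1wXM9xV8fSRSPcAbDkpuOA==') { throw "Unexpected ImmutableId: $id" }
if ((ConvertFrom-ImmutableId $id) -ne $guid) { throw 'Round-trip mismatch' }

function Find-RecycleBinConflict {
    # Lists deleted (recycle bin) objects whose proxyAddresses still carry the
    # given SMTP address or whose UPN equals it. Needs Connect-MSOLService.
    param([Parameter(Mandatory)][string]$SmtpAddress)
    Get-MsolUser -ReturnDeletedUser -All | Where-Object {
        $_.UserPrincipalName -eq $SmtpAddress -or
        ($_.ProxyAddresses | Where-Object { $_ -like "*:$SmtpAddress" })
    } | Select-Object UserPrincipalName, ObjectId, ProxyAddresses
}

function Set-ImmutableIdIfSafe {
    # Writes OnPremisesImmutableId on the cloud account only when:
    #  1. the value decodes to the objectGuid of the named local AD user, and
    #  2. the cloud account has no OnPremisesImmutableId yet, so an object that
    #     is already synced is never silently re-anchored to another AD user.
    # Needs Connect-MgGraph with User.ReadWrite.All and the ActiveDirectory module.
    param(
        [Parameter(Mandatory)][string]$CloudUpn,          # placeholder, e.g. john.doe@myowncompany.com
        [Parameter(Mandatory)][string]$AdSamAccountName,  # placeholder, e.g. john.doe
        [Parameter(Mandatory)][string]$ImmutableId        # from the conflict window or ConvertTo-ImmutableId
    )
    $ad = Get-ADUser -Identity $AdSamAccountName -Properties objectGuid
    $expected = ConvertTo-ImmutableId $ad.ObjectGUID
    if ($expected -ne $ImmutableId) {
        throw "'$ImmutableId' does not match objectGuid $($ad.ObjectGUID) of $AdSamAccountName (expected '$expected')"
    }

    $cloud = Get-MgUser -UserId $CloudUpn -Property UserPrincipalName, OnPremisesImmutableId
    if ($cloud.OnPremisesImmutableId) {
        throw "$CloudUpn already has OnPremisesImmutableId '$($cloud.OnPremisesImmutableId)'; refusing to overwrite"
    }

    Update-MgUser -UserId $CloudUpn -OnPremisesImmutableId $ImmutableId
    # Re-read so the caller sees the value that actually landed in the tenant.
    (Get-MgUser -UserId $CloudUpn -Property OnPremisesImmutableId).OnPremisesImmutableId
}

# Usage against a tenant (placeholders; requires the connections named above):
# Find-RecycleBinConflict -SmtpAddress 'john.doe@myowncompany.com'
# Set-ImmutableIdIfSafe -CloudUpn 'john.doe@myowncompany.com' -AdSamAccountName 'john.doe' -ImmutableId $id
```

The two throw checks are the point: the conflict window shows the Base64 value, Get-ADUser shows the GUID, and comparing them through ConvertTo-ImmutableId before calling Update-MgUser catches a hand-converted value with the wrong byte order or a value copied from the wrong conflict row, which would otherwise anchor the cloud account to a different on-premises object.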