How to clear all On-premises attributes from previously synchronized Azure AD users

Denis Debijađi 20 Reputation points
2023-06-20T11:34:00.3166667+00:00

Hi,

Three years ago, we made a cut over to an on-premises domain with our Azure AD in order to have a cloud-only setup. Now we need to synchronize with the new Active Directory infrastructure and the new on-premises domain. Users in Azure AD that were synchronized from the old domain still have on-premises attributes, and Azure AD cannot synchronize them with users in the new on-premises domain because it obviously sees them as if they are already synchronized with a domain. I was trying to merge users, but it just tells me The fix process failed to update the values without any additional explanation. I also tried to make a hard match, but it just created a cloned user for me. Is there a way to delete those on-premises attributes or somehow force the merging of those users? Disputed attributes whose value still points to the wrong domain:

On-premises distinguished name

Extension attributes

On-premises immutable ID (changed after hard match attempt)

On-premises SAM account name

On-premises domain name

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,652 questions
Microsoft Exchange Hybrid Management
Microsoft Exchange Hybrid Management
Microsoft Exchange: Microsoft messaging and collaboration software.Hybrid Management: Organizing, handling, directing or controlling hybrid deployments.
2,136 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,137 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Jarvis Sun-MSFT 10,196 Reputation points Microsoft Vendor
    2023-06-21T06:29:18.5066667+00:00

    Hi Denis Debijađi ,

    Thanks for your posting in our Q&A forum. Unfortunately, this information cannot be cleared using PowerShell or Graph. You can create an Azure AD Support ticket requesting to clear all On-Premises Attributes from previously synchronized users on your tenant. Support Team should be able to contact product group with your tenant information and help you achieve this.

    Related thread: https://learn.microsoft.com/en-us/answers/questions/1058618/leftover-items-from-azure-ad-sync


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    1 person found this answer helpful.

  2. areels 0 Reputation points
    2024-07-24T13:01:43.7733333+00:00

    I have just discussed with Microsoft engineer about this issue.

    It's true that it's possible to request deletion of these attributes from microsoft but only if dirsync is turned off.

    So if you're converting users to cloud only by deleting and restoring from azure ad, keep in mind that it's not officially supported way to do so.

    What needs to be done is turning of dirsync, that's the proper way of converting users to cloud only. But in this case it will happen for all users, so you can't convert users to cloud only one by one. it has to be all or none.

    By the way, new graph beta can finally see these attributes but can't delete because they're read only.

    This script will show the attributes and then fail to delete

    Update-MgBetaUser_UpdateExpanded: Property 'onPremisesSamAccountName' is read-only and cannot be set. Status: 400 (BadRequest) ErrorCode: Request_BadRequest Date: 2024-07-23T21:40:28 Headers: Cache-Control : no-cache Vary : Accept-Encoding Strict-Transport-Security : max-age=31536000

    
    # Install the experimental Graph SDK module
    Install-Module -Name Microsoft.Graph.Beta -AllowClobber
    # Import the module
    Import-Module Microsoft.Graph.Beta
    # Connect to the Graph Beta environment
    Connect-MgGraph -Scopes "User.ReadWrite.All"
    
    $user = Get-MgBetaUser -UserId "user@domain.com"
    $user | Select-Object -Property OnPremisesSamAccountName, OnPremisesUserPrincipalName, OnPremisesDomainName, OnPremisesSecurityIdentifier, OnPremisesImmutableId
    
    
    # Update the user attributes
    Update-MgBetaUser -UserId $userId -OnPremisesSamAccountName $null -OnPremisesUserPrincipalName $null -OnPremisesSecurityIdentifier $null
    
    
    
    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.