
Merging existing AD users in Entra AD

Anonymous
2024-08-23T11:48:06+00:00

I'm hoping to get a little help from the community because I'm running into a roadblock.

I'm looking to implement a hybrid solution for our Active Directory. There are two purposes for this. Firstly, for the single sign-on experience between our on-prem Exchange server and AD, and our Microsoft 365 cloud-based Office/Teams programs. Right now users basically have two different accounts that share the same email address: the on-prem and the cloud account.

I set up Azure AD Connect to "sync" my Active Directory to Entra, and it works perfectly as long as the user doesn't already exist in the cloud. For example, I have a test user created on my local AD that did not have an Office 365 account, and so this user synced up perfectly.

Users that already exist in both locations have errors similar to the following error:

Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:{email edited out};]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values. Tracking Id: ffbc3aa2-655c-4a31-b3e9-56034c9abc72 ExtraErrorDetails: [{"Key":"ObjectId","Value":["b8f2ad3a-b354-4c63-8cc6-f8f606ad2ddc"]},{"Key":"ObjectIdInConflict","Value":["cbe9e17c-f53a-42f4-8012-7df672f298b0"]},{"Key":"AttributeConflictName","Value":["ProxyAddresses"]},{"Key":"AttributeConflictValues","Value":["SMTP:{email edited out}"]}]

I looked up the IDs, and the ObjectId is for the internal AD user and the ObjectIdInConflict is the Office 365 user. It's correctly associated the two accounts together; it just won't actually do the merge for some reason. To me it says there is a conflict because both accounts have the same email address listed in ProxyAddresses, but shouldn't they match? I have read that the UPN and the proxyAddresses are supposed to match in order for it to know how to associate the two accounts together.

How do I get this Azure AD Connect to correctly merge my accounts?

Thanks,

Jared Jamiel


Answer accepted by question author

Anonymous
2024-08-23T12:21:03+00:00

Hi, Jared Jamiel1

Good day!

Thanks for posting into our community.

According to your description, it sounds like you're facing a common issue when trying to merge existing Active Directory (AD) users with Entra AD using Azure AD Connect.

Here are some steps and considerations that might help you resolve this issue:

  1. Soft Matching: This method uses the userPrincipalName (UPN) and primary SMTP address to match on-premises AD users with existing Azure AD users. Ensure that the UPN and primary SMTP address in your on-premises AD match those in Azure AD. You can enable soft matching by running the following PowerShell command:
    # Requires the MSOnline module and an existing Connect-MsolService session
    Set-MsolDirSyncFeature -Feature EnableSoftMatchOnUpn -Enable $true
    
  2. Hard Matching: If soft matching doesn't work, you can use hard matching by setting the ImmutableID attribute in Azure AD to match the on-premises AD object. This can be done using the following PowerShell commands:
    # Get the ImmutableID of the on-premises AD user
    # (Base64 of the ObjectGUID's byte array, which is what the sync engine uses as the anchor)
    $OnPremUser = Get-ADUser -Identity "username" -Properties ObjectGUID
    $ImmutableID = [System.Convert]::ToBase64String($OnPremUser.ObjectGUID.ToByteArray())
    
    # Set the ImmutableID in Azure AD (requires Connect-MsolService)
    Set-MsolUser -UserPrincipalName "******@domain.com" -ImmutableId $ImmutableID
    
  3. ProxyAddresses Conflict: The error message indicates a conflict with the ProxyAddresses attribute. Ensure that there are no duplicate values in the ProxyAddresses attribute in your on-premises AD. You may need to remove or correct these duplicate values.
  4. Clear ImmutableID: If there are existing conflicts, you might need to clear the ImmutableID property in Azure AD for the conflicting object before attempting to merge. This can be done using the following PowerShell command:
    # The quoted "$null" expands to an empty string, which clears the existing anchor
    Set-MsolUser -UserPrincipalName "******@domain.com" -ImmutableId "$null"
    
  5. Documentation and Community Resources: Refer to the official Microsoft documentation and community forums for additional guidance and troubleshooting steps. Here are some useful links:

If these steps do not resolve the issue, you might want to consider reaching out to Microsoft Azure Support for further assistance. They can provide more detailed troubleshooting based on your specific situation - Search | Microsoft Learn.

Thanks for your precious time and your understanding would be highly appreciated.

Wishing you all the best!

Microsoft Community Moderator.


2 additional answers

  1. Anonymous
    2024-10-09T15:28:45+00:00

    The MSOnline module is deprecated, you should expect it to not work at all eventually. Here's what works for us when we encounter this issue:

    Run the following commands in PowerShell on the DC:

        # Build the Base64 anchor from the on-prem user's ObjectGUID
        $OnPremUser = Get-ADUser -Identity "<sAMAccountName of the user>" -Properties ObjectGUID
        $immutableId = [System.Convert]::ToBase64String($OnPremUser.ObjectGUID.ToByteArray())

    You can check to make sure this worked by just running $immutableId and it should give you the string.

    Next, you'll need to install the MgGraph PowerShell module if you haven't already.

        Install-Module Microsoft.Graph -Scope CurrentUser
        Connect-MgGraph -Scopes User.ReadWrite.All
        # Write the anchor onto the existing cloud user
        Update-MgUser -UserId "<UPN of the 365 user>" -OnPremisesImmutableId $immutableId

    Run a delta sync and check to make sure the user is synced in the Sync Service Manager. You can confirm by checking in the 365 admin portal.

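The hard-matching steps in the accepted answer and the Microsoft.Graph version in the answer above both write the anchor straight away. The script below is an added example, not code from either answer or from Microsoft: it does the same ObjectGUID-to-ImmutableId conversion, then reads the cloud object first and reports what it finds (already anchored to this object, anchored to some other on-prem object, or still cloud-only with a UPN or SMTP address that differs) before anything is written. It assumes the ActiveDirectory and Microsoft.Graph.Users modules are installed, an existing Connect-MgGraph -Scopes User.ReadWrite.All session, and placeholder values for the on-prem sAMAccountName and cloud UPN; the -Apply switch is a convention of this script, not of either module.

```powershell
# Added example (not from the original answers): pre-flight check before hard matching.
# Assumes: ActiveDirectory + Microsoft.Graph.Users modules, an existing
# Connect-MgGraph -Scopes User.ReadWrite.All session, and placeholder identities below.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # on-prem user to anchor from
    [Parameter(Mandatory)] [string] $CloudUpn,         # existing Entra user to match
    [switch] $Apply                                    # default is report-only
)

# Entra stores OnPremisesImmutableId as Base64 of Guid.ToByteArray(), i.e. the
# mixed-endian byte order, not the bytes of the GUID's text form.
function ConvertTo-ImmutableId([guid] $ObjectGuid) {
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}
function ConvertFrom-ImmutableId([string] $ImmutableId) {
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

$onPrem   = Get-ADUser -Identity $SamAccountName -Properties ObjectGUID, proxyAddresses
$expected = ConvertTo-ImmutableId $onPrem.ObjectGUID
$cloud    = Get-MgUser -UserId $CloudUpn -Property 'id,userPrincipalName,onPremisesImmutableId,onPremisesSyncEnabled,proxyAddresses'

Write-Host "On-prem : $($onPrem.UserPrincipalName)  ObjectGUID=$($onPrem.ObjectGUID)"
Write-Host "Expected ImmutableId: $expected"
Write-Host "Cloud   : $($cloud.UserPrincipalName)  SyncEnabled=$($cloud.OnPremisesSyncEnabled)"
Write-Host "Current  ImmutableId: $($cloud.OnPremisesImmutableId)"

# 1. Already anchored to this very object: nothing to write, just sync.
if ($cloud.OnPremisesImmutableId -eq $expected) {
    Write-Host 'Cloud object already carries this ObjectGUID; run a delta sync instead.'
    return
}

# 2. Anchored to a *different* on-prem object: decode the anchor so you can see which one
#    before clearing it. Re-pointing blindly can silently take over the wrong mailbox.
if ($cloud.OnPremisesImmutableId) {
    $otherGuid = ConvertFrom-ImmutableId $cloud.OnPremisesImmutableId
    $other     = Get-ADObject -Identity $otherGuid -ErrorAction SilentlyContinue
    $where     = if ($other) { $other.DistinguishedName } else { 'not found in this forest' }
    Write-Warning "Cloud object is anchored to ObjectGUID $otherGuid ($where)."
    Write-Warning 'Clear that anchor (and understand why it is there) before re-pointing it.'
    return
}

# 3. Still cloud-only: check that UPN and SMTP addresses line up, since mismatches here
#    are what surface as the ProxyAddresses conflict in the Connect error.
if ($cloud.UserPrincipalName -ne $onPrem.UserPrincipalName) {
    Write-Warning "UPN mismatch: on-prem '$($onPrem.UserPrincipalName)' vs cloud '$($cloud.UserPrincipalName)'."
}
$onPremSmtp = @($onPrem.proxyAddresses | Where-Object { $_ -like 'smtp:*' } | ForEach-Object { $_.ToLowerInvariant() })
$cloudSmtp  = @($cloud.ProxyAddresses  | Where-Object { $_ -like 'smtp:*' } | ForEach-Object { $_.ToLowerInvariant() })
$onlyCloud  = @($cloudSmtp | Where-Object { $_ -notin $onPremSmtp })
if ($onlyCloud.Count -gt 0) {
    Write-Warning "Addresses present in the cloud but not on-prem: $($onlyCloud -join ', ')"
}

# 4. Write the anchor only when explicitly asked; a plain run changes nothing.
if ($Apply) {
    Update-MgUser -UserId $cloud.Id -OnPremisesImmutableId $expected
    Write-Host 'ImmutableId set. Run Start-ADSyncSyncCycle -PolicyType Delta on the Connect server and re-check.'
} else {
    Write-Host "Report only. Re-run with -Apply to set OnPremisesImmutableId = $expected"
}
```

Run it once without -Apply and read the warnings; the decode step in case 2 is the quickest way to turn an unexplained existing anchor (the ObjectIdInConflict situation from the original error) into a concrete on-prem DN you can look at.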
  2. Anonymous
    2024-08-26T11:49:39+00:00

    [ Set-MsolDirSyncFeature -Feature EnableSoftMatchOnUpn -Enable $true] seems to have done the trick!

    It looks like new OUs that I add to the sync are syncing correctly this time around.

    I do still have one issue. The user that I was trying to sync before I ran the above code is still not syncing. Is there a way to get this user to work in the same way?

    Thanks,

    Jared Jamiel
