Azure AD Connect Hybrid - Adding a user to local AD which is already present on Azure AD causes a double to appear

Fabio Bologna 0 Reputation points
2023-11-24T17:00:22.6233333+00:00

Hello,

As the title implies, I have an Azure AD already setup for our Office365 subscription in my company.

We are now going through a remodeling of our internal structure both hardware and software so we wanted to perform the hybridization of our Active Directory which was only on-premise up until now.

I managed to set it up mostly with Azure AD Connect V2 but I have 2 accounts which are causing issues...

All other accounts are hybridized correctly.

These 2 on the first attempt just didn't go on because of a non-unique SMTP value, which is false because there was no other user with that email address.

The second attempt I deleted the users in on-premise AD, synced up the schema, recreated the users on-premise, and synced up again. This time Azure created 2 new users with the same full name but with a made-up principal.

The sync element in Connect is set to the principal and the principal was the same between the on-premise and azure users already existing, so I don't understand why it created new users instead of connecting the existing ones.

Active Directory
Microsoft Entra ID

1 answer

  1. Sandeep G-MSFT 16,691 Reputation points Microsoft Employee
    2023-11-27T04:09:40.07+00:00

    @Fabio Bologna

    Thank you for posting this in Microsoft Q&A.

    As I understand, you have newly set up a hybrid environment in your organization. Everything is working fine except for 2 user accounts. There are 2 new duplicate accounts getting created in Azure AD with unique UPN values.

    This happens whenever the same proxy address or the same UPN value is present on any other object in Azure AD.

    This is called "Duplicate Attribute Resiliency".

    When there is any of the duplicate values found in Azure AD, instead of completely failing to provision or update an object with a duplicate attribute, Microsoft Entra ID “quarantines” the duplicate attribute which would violate the uniqueness constraint. If this attribute is required for provisioning, like UserPrincipalName, the service assigns a placeholder value. The format of these temporary values is
    <OriginalPrefix>+<4DigitNumber>@<InitialTenantDomain>.onmicrosoft.com.

    You can refer below article for more information.

    https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-syncservice-duplicate-attribute-resiliency#behavior-with-duplicate-attribute-resiliency

    To fix this issue you will have to identify the objects in Azure AD which are stamped with the same attribute values as the problematic users.

    You can run below commands in PowerShell to get the object.

    • Open Windows PowerShell as administrator.
    • Run the command "Install-Module MSOnline".
    • Connect to Azure AD using the commands below.
    • $Msolcred = Get-Credential
    • Connect-MsolService -Credential $Msolcred
    • The first command prompts for credentials and stores them as $Msolcred. The next command uses those credentials as $Msolcred to connect to the service. When it prompts for credentials you will have to provide Global admin credentials.

    Now to find the object in Azure AD which is stamped with the same attribute values as the problematic users, you can run the commands below one by one.

    Let's consider you have a user account with UPN "user@contoso.com" which is not syncing to Azure AD.

    • Get-MsolUser -All | where {$_.userPrincipalName -like "*user@contoso.com"}
    • Get-MsolUser -All | where {$_.proxyAddresses -like "*user@contoso.com"}
    • Get-MsolGroup -All | where {$_.proxyAddresses -like "*user@contoso.com"}

    Note: Run above commands one by one and confirm if you get any result in output.

    If you get any result in the output, then this is the object which has the same UPN or proxy address value as "user@contoso.com".

    Let me know if you have any further questions on this.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

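The conflict search described in the answer, as an added example that is not part of the original post or Microsoft's documentation. It uses the Microsoft Graph PowerShell SDK (`Install-Module Microsoft.Graph`) rather than the MSOnline module the answer relies on, and extends the search in three directions a practitioner usually needs: it checks users, groups and org contacts in Entra ID for the address; it lists the placeholder UPNs that Duplicate Attribute Resiliency assigns (the `<OriginalPrefix><4DigitNumber>@<InitialTenantDomain>.onmicrosoft.com` format quoted above); and it checks the on-premises side, both for another AD object holding the address and for the Base64 ImmutableId that a hard match would compare. The function names, the tenant domain `contoso.onmicrosoft.com`, the address `user@contoso.com` and the Graph permission scopes are assumptions for illustration.

```powershell
# Added example (not code from the Q&A post). Requires the Microsoft.Graph and
# ActiveDirectory modules. Assumes the account used for Connect-MgGraph can be
# granted User.Read.All, Group.Read.All and OrgContact.Read.All.

function Connect-TenantForConflictSearch {
    Connect-MgGraph -Scopes 'User.Read.All', 'Group.Read.All', 'OrgContact.Read.All' -NoWelcome
}

# Find every Entra ID object (user, group, org contact) whose UPN, mail or
# proxyAddresses carries the address. The wildcard ignores the SMTP:/smtp:/SIP:
# prefix on proxyAddresses, which is the same logic as the answer's -like filter.
function Find-EntraAddressConflict {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Address)

    $pattern = '*' + $Address
    $hits = New-Object System.Collections.Generic.List[object]

    Get-MgUser -All -Property Id,DisplayName,UserPrincipalName,ProxyAddresses,OnPremisesSyncEnabled,OnPremisesImmutableId |
        Where-Object { $_.UserPrincipalName -like $pattern -or ($_.ProxyAddresses -like $pattern) } |
        ForEach-Object {
            $hits.Add([pscustomobject]@{
                Type = 'User'; Id = $_.Id; Name = $_.DisplayName; Identifier = $_.UserPrincipalName
                Synced = [bool]$_.OnPremisesSyncEnabled; ImmutableId = $_.OnPremisesImmutableId
                Matched = (@($_.ProxyAddresses) -like $pattern) -join ';'
            })
        }

    Get-MgGroup -All -Property Id,DisplayName,Mail,ProxyAddresses |
        Where-Object { $_.Mail -like $pattern -or ($_.ProxyAddresses -like $pattern) } |
        ForEach-Object {
            $hits.Add([pscustomobject]@{
                Type = 'Group'; Id = $_.Id; Name = $_.DisplayName; Identifier = $_.Mail
                Synced = $null; ImmutableId = $null; Matched = (@($_.ProxyAddresses) -like $pattern) -join ';'
            })
        }

    # Org contacts (mail-enabled contacts) also own proxyAddresses and are an easy-to-miss cause.
    Get-MgContact -All -Property Id,DisplayName,Mail,ProxyAddresses |
        Where-Object { $_.Mail -like $pattern -or ($_.ProxyAddresses -like $pattern) } |
        ForEach-Object {
            $hits.Add([pscustomobject]@{
                Type = 'Contact'; Id = $_.Id; Name = $_.DisplayName; Identifier = $_.Mail
                Synced = $null; ImmutableId = $null; Matched = (@($_.ProxyAddresses) -like $pattern) -join ';'
            })
        }

    return $hits
}

# List users whose UPN matches the placeholder format that Duplicate Attribute
# Resiliency assigns when the real UPN is quarantined. A genuine user can also
# end in four digits, so the output is a candidate list, not proof.
function Find-QuarantinePlaceholderUpn {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$InitialDomain)   # e.g. contoso.onmicrosoft.com

    $re = '^(?<prefix>.+?)(?<digits>\d{4})@' + [regex]::Escape($InitialDomain) + '$'
    Get-MgUser -All -Property Id,DisplayName,UserPrincipalName,OnPremisesSyncEnabled `
               -Filter "endsWith(userPrincipalName,'@$InitialDomain')" -ConsistencyLevel eventual -CountVariable count |
        Where-Object { $_.UserPrincipalName -match $re } |
        Select-Object Id, DisplayName, UserPrincipalName, OnPremisesSyncEnabled,
                      @{ n = 'OriginalPrefix'; e = { $Matches.prefix } }
}

# On-premises side: another AD object (contact, group, disabled user) holding the
# address explains a "non-unique proxyAddress" export error just as well.
function Find-AdAddressConflict {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Address)

    $ldap = "(|(proxyAddresses=*$Address)(userPrincipalName=$Address)(mail=$Address))"
    Get-ADObject -LDAPFilter $ldap -Properties objectClass,userPrincipalName,mail,proxyAddresses |
        Select-Object DistinguishedName, ObjectClass, UserPrincipalName, Mail,
                      @{ n = 'ProxyAddresses'; e = { $_.proxyAddresses -join ';' } }
}

# Compute the ImmutableId the cloud object must carry for a hard match. With the
# default source anchor Entra Connect stores objectGUID in mS-DS-ConsistencyGuid;
# the cloud OnPremisesImmutableId is the Base64 of those 16 bytes. If the two
# differ, Connect falls back to a soft match on UPN/proxyAddresses, and a
# conflict there is what produces the quarantined, renamed duplicate.
function Get-AdImmutableId {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName -Properties objectGUID, 'mS-DS-ConsistencyGuid'
    $bytes = if ($u.'mS-DS-ConsistencyGuid') { [byte[]]$u.'mS-DS-ConsistencyGuid' } else { $u.ObjectGUID.ToByteArray() }
    [Convert]::ToBase64String($bytes)
}

# Usage (placeholders):
# Connect-TenantForConflictSearch
# Find-EntraAddressConflict -Address 'user@contoso.com' | Format-Table
# Find-QuarantinePlaceholderUpn -InitialDomain 'contoso.onmicrosoft.com' | Format-Table
# Find-AdAddressConflict -Address 'user@contoso.com' | Format-Table
# Get-AdImmutableId -SamAccountName 'user'
```

Compare the `ImmutableId` column from `Find-EntraAddressConflict` with the value `Get-AdImmutableId` returns for the re-created on-premises account: a user deleted and re-created in AD gets a new objectGUID, so the existing cloud object will not hard-match it and can only be joined by a clean soft match, which a leftover proxy address on any other object blocks. The Graph `endsWith` filter needs the `-ConsistencyLevel eventual` and `-CountVariable` arguments shown; without them the request is rejected.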