Reconnecting a synchronized Entra ID account with a new on-premises Active Directory account

Question

I had an on-premises Active Directory account that was synchronized with Entra ID and was linked with an Entra ID account.

I moved the on-premises Active Directory account out of scope for sync and the Entra ID account was soft-deleted, and its immutable ID was cleared along with all the other on-premises attributes.

The Entra ID account was later restored and the userPrincipalName was changed.

A new on-premises Active Directory account was created with the same userPrincipalName, and it was placed in scope for sync.

The Entra ID account was partially updated with the new on-premises Active Directory account attributes, but the old immutable ID was restored on the Entra ID account and now I see a RedundantSoftDelete error in Connect Sync.

Is it not possible to soft-match an Entra ID account to an on-premises Active Directory account if that Entra ID account was previously synced but soft-deleted and stripped of its previous on-premises attributes?

Answer 1

Hello,

Thanks for your question.

From reviewing the issue, I see the problem lies in that Entra ID account was restored, but its userPrincipalName was changed, and the old immutable ID was retained.

I'd recommend the following:

• Check if the immutable ID in the Entra ID is still referencing the old on-premises AD account. If so, it needs to be updated or removed to match the new account. You can use: https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http
• Once you confirm this, to fix: Set-MsolUser -UserPrincipalName <UPN> -ImmutableId $null
• Rerun sync on Entra Connect

See: https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-install-existing-tenant?source=recommendations

If the above information was helpful please remember to mark 'Accept Answer' and 'Upvote'

Regards,

Abiola