Hello @RJ Riemensnider,
Thank you for reaching out, and apologies for the delayed response.
When you create a new user account in AD, the user gets a new Object-ID, which is known as an ImmutableId in the cloud (here is a detailed explanation of how the conversion from ObjectGuid to ImmutableId happens), so if you compare the Immutable ID of the old account with that of the new account in the cloud, you will not find them identical, which is why the account merge did not occur. In such cases, you must follow the steps below to merge an on-premises account with an existing account in the cloud.
Note: This action plan is only suitable with Azure AD Connect (version 1.1.524.0 and later), which supports the use of the ms-DS-ConsistencyGuid attribute as the sourceAnchor attribute. More information may be found here.
Steps in brief: copy the Immutable ID of the old account from Azure AD, convert it to a string value, and then update this value in the "ms-ds-consistency-guid" attribute property of the newly created account in on-premises AD, followed by manually deleting the newly linked account in Azure AD.
Steps in Detail:
- To begin, disable the scheduler on the Azure AD Connect server while performing the following actions.
- Copy the Immutable ID of the old account from Azure AD using
  Get-MsolUser -UserPrincipalName <OldUserUPN> | select UserPrincipalName, ImmutableId
  and then convert the Immutable ID to an Object GUID using
  [Guid]([Convert]::FromBase64String("1wfM9xV8fUSHbcAbDlqeOA=="))
  to set this value in the "ms-ds-consistency-guid" attribute property of the newly created account in on-premises AD, or alternatively use the following cmdlet on the sync server, which updates the Immutable ID value in the "ms-ds-consistency-guid" attribute property:
  Set-ADSyncToolsMsDsConsistencyGuid -Identity 'CN=User1,OU=Sync,DC=Contoso,DC=com' -Value '1wfM9xV8fUSHbcAbDlqeOA=='
- Log in to the Azure portal and remove the new account from Azure AD. This deleted account is now in a 'soft deleted' state under "Deleted users" in AAD and must be deleted from there as well. Alternatively, you can also use these cmdlets to delete the user account from Azure AD and from the Recycle Bin:
  Remove-MsolUser -UserPrincipalName <UPN>
  Remove-MsolUser -UserPrincipalName <UPN> -RemoveFromRecycleBin
- Start the scheduler on the Azure AD Connect server, wait for the sync cycle to begin, and check whether the new account in AD is now linked to the old account in Azure AD.
I hope this was helpful.
-----
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
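The conversion and attribute write described in the answer above, as an added example that is not part of the original answer: it decodes the ImmutableId to a GUID, checks that the GUID encodes back to the same string, refuses to overwrite an anchor that is already populated, writes the 16 raw bytes to mS-DS-ConsistencyGuid with Set-ADUser, and reads the attribute back before the scheduler is re-enabled. The UPN is a constructed sample; the ActiveDirectory module is assumed to be available.

```powershell
# Added example (not from the original answer): convert an ImmutableId to a GUID,
# write it to mS-DS-ConsistencyGuid of the on-premises account, and verify the round trip.
# The UPN below is a constructed sample; the ImmutableId is the value quoted in the answer.
param(
    [string]$OnPremUserUpn = 'user1@contoso.com',
    [string]$ImmutableId   = '1wfM9xV8fUSHbcAbDlqeOA=='
)
Import-Module ActiveDirectory

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$Base64)
    $bytes = [Convert]::FromBase64String($Base64)
    if ($bytes.Length -ne 16) { throw "ImmutableId must decode to 16 bytes, got $($bytes.Length)" }
    [Guid]::new($bytes)
}

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][Guid]$Guid)
    [Convert]::ToBase64String($Guid.ToByteArray())
}

$guid = ConvertFrom-ImmutableId -Base64 $ImmutableId
# Sanity check: the GUID must encode back to exactly the ImmutableId copied from Azure AD.
if ((ConvertTo-ImmutableId $guid) -ne $ImmutableId) { throw 'Round-trip mismatch; aborting' }

$user = Get-ADUser -Filter "UserPrincipalName -eq '$OnPremUserUpn'" -Properties 'mS-DS-ConsistencyGuid'
if (-not $user) { throw "No on-premises user with UPN $OnPremUserUpn" }

# Refuse to overwrite an existing anchor: a populated value means the account is already linked.
if ($user.'mS-DS-ConsistencyGuid') {
    $existing = ConvertTo-ImmutableId ([Guid]::new([byte[]]$user.'mS-DS-ConsistencyGuid'))
    throw "mS-DS-ConsistencyGuid already set to $existing; not overwriting"
}

# The attribute is an octet string, so write the raw 16 bytes of the GUID.
Set-ADUser -Identity $user.DistinguishedName -Replace @{ 'mS-DS-ConsistencyGuid' = $guid.ToByteArray() }

# Read back and confirm the stored bytes equal the ImmutableId before re-enabling the scheduler.
$check  = Get-ADUser -Identity $user.DistinguishedName -Properties 'mS-DS-ConsistencyGuid'
$stored = ConvertTo-ImmutableId ([Guid]::new([byte[]]$check.'mS-DS-ConsistencyGuid'))
if ($stored -ne $ImmutableId) { throw "Verification failed: stored $stored, expected $ImmutableId" }
Write-Host "mS-DS-ConsistencyGuid on $OnPremUserUpn now matches ImmutableId $ImmutableId"
```

Run it on the on-premises AD side (or on the sync server) while the scheduler is still disabled; the final read-back is the check to do before starting the scheduler again.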