question

RJRiemensnider-3942 asked

AD Sync issues with previously dirsyced account

We are trying to add a team room to an Exchange room resource. There is an Azure AD user associated with the room resource. In order to be able to have the room log in, we usually create a corresponding AD user and AADConnect links the AD user with the Azure user no problem. I'm not sure what happened here but the process failed and we had to delete the AD account and re-create it. The problem is that now the Azure account is in an odd state. Instead of linking to the existing Azure user account, a new account is generated and the existing Azure account shows that it is not 'Directory Synced'; however, I cannot do a password change on it and it says that it is synced with AD or Federated. How do I view/edit the status of the Azure account and allow this account to be linked to AD? I suspect maybe there is a field populated that needs to be cleared out, maybe the UUID of the original?

azure-active-directory

Or would this be an issue with AADConnect?


I see that the AD user account info has:

"dirSyncEnabled" set to False and not $null and it has an immutableID set. I'm trying to change these attributes but no luck with Set-AzureADUser or Set-MsolUser. How do I edit these?


Hi @RJRiemensnider-3942, just checking in to see if the below answer helped. If this answers your query, please don't forget to click "Accept the answer" and up-vote it, which might be beneficial to other community members reading this thread. And if you have any further query, do let us know.


1 Answer

sikumars answered

Hello @RJRiemensnider-3942,

Thank you for reaching out, and apologies for the delayed response.

When you create a new user account in AD, the user gets a new Object ID, which is known as an ImmutableId in the cloud (here is a detailed explanation of how the conversion from ObjectGuid to ImmutableId happens), so if you compare the Immutable ID of the old account with that of the new account in the cloud, you will not find them identical, which is why account merging did not occur. In such cases, you must follow the steps below to merge an on-premises account with an existing account in the cloud.

Note: This action plan is only suitable with Azure AD Connect (version 1.1.524.0 and later), which supports the use of the ms-DS-ConsistencyGuid attribute as the sourceAnchor attribute. More information may be found here.

Steps in brief: copy the Immutable ID of the old account from Azure AD, convert it to a string value, and then update this value in the "ms-ds-consistency-guid" attribute property of the newly created account in on-premises AD, followed by manually deleting the newly linked account in Azure AD.

Steps in Detail:

  • To begin, disable the scheduler on the Azure AD Connect server while doing the following actions.

  • Copy the immutable ID of the old account from Azure AD using Get-MsolUser -UserPrincipalName <NewUserUPN> | select UserPrincipalName, ImmutableId and then convert the Immutable ID to an Object GUID using [Guid]([Convert]::FromBase64String("1wfM9xV8fUSHbcAbDlqeOA==")) to set this value in the "ms-ds-consistency-guid" attribute property of the newly created account in on-premises AD, or alternatively use the following cmdlet on the sync server: Set-ADSyncToolsMsDsConsistencyGuid -Identity 'CN=User1,OU=Sync,DC=Contoso,DC=com' -Value '1wfM9xV8fUSHbcAbDlqeOA==' which updates the immutable ID value in the "ms-ds-consistency-guid" attribute property.

  • Log in to the Azure portal and remove the new account from Azure AD. This deleted account is now in a 'soft deleted' state under "deleted users" in AAD and must be deleted from there as well. Alternatively, you can also use these cmdlets to delete user accounts from Azure AD and the Recycle Bin: 'Remove-MsolUser -UserPrincipalName UPN' and 'Remove-MsolUser -UserPrincipalName UPN -RemoveFromRecycleBin'.

  • Start the scheduler on the Azure AD Connect server, wait for the sync cycle to begin, and check to see if the new account in AD is linked to the old account in Azure AD.

I hope this was helpful.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
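The anchor comparison and ms-DS-ConsistencyGuid write described in the answer above, as an added PowerShell example that is not part of the original thread. It assumes the ActiveDirectory and MSOnline modules are installed, Connect-MsolService has already been run, the AAD Connect scheduler is disabled, and the UPN and DN values are placeholders to be replaced.

```powershell
# Added example (not from the original thread). Compare the old cloud account's
# ImmutableId with the anchor the re-created on-prem object presents, then stamp
# the cloud ImmutableId into mS-DS-ConsistencyGuid so the next sync cycle matches.

function ConvertFrom-ImmutableId {
    # Base64 ImmutableId -> [Guid]. The decoded bytes are already in .NET Guid
    # byte order, which is what the Guid(byte[]) constructor expects.
    param([Parameter(Mandatory)][string]$ImmutableId)
    [Guid][Convert]::FromBase64String($ImmutableId)
}

function ConvertTo-ImmutableId {
    # [Guid] -> Base64 ImmutableId; the inverse of the conversion above.
    param([Parameter(Mandatory)][Guid]$Guid)
    [Convert]::ToBase64String($Guid.ToByteArray())
}

$oldCloudUpn = 'room-old@contoso.com'                 # placeholder: the cloud account that lost its link
$newAdUserDn = 'CN=Room1,OU=Sync,DC=contoso,DC=com'   # placeholder: the re-created on-prem object

# 1. Which sourceAnchor does the existing cloud account expect?
$cloudImmutableId = (Get-MsolUser -UserPrincipalName $oldCloudUpn).ImmutableId
$expectedGuid     = ConvertFrom-ImmutableId $cloudImmutableId

# 2. Which anchor does the new AD object present? mS-DS-ConsistencyGuid if set, else objectGUID.
$adUser = Get-ADUser -Identity $newAdUserDn -Properties objectGUID, 'mS-DS-ConsistencyGuid'
$currentAnchor = if ($adUser.'mS-DS-ConsistencyGuid') {
    [Guid]$adUser.'mS-DS-ConsistencyGuid'
} else {
    $adUser.ObjectGUID
}

if ($currentAnchor -eq $expectedGuid) {
    Write-Host "Anchors already match ($expectedGuid); nothing to change."
    return
}
Write-Host "Mismatch: cloud expects $expectedGuid, AD object presents $currentAnchor."

# 3. mS-DS-ConsistencyGuid is a binary attribute, so write the raw 16 bytes.
Set-ADUser -Identity $newAdUserDn -Replace @{ 'mS-DS-ConsistencyGuid' = $expectedGuid.ToByteArray() }

# 4. Read back and confirm the round trip reproduces the cloud ImmutableId exactly.
$readBack = (Get-ADUser -Identity $newAdUserDn -Properties 'mS-DS-ConsistencyGuid').'mS-DS-ConsistencyGuid'
if ($readBack -and (ConvertTo-ImmutableId ([Guid]$readBack)) -eq $cloudImmutableId) {
    Write-Host 'mS-DS-ConsistencyGuid now carries the old ImmutableId; delete the duplicate cloud user, then re-enable the scheduler.'
} else {
    Write-Warning 'Read-back did not match; do not re-enable the scheduler until this is resolved.'
}
```

With the value quoted in the answer, ConvertFrom-ImmutableId '1wfM9xV8fUSHbcAbDlqeOA==' yields f7cc07d7-7c15-447d-876d-c01b0e5a9e38, and ConvertTo-ImmutableId on that GUID returns the original string.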
