AD Sync issues with previously dirsynced account

RJ Riemensnider 1 Reputation point
2022-04-28T15:17:39.083+00:00

We are trying to add a Teams room to an Exchange room resource. There is an Azure AD user associated with the room resource. In order to be able to have the room log in, we usually create a corresponding AD user, and AADConnect links the AD user with the Azure user no problem. I'm not sure what happened here, but the process failed and we had to delete the AD account and re-create it. The problem is that now the Azure account is in an odd state. Instead of linking to the existing Azure user account, a new account is generated, and the existing Azure account shows that it is not 'Directory Synced'; however, I cannot do a password change on it, and it says that it is synced with AD or federated. How do I view/edit the status of the Azure account and allow this account to be linked to AD? I suspect maybe there is a field populated that needs to be cleared out, maybe the UUID of the original?

Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.

1 answer

  1. Siva-kumar-selvaraj 15,546 Reputation points
    2022-05-04T17:01:57.087+00:00

    Hello @RJ Riemensnider ,

    Thank you for reaching out, and apologies for the delayed response.

    When you create a new user account in AD, the user gets a new Object-ID, which is known as an ImmutableId in the cloud (here is a detailed explanation of how the conversion happens from ObjectGuid to ImmutableId), so if you compare the Immutable ID of the old account with that of the new account in the cloud, you will not find them identical, which is why account merging did not occur. In such cases, you must follow the steps below to merge an on-premises account with an existing account in the cloud.

    Note: This action plan is only suitable with Azure AD Connect (version 1.1.524.0 and later), which supports the use of the ms-DS-ConsistencyGuid attribute as the sourceAnchor attribute. More information may be found here.

    Steps in brief: copy the Immutable ID of the old account from Azure AD, convert it to a string value, and then update this value in the "ms-ds-consistency-guid" attribute property of the newly created account in on-premises AD, followed by manually deleting the newly linked account in Azure AD.

    Steps in Detail:

    • To begin, disable the scheduler on the Azure AD Connect server while doing the following actions.
    • Copy the Immutable ID of the old account from Azure AD using Get-MsolUser -UserPrincipalName <OldUserUPN> | select UserPrincipalName, ImmutableId and then convert the Immutable ID to an Object GUID using [Guid]([Convert]::FromBase64String("1wfM9xV8fUSHbcAbDlqeOA==")) to set this value in the "ms-ds-consistency-guid" attribute property of the newly created account in on-premises AD, or alternatively use the following cmdlet on the sync server: Set-ADSyncToolsMsDsConsistencyGuid -Identity 'CN=User1,OU=Sync,DC=Contoso,DC=com' -Value '1wfM9xV8fUSHbcAbDlqeOA==', which updates the Immutable ID value in the "ms-ds-consistency-guid" attribute property.
    • Log in to the Azure portal and remove the new account from Azure AD. This deleted account is now in a 'soft deleted' state under "Deleted users" in AAD and must be deleted from there as well. Alternatively, you can also use these cmdlets to delete user accounts from Azure AD and the Recycle Bin: 'Remove-MsolUser -UserPrincipalName UPN' and 'Remove-MsolUser -UserPrincipalName UPN -RemoveFromRecycleBin'.
    • Start the scheduler on the Azure AD connect server, wait for the sync cycle to begin, and check to see if the new account in AD is linked to the old account in Azure AD.

    I hope this was helpful.

    -----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

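The procedure in the answer above, written out as one script with the checks a practitioner would want before and after stamping the anchor. This is an added example, not the answerer's own script or Microsoft's: it assumes it runs on the Azure AD Connect server with the ActiveDirectory, MSOnline and ADSync modules available, that ms-DS-ConsistencyGuid is the configured sourceAnchor (as the answer's note requires), and that the UPNs and the distinguished name are placeholders you replace. The base64 value it expects back is whatever Get-MsolUser returns for the account being kept; the sample "1wfM9xV8fUSHbcAbDlqeOA==" from the answer is the shape of that value.

```powershell
# Added example (not from the original answer): re-link a re-created on-premises user
# to an existing Azure AD account by stamping the cloud ImmutableId into mS-DS-ConsistencyGuid.
# Assumptions: run on the Azure AD Connect server; modules below are installed; UPNs and DN
# are placeholders for your own objects.
Import-Module ActiveDirectory
Import-Module MSOnline
Import-Module ADSync

$OldCloudUpn = 'room1@contoso.com'                    # placeholder: cloud account to KEEP
$NewCloudUpn = 'room1_duplicate@contoso.com'          # placeholder: duplicate created by the failed sync
$OnPremDn    = 'CN=Room1,OU=Sync,DC=contoso,DC=com'   # placeholder: re-created on-prem AD object

Connect-MsolService

# 1. Pause the scheduler so no sync cycle runs while the anchor is being changed.
Set-ADSyncScheduler -SyncCycleEnabled $false

# 2. Read the ImmutableId of the account to keep and convert base64 -> 16-byte GUID.
$old = Get-MsolUser -UserPrincipalName $OldCloudUpn
if (-not $old.ImmutableId) { throw "$OldCloudUpn has no ImmutableId; there is nothing to re-link to." }
$bytes = [Convert]::FromBase64String($old.ImmutableId)
if ($bytes.Length -ne 16) { throw "ImmutableId of $OldCloudUpn is not a 16-byte GUID; stop here." }
$guid = [Guid]$bytes

# 3. Refuse to silently overwrite an anchor that is already set on the on-prem object.
$adUser = Get-ADUser -Identity $OnPremDn -Properties 'mS-DS-ConsistencyGuid'
if ($adUser.'mS-DS-ConsistencyGuid') {
    throw "$OnPremDn already has mS-DS-ConsistencyGuid set; investigate before overwriting."
}
Set-ADUser -Identity $OnPremDn -Replace @{ 'mS-DS-ConsistencyGuid' = $guid.ToByteArray() }

# 4. Round-trip check: the stored bytes must encode back to exactly the cloud ImmutableId.
$stored    = (Get-ADUser -Identity $OnPremDn -Properties 'mS-DS-ConsistencyGuid').'mS-DS-ConsistencyGuid'
$roundTrip = [Convert]::ToBase64String([byte[]]$stored)
if ($roundTrip -ne $old.ImmutableId) { throw "Anchor mismatch: wrote $roundTrip, expected $($old.ImmutableId)" }

# 5. Remove the duplicate cloud object and purge it from the recycle bin so the anchor is unique.
Remove-MsolUser -UserPrincipalName $NewCloudUpn -Force
Remove-MsolUser -UserPrincipalName $NewCloudUpn -RemoveFromRecycleBin -Force

# 6. Resume the scheduler and request a delta sync cycle.
Set-ADSyncScheduler -SyncCycleEnabled $true
Start-ADSyncSyncCycle -PolicyType Delta
```

The round-trip check in step 4 is what guards against the mistake the question describes: if the anchor written on-premises does not encode back to the cloud ImmutableId byte for byte, Azure AD Connect will create yet another duplicate instead of matching. Start-ADSyncSyncCycle only queues the cycle, so confirm the link afterwards with Get-MsolUser -UserPrincipalName $OldCloudUpn | Select UserPrincipalName, ImmutableId, LastDirSyncTime and check that LastDirSyncTime has updated and the account now reports as directory synced.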