If your system uses AADDS for authentication, Azure AD Connect is a great way to improve the user experience in corporate environments. Unfortunately, this quite new successor to DirConnect doesn’t always get things right and you might end up with duplicate content in your Azure / O365 tenant.
When you deploy AD Connect in an established business, it is often the case that the legacy cloud accounts (Office 365 users) do not match usernames in AD database. The best practice is to streamline all usernames across both environments (Azure and on-prem), but in reality it’s not always that easy.
Many folks decide to use “mail” as the synchronization UserPrincipalName. In fact, this is a Microsoft recommended approach – but in some cases it fails to recognize existing cloud users by their email. Human errors are also common: from providing aliases instead of O365 usernames to AD User accounts without email address filled in, it’s not that difficult to end up with duplicated users in your Azure ledger.
These “ghost” AD accounts cannot be removed using your usual Office 365 portal, because they are “in sync”, meaning managed by the AD Connect service. The fix is quite simple.
First, fix the AD database (i.e. correct or fill in the missing email address).
Then, connect to Azure with PowerShell:
Let’s grab our usernames as variables, for readability and usability:
$adu = "tom.pawelek"
$azx = "[email protected]"
$azu = "[email protected]"
In the example above the variables are:
- $adu – local AD username
- $azx – ghost O365 account (typically $adu + on-prem domain)
- $azu – the target (currently unmatched) O365 account, portal sync status should read “cloud” for this entity
Finally, we can correct the Azure records. The script below will remove our ghost account from the cloud, calculate our target’s AD immutable ID and finally set the target O365 account’s properties to use this newly calculated ID during synchronization.
# Soft-delete the ghost account, then purge it from the recycle bin
Remove-MsolUser -UserPrincipalName $azx
Remove-MsolUser -UserPrincipalName $azx -RemoveFromRecycleBin
# Base64-encode the on-prem objectGUID; this is the value AD Connect uses as the source anchor
$immutableID = [System.Convert]::ToBase64String(((Get-ADUser $adu).ObjectGUID).ToByteArray())
# Stamp the anchor on the cloud account so the next sync cycle hard-matches it to the AD object
Set-MsolUser -UserPrincipalName $azu -ImmutableId $immutableID
For AD Connect, this is as unambiguous as it gets.
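The same procedure with guard rails, as an added example that is not part of the original post. It assumes the MSOnline, ActiveDirectory and (on the AD Connect server) ADSync modules are installed, that the on-prem record has already been corrected, and that the three placeholder values are replaced with your own. The checks it adds matter because ImmutableId is the hard-match anchor: stamping the wrong value links an on-prem account to someone else’s cloud identity, and deleting the wrong object is irreversible once it leaves the recycle bin.

```powershell
# Added example (not from the original post): guarded ghost-account clean-up.
# Assumes MSOnline + ActiveDirectory modules; the variables below are placeholders.
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService   # interactive Global Administrator sign-in

$adu = "ad.username"                 # on-prem sAMAccountName (placeholder)
$azx = "ghost.user@onprem.example"   # synced "ghost" account to remove (placeholder)
$azu = "target.user@tenant.example"  # cloud-only account to keep (placeholder)

# 1. Derive the immutable ID from the on-prem objectGUID, and refuse to continue
#    if the AD record still lacks the mail attribute the sync relies on.
$adUser = Get-ADUser -Identity $adu -Properties mail
if (-not $adUser.mail) { throw "AD account $adu has no mail attribute; fix AD first." }
$immutableID = [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

# 2. Verify both cloud objects are what we think they are before touching anything.
$ghost  = Get-MsolUser -UserPrincipalName $azx -ErrorAction Stop
$target = Get-MsolUser -UserPrincipalName $azu -ErrorAction Stop
if (-not $ghost.LastDirSyncTime) {
    throw "$azx was never synced from AD; it is not a ghost account, refusing to delete."
}
if ($ghost.ImmutableId -ne $immutableID) {
    throw "Ghost $azx carries ImmutableId '$($ghost.ImmutableId)', expected '$immutableID'; it comes from a different AD object."
}
if ($target.ImmutableId) {
    throw "$azu already has ImmutableId '$($target.ImmutableId)'; refusing to overwrite an existing hard-match anchor."
}

# 3. Remove the ghost (soft-delete, then purge) and anchor the target to the AD object.
#    Run these back to back so a sync cycle cannot recreate the ghost in between.
Remove-MsolUser -UserPrincipalName $azx -Force
Remove-MsolUser -UserPrincipalName $azx -RemoveFromRecycleBin -Force
Set-MsolUser -UserPrincipalName $azu -ImmutableId $immutableID

# 4. On the AD Connect server, kick off a delta sync so the hard match is applied now
#    rather than at the next scheduled cycle.
Start-ADSyncSyncCycle -PolicyType Delta
```

The second check is the important one: a ghost account created by AD Connect from this very AD object will already carry the same Base64-encoded objectGUID, so a mismatch means you are about to delete an account that belongs to a different on-prem user. After the delta sync, the portal’s sync status for the target account should flip from “cloud” to “in sync”.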