Fixing Office 365 Azure AD Sync issues
Symptoms:You have synced the AD users, but you have duplicates or two of a similar user (reception@ and receptionist@). You try to edit the UPN of either user and you receive an error saying that the attribute must be unique.
On the sync service you get an error saying the attribute(usually the UPN) must be unique.
Background:UPN = username (and usually email address)
ImmutableID (anchor) = used to link an AD user to an Office 365 user (after UPN matching)
In AD there exists an account with a UPN: email@example.com
In Office 365 there exists an account with a UPN: firstname.lastname@example.org
These two accounts are the same user, but their O365 email address does not match up with their UPN (not usually a problem, but during the initial sync it is)
The problem:The AD sync service is started and AD users are synced with Office 365 users.
You log into Office 365 and see two users now: email@example.com(unlicensed) and firstname.lastname@example.org(licensed)
You try to un-sync email@example.com and change the UPN of mail1, but the next time you run the sync you get an "attribute must be unique" error or you get a duplicate again.
What happened?When you synced the AD user firstname.lastname@example.org AD sync did not find a user "email@example.com" in Office 365 so it created a new user. When you un-sync the user it is moved to the Azure recycle bin so it still exists. You will be able to set the UPN of firstname.lastname@example.org to email@example.com, but the sync will still not work because there already exists an O365 user anchored to firstname.lastname@example.org.
- You are seeing two Office 365 accounts for the same user (email@example.com and firstname.lastname@example.org), one is "Online only" and the other is "Synced with Active Directory"
- It could also be like the screenshot below where one of them has a .onmicrosoft.com email
- Only email@example.com should exist
- Delete the "synced with Active Directory"(firstname.lastname@example.org) account and hard match the AD account with the one in 365 (email@example.com) which presumably has all the mail data.
- Computer with Powershell 5.0+ and the Active Directory RSAT tools (doesn't have to be your domain controller)
- Access to the computer with Azure AD Connect installed
Follow the following steps exactly. Do not skip around.
- Un Sync the AD user
- Move the problem user to an OU that is not being synced with Azure (you will need to modify your config if you are syncing all OUs)
- Run an Azure Sync Cycle
- The user should now show up as deleted on Office 365
- Install the MSOL powershell module
- Install-Module MSOnline
- Import-module MSOnline
- Permanently delete the problem user from 365
- Get-MsolUser -UserPrincipalName firstname.lastname@example.org -ReturnDeletedUsers | Remove-MSOLUser -RemoveFromRecycleBin
- The user should disappear from 365 within the next few minutes
- Manually Match the AD user with the 365 user
- Run this script
- The unique ID of the two users will now match (you won't see this anywhere in the UI)
- Sync the AD user again
- Move the user back into a synced OU and run another sync cycle
- Almost done
- At this point you should see a single user on 365 that shows up as "Synced with Active Directory" with a UPN of email@example.com
- Fixing the UPN
- You may notice that the UPN of the mailbox is the same as the one in AD; if this is your intention then you are done.
- However, if your user's email address and AD username don't match then you will need to change the UPN of the 365 account.
- Set-MsolUserPrincipalName -UserPrincipalName firstname.lastname@example.org -NewUserPrincipalName email@example.com