Matching an Office 365 Azure Cloud user Identity with an On-premise Active Directory User Object.

Recently I came across a situation in our Office 365 tenant deployment where a cloud user had been created before we configured and ran Azure AD Sync against the on-premises Active Directory. Note that we already had a matching on-premises Active Directory user object with similar attributes. This produced an error when I attempted to synchronize the on-premises Active Directory with Office 365. Since the Office 365 tools are evolving very quickly, I'll go ahead and list the tools I'm using at this time. My chosen deployment model is the Synchronized Identity model. The links are subject to change by Microsoft at any time:

a) Microsoft Azure Active Directory Sync Services. Allows you to onboard to Azure Active Directory and Office 365.
b) IdFix DirSync Error Remediation Tool. This tool is used to perform discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for migration to Office 365. IdFix is intended for the Active Directory administrators responsible for DirSync with the Office 365 service.
c) Microsoft Online Services Sign-In Assistant for IT Professionals RTW. This tool provides end user sign-in capabilities to Microsoft Online Services, such as Office 365.
d) Azure Active Directory Module for Windows PowerShell (64-bit version). As of this post, the 32-bit version of this tool has been discontinued by Microsoft.

Below is a screenshot of the error:

[Screenshot: adsyncerror]

The error is the result of a cloud identity and an on-premises AD user object that duplicate each other's attributes. To resolve the problem, I had to set the ImmutableId of the duplicate cloud identity to a value that corresponds to the ObjectGuid of the on-premises user object. The ImmutableId value is obtained by converting (Base64-encoding) the ObjectGuid of the matching on-premises Active Directory user object.

1) Connect to the Office 365 online service using the following PowerShell cmdlet:

Connect-MsolService

2) Get the ObjectGuid property of the on-premises AD user and assign it to a $guid PowerShell variable:

[Screenshot: adsyncerror00]

3) Use the ToBase64String() method of the System.Convert class to convert the ObjectGuid value to the ImmutableId value:

$immutableid = [System.Convert]::ToBase64String($guid.ToByteArray())

[Screenshot: adsyncerror01]

4) Use the new ImmutableId value to set the ImmutableId property of the duplicate cloud identity:

Set-MsolUser -UserPrincipalName philip.snyder@genesysconsults.net -ImmutableId $immutableid

5) Manually run the ADSync tool. Navigate to the ADSync installation folder and run the command-line tool: DirectorySyncClientCmd

6) Verify the cloud identity to make sure the status of the user has changed to "Synced with Active Directory".

Usually, cloud identities that do not have an ImmutableId value are not synchronized with the on-premises Active Directory.
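The steps above carried out as one PowerShell function, added here as an example and not code from the original post. It assumes the ActiveDirectory and MSOnline modules are installed, that Connect-MsolService has already been run, and that the on-premises account is looked up by sAMAccountName; the sAMAccountName and UPN in the example call are placeholders. Beyond the post's own steps it adds the check a practitioner wants before overwriting an anchor: it decodes any ImmutableId already present on the cloud user back to a GUID and refuses to re-point an identity that is already synchronized.

```powershell
# Added example, not the post's own code. Assumes the ActiveDirectory and
# MSOnline modules are available and that Connect-MsolService has been run.
Import-Module ActiveDirectory
Import-Module MSOnline

function Get-ImmutableIdFromGuid {
    param([Parameter(Mandatory)][guid]$Guid)
    # ImmutableId is the Base64 encoding of the GUID's 16 raw bytes
    # (the same conversion as step 3 of the post).
    [System.Convert]::ToBase64String($Guid.ToByteArray())
}

function Get-GuidFromImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse conversion: shows which on-premises GUID an existing ImmutableId points at.
    $bytes = [System.Convert]::FromBase64String($ImmutableId)
    New-Object -TypeName System.Guid -ArgumentList (,$bytes)
}

function Repair-CloudUserAnchor {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,     # on-premises account (placeholder in the call below)
        [Parameter(Mandatory)][string]$UserPrincipalName,  # cloud identity to fix (placeholder in the call below)
        [switch]$WhatIf
    )
    # Get-ADUser returns ObjectGUID by default; no -Properties needed.
    $adUser   = Get-ADUser -Identity $SamAccountName
    $expected = Get-ImmutableIdFromGuid -Guid $adUser.ObjectGUID

    $cloudUser = Get-MsolUser -UserPrincipalName $UserPrincipalName
    if ($cloudUser.ImmutableId -eq $expected) {
        Write-Host "Already matched: $UserPrincipalName -> $($adUser.ObjectGUID)"
        return
    }
    if ($cloudUser.ImmutableId) {
        # Never silently re-point an identity that is anchored to some other object.
        $current = Get-GuidFromImmutableId -ImmutableId $cloudUser.ImmutableId
        Write-Warning "$UserPrincipalName is anchored to GUID $current; expected $($adUser.ObjectGUID)"
        if ($cloudUser.LastDirSyncTime) {
            throw "User has already been synchronized; correct the on-premises object instead of overwriting the anchor."
        }
    }
    if ($WhatIf) {
        Write-Host "Would set ImmutableId of $UserPrincipalName to $expected"
        return
    }
    Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId $expected
    Write-Host "Set ImmutableId of $UserPrincipalName to $expected"
}

# Example call with placeholder values; drop -WhatIf to apply the change,
# then run DirectorySyncClientCmd as in step 5.
Repair-CloudUserAnchor -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@contoso.example' -WhatIf
```

Run it first with -WhatIf so the decoded GUID of any existing ImmutableId can be compared against the on-premises object before anything is written. If a newer Azure AD Connect installation uses mS-DS-ConsistencyGuid as its source anchor rather than objectGUID, the bytes to encode come from that attribute instead of ObjectGUID.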


6 Responses to Matching an Office 365 Azure Cloud user Identity with an On-premise Active Directory User Object.

  1. Pingback: Configuring Hybrid Configuration on Exchange Server 2010 SP3 for Migration to Office 365 (Exchange Online). | chinny chukwudozie,it pro

  2. jbernec says:

    I checked it out. Good stuff.

  3. Shawn says:

    Hi, with the new AD Connect version it now uses mS-DS-ConsistencyGuid instead of objectGUID, so how can we get the ImmutableID?

  4. Nate Cox says:

    Here is a bit of code to check your entire environment for mismatches:
    https://github.com/Nathanac/PowerShell/blob/master/ImmutableId-Mismatch-Finder.ps1

  5. Stacy M says:

    Thanks for sharing this
