Recently I came across a situation with our Office 365 tenant deployment where a cloud user was created before we configured and ran Azure AD Sync against the on-premises Active Directory. Note that we already had a matching on-premises Active Directory user object with similar attributes. This resulted in an error when I attempted to synchronize my on-premises Active Directory with Office 365. Since the Office 365 tools seem to be evolving very quickly, I’ll list the tools I’m using at this time. My chosen deployment model is the Synchronized Identity model. The links are subject to change by Microsoft at any time:
a) Microsoft Azure Active Directory Sync Services. Allows you to onboard to Azure Active Directory and Office 365.
b) IdFix DirSync Error Remediation Tool. This tool is used to perform discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for migration to Office 365. IdFix is intended for the Active Directory administrators responsible for DirSync with the Office 365 service.
c) Microsoft Online Services Sign-In Assistant for IT Professionals RTW. This tool provides end user sign-in capabilities to Microsoft Online Services, such as Office 365.
d) Azure Active Directory Module for Windows PowerShell (64-bit version). As of this post, the 32-bit version of this tool has been discontinued by Microsoft.
Below is a screenshot of the error:
The error is caused by a duplicate: a cloud-only object and an on-premises AD user object with matching attributes, so the sync engine cannot tell which one the on-premises object should map to. To resolve the problem, I had to set the ImmutableId of the duplicate cloud identity to a value that matches the ObjectGuid of the on-premises user object. The ImmutableId value is obtained by converting the ObjectGuid of the matching on-premises Active Directory user object to a Base64 string.
1) Connect to the Office 365 online service using the following PowerShell cmdlet:
2) Get the ObjectGuid property of the on-premises AD user and assign it to a $guid PowerShell variable:
3) Use the ToBase64String() method of the System.Convert class to convert the ObjectGuid value (its raw bytes) into the ImmutableId value:
4) Use the new ImmutableId value to set the property on the duplicate cloud identity:
Set-MsolUser -UserPrincipalName email@example.com -ImmutableId $immutableid
5) Manually run the ADSync tool. Navigate to the ADSync installation folder and run the command-line tool: DirectorySyncClientCmd
6) Verify the cloud identity to make sure the status of the user has changed to “Synced with Active Directory”.
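The six steps above as one script, written here as an added example rather than taken from the original post. It assumes the MSOnline and ActiveDirectory PowerShell modules are installed, that the sAMAccountName and cloud UPN shown are placeholders for your own user, and that Azure AD Sync is installed at its default path and accepts the delta argument (both assumptions; adjust to your environment). It adds two checks the post does not show: a round-trip of the Base64 value back to the GUID, and a UPN/mail comparison so the anchor is not stamped onto the wrong cloud account.

```powershell
# Added example (not from the original post): the matching procedure as one script.
# Assumptions: MSOnline + ActiveDirectory modules installed; placeholder user names;
# default Azure AD Sync install path and the "delta" argument.

$onPremUser = 'jdoe'                                  # placeholder sAMAccountName
$cloudUpn   = 'jdoe@contoso.onmicrosoft.com'          # placeholder UPN of the duplicate cloud user
$syncCmd    = 'C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe'  # assumed path

# 1) Connect to the Office 365 service (prompts for tenant admin credentials).
Connect-MsolService

# 2) Read the ObjectGuid (and identifying attributes) of the on-premises user.
$adUser = Get-ADUser -Identity $onPremUser -Properties ObjectGuid, mail, UserPrincipalName
$guid   = $adUser.ObjectGuid

# 3) ImmutableId is the Base64 encoding of the GUID's 16 raw bytes.
$immutableId = [System.Convert]::ToBase64String($guid.ToByteArray())

# Check: decoding the Base64 string must give back the same GUID, otherwise the
# anchor can never match what the sync engine computes from the on-prem object.
$roundTrip = [System.Guid]::new([System.Convert]::FromBase64String($immutableId))
if ($roundTrip -ne $guid) { throw "ImmutableId round-trip failed for $onPremUser" }

# Check: refuse to bind the pair unless the on-prem UPN or mail matches the cloud UPN.
# Stamping the wrong cloud object would hand that mailbox and licenses to a different person.
if ($adUser.UserPrincipalName -ne $cloudUpn -and $adUser.mail -ne $cloudUpn) {
    throw "On-premises user $onPremUser does not match cloud user $cloudUpn; not setting ImmutableId"
}

# 4) Stamp the cloud object with the anchor.
Set-MsolUser -UserPrincipalName $cloudUpn -ImmutableId $immutableId

# Confirm the value landed before triggering a sync.
$cloudUser = Get-MsolUser -UserPrincipalName $cloudUpn
if ($cloudUser.ImmutableId -ne $immutableId) { throw "ImmutableId was not set on $cloudUpn" }

# 5) Run a delta sync (execute this part on the server where Azure AD Sync is installed).
& $syncCmd delta

# 6) Once the user has been matched, LastDirSyncTime is populated on the cloud object.
Get-MsolUser -UserPrincipalName $cloudUpn |
    Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime
```

Run it from a machine that has both the on-premises AD cmdlets and the MSOnline module, or split step 2 out and paste the resulting Base64 string into the cloud side if the two are not reachable from one host. The two throw checks are deliberately fatal: an ImmutableId is the only thing tying a cloud account to an on-premises object, so a wrong value is worse than no value.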
Usually, cloud identities that do not have an ImmutableId value are not matched to on-premises Active Directory objects during synchronization; the ImmutableId is the anchor the sync engine uses to tie the two together.