I have a weird ADSync error stating that my local Active Directory contains two objects with the same ProxyAddress property. One of the accounts is username@domain.tld (which is correct) and the second is username@domain.onmicrosoft.com (which is nonexistent in AD in my opinion), and, according to the DirSync error report, both of them contain the same conflicting ProxyAddress username@domain.tld. Azure AD shows that both accounts are sourced from the local Active Directory. The point is that someone could have created the *onmicrosoft.com account years ago to test Office 365.

I have checked two things so far:

  1. Small PowerShell script to test for the same proxyAddress in local AD:

    Get-ADUser -Filter * -Properties proxyAddresses | foreach {
        foreach ($address in $_.proxyAddresses) {
            if ($address -eq 'smtp:username@domain.tld') {
                Write-Host $address
            }
        }
    }

  2. Checking the immutableIDs of the conflicting accounts:

    $user = Get-ADUser legit_account
    $immutableid = [System.Convert]::ToBase64String($user.ObjectGUID.ToByteArray())
    $immutableid # shows the same as the legit account in the DirSync report

    $badImmutableID = 'base64 copied from bad account DirSync error report=='

    $users = Get-ADUser -Filter *
    foreach ($usr in $users) {
        $currImmutableID = [System.Convert]::ToBase64String($usr.ObjectGUID.ToByteArray())
        if ($currImmutableID -eq $badImmutableID) {
            $usr
        }
    }

This script provides no output for the bad immutableID (but works with others).

I am actually stuck at this point: Azure AD won't let me delete the bad account to resolve the conflict, saying I have to solve it in local AD, while there is no such account there. Any ideas would be highly appreciated.

Cyrill U


You need to disable the AD synchronization before deleting that bad account:

Step 1 – Install the Azure Active Directory Module for Windows PowerShell

    Install-Module -Name MSOnline
    Install-Module -Name AzureAD

Step 2 – Connect to Azure AD

    Connect-MsolService

Step 3 – Disable Directory Synchronization

    Set-MsolDirSyncEnabled -EnableDirSync $false

Step 4 – Check Directory Synchronization Status

    (Get-MsolCompanyInformation).DirectorySynchronizationEnabled

Continue to run this cmdlet periodically until it returns False, and then go to the next step. Note that Azure AD won't be usable during this period of time.

Step 5 – Delete the orphaned object

    Remove-MsolUser -UserPrincipalName user@domain.onmicrosoft.com

Step 6 – Enable Directory Synchronization

    Set-MsolDirSyncEnabled -EnableDirSync $true

More info here: You can't manage or remove objects that were synchronized through the Azure Active Directory Sync tool

Edit: WARNING: As pointed out by Cyrill U, enabling synchronization again can take up to 72 hours, so that has to be taken into account before this procedure.

More info: Directory synchronization for Office 365, Azure, or Intune can't be activated or deactivated

Gabriel Talavera
    Thank you. At least it worked to step 5 - now I'm waiting to enable DirSync back at "You cannot turn off synchronization" error. Probably we should add a notification to someone who could also find the solution that MS won't allow turning DirSync on right after it has been turned off according to this: https://support.microsoft.com/en-us/help/2654338/directory-synchronization-for-office-365-azure-or-intune-can-t-be-acti – Cyrill U May 24 '20 at 09:16
  • You are absolutely right, I'll update the answer to reflect that caveat! – Gabriel Talavera May 24 '20 at 17:03
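Because disabling DirSync takes the tenant out of sync for hours, it is worth confirming which cloud object is actually the orphan first. The following script is an added example (not from the question or the answer): it finds every Azure AD user carrying the conflicting proxy address, reverses each ImmutableId back to the on-prem objectGUID it encodes, and reports whether that GUID still resolves in local AD. It assumes the MSOnline and ActiveDirectory modules are loaded, Connect-MsolService has already been run, and the address value is a placeholder taken from the question.

```powershell
# Added example, not part of the original post. Assumes MSOnline and
# ActiveDirectory modules are imported and Connect-MsolService was run.
$conflictAddress = 'smtp:username@domain.tld'   # placeholder from the question

# ImmutableId is the base64 form of the on-prem objectGUID; reverse it.
function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    [guid]::new([System.Convert]::FromBase64String($ImmutableId))
}

# PowerShell's -contains is case-insensitive, so 'SMTP:' and 'smtp:' both match.
$candidates = Get-MsolUser -All | Where-Object {
    $_.ProxyAddresses -contains $conflictAddress
}

foreach ($cloudUser in $candidates) {
    $onPrem = $null
    if ($cloudUser.ImmutableId) {
        $guid = ConvertFrom-ImmutableId $cloudUser.ImmutableId
        # A missing on-prem object is the finding we want, not an error to abort on.
        $onPrem = Get-ADUser -Identity $guid -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        UserPrincipalName = $cloudUser.UserPrincipalName
        ImmutableId       = $cloudUser.ImmutableId
        LastDirSyncTime   = $cloudUser.LastDirSyncTime
        OnPremObject      = if ($onPrem) { $onPrem.DistinguishedName } else { 'NONE (orphan candidate)' }
    }
}
```

A row whose ImmutableId decodes to a GUID that no longer exists in local AD is the object the answer's Remove-MsolUser step targets; the legitimate account should resolve to its distinguished name.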