How to Connect an Exchange Online Mailbox to Another Account

How to merge two Office 365 user accounts

In some cases, you will see double accounts in Azure AD:

As you see, there are two accounts for the user Lene Hau:

  • One¬†account is a cloud-only account with an Exchange Online mailbox
  • The other is synchronized from an on-premises AD account and has no Exchange Online mailbox

The cause of this scenario varies, but quite often, it happens if you created Office 365 user accounts before implementing Azure AD Connect.

If your on-premises AD user account cannot soft-match with the Azure AD account during the initial sync, a new account is created instead.

We’ve seen different root causes of this issue, e.g., having migrated emails from a non-Exchange system to Office 365 before implementing Azure AD Connect.

How to Merge Double Office 365 User Accounts

To fix this problem, follow these seven steps to keep the naming convention of your synchronized on-premises account and, at the same time, keep the Office 365 mailbox associated with the cloud-only account.

1. Ensure that UPN and proxyAddresses are configured properly on-premises

Before you match the on-premises user account with the cloud-only mailbox-enabled Azure AD account, you need to review the UPN and proxyAddresses of the on-premises account.

When you link the on-premises account with the cloud-only account, the proxyAddresses from the on-premises account will replace the proxyAddresses of the cloud-only account.

So, make sure the on-premises account is in perfect shape before continuing.

2. Get the ImmutableId of the synchronized account

We need the ImmutableId that corresponds to the on-premises account in order to match the on-premises account with the mailbox-enabled cloud-only account that we want to preserve.

Use the following command to retrieve the ImmutableId:

(Get-MsolUser -UserPrincipalName

The result may look like this:

PS C:\> (Get-MsolUser -UserPrincipalName

3. Move the AD user out of replication scope and replicate Azure AD Connect

To soft-delete the synchronized account from Azure AD, we need to move the on-premises account into an OU that is not part of the replication scope of Azure AD Connect.

(review the Azure AD Connect configuration if you’re unsure how your synchronization scope is configured).

Afterward, to synchronize the change to Azure AD, you can use Easy365Manager to easily start the synchronization directly from AD Users & Computers:

If you don’t have Easy365Manager, you must use PowerShell to force the synchronization.

4. Wait for soft deletion of the user in Azure AD and then hard-delete the user

Use the following command to hard-delete the soft-deleted synchronized user account:

Get-MsolUser -UserPrincipalName -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force

5. Rename the Azure AD user which holds the mailbox

Use the following command to rename the cloud-only user account:

Set-MsolUserPrincipalName -UserPrincipalName -NewUserPrincipalName

6. Set the ImmutableId on the Azure AD user

Use the following command to configure the ImmutableId of the cloud-only account:

Set-MsolUser -UserPrincipalName -ImmutableId "TlNJ14afp0S1cmvntTssqQ=="

7. Move the AD user back into the replication scope and replicate Azure AD Connect

After a few minutes, the AD account is linked with the Azure AD account, and the sync status changes from cloud-only to synchronized.

Everything should look clean and nice now:

How to Manage Office 365 User Accounts

Many admins are frustrated by the many different web consoles needed for simple Office 365 management tasks.

Additionally, you need PowerShell for some tasks like calendar delegation.

That’s why we created Easy365Manager.

Easy365Manager is a snap-in to AD Users & Computers that lets you perform all daily Office 365 tasks from the well-known GUI of AD Users & Computers.

Even calendar rights are easily managed from the two new tabs on user properties:

With Easy365Manager, you can offload complex tasks (that usually would require PowerShell) to first-level support in a few minutes.

As a bonus, it’s possible to altogether remove your on-premises Exchange Server. This will give you 100% protection from future zero-day exploits like Hafnium.

Download the 30-day trial to try out the many features.

Did you like this post? Maybe your friends will too!