In some cases, you will see double accounts in Azure AD:
As you see, there are two accounts for the user Lene Hau:
- One account is a cloud-only account with an Exchange Online mailbox
- The other is synchronized from an on-premises AD account and has no Exchange Online mailbox
The cause of this scenario varies, but quite often, it happens if you created Office 365 user accounts before implementing Azure AD Connect.
If your on-premises AD user account cannot soft-match with the Azure AD account during the initial sync, a new account is created instead.
We’ve seen different root causes of this issue, e.g., having migrated emails from a non-Exchange system to Office 365 before implementing Azure AD Connect.
How to Merge Double Office 365 User Accounts
To fix this problem, follow these seven steps to keep the naming convention of your synchronized on-premises account and, at the same time, keep the Office 365 mailbox associated with the cloud-only account.
1. Ensure that UPN and proxyAddresses are configured properly on-premises
Before you match the on-premises user account with the cloud-only mailbox-enabled Azure AD account, you need to review the UPN and proxyAddresses of the on-premises account.
When you link the on-premises account with the cloud-only account, the proxyAddresses from the on-premises account will replace the proxyAddresses of the cloud-only account.
So, make sure the on-premises account is in perfect shape before continuing.
2. Get the ImmutableId of the synchronized account
We need the ImmutableId that corresponds to the on-premises account in order to match the on-premises account with the mailbox-enabled cloud-only account that we want to preserve.
Use the following command to retrieve the ImmutableId:
(Get-MsolUser -UserPrincipalName email@example.com).ImmutableId
The result may look like this:
PS C:\> (Get-MsolUser -UserPrincipalName firstname.lastname@example.org).ImmutableId
TlNJ14afp0S1cmvntTssqQ==
3. Move the AD user out of replication scope and replicate Azure AD Connect
To soft-delete the synchronized account from Azure AD, we need to move the on-premises account into an OU that is not part of the replication scope of Azure AD Connect (review the Azure AD Connect configuration if you’re unsure how your synchronization scope is configured).
Afterward, to synchronize the change to Azure AD, you can use Easy365Manager to easily start the synchronization directly from AD Users & Computers:
If you don’t have Easy365Manager, you must use PowerShell to force the synchronization.
4. Wait for soft deletion of the user in Azure AD and then hard-delete the user
Use the following command to hard-delete the soft-deleted synchronized user account:
Get-MsolUser -UserPrincipalName email@example.com -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force
5. Rename the Azure AD user which holds the mailbox
Use the following command to rename the cloud-only user account:
Set-MsolUserPrincipalName -UserPrincipalName firstname.lastname@example.org -NewUserPrincipalName email@example.com
6. Set the ImmutableId on the Azure AD user
Use the following command to configure the ImmutableId of the cloud-only account:
Set-MsolUser -UserPrincipalName firstname.lastname@example.org -ImmutableId "TlNJ14afp0S1cmvntTssqQ=="
7. Move the AD user back into the replication scope and replicate Azure AD Connect
After a few minutes, the AD account is linked with the Azure AD account, and the sync status changes from cloud-only to synchronized.
Everything should look clean and nice now:
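The seven steps above as one checked PowerShell run, an added example that is not from the original post or from Easy365Manager. It assumes the MSOnline, ActiveDirectory and ADSync modules, that Connect-MsolService has already been run, that the script executes on the Azure AD Connect server, and placeholder values ($OnPremSam, the two UPNs, the OUs) that you replace; the extra check before step 6 confirms the ImmutableId is the base64 objectGUID of the intended on-premises object, so the hard match cannot land on the wrong account.

```powershell
# Added example (not from the original post). Assumes MSOnline, ActiveDirectory and ADSync
# modules, Connect-MsolService already run, and execution on the Azure AD Connect server.
# Placeholder values; replace with your own before running.
$OnPremSam    = 'lhau'                                 # sAMAccountName of the on-premises user
$SyncedUpn    = 'lene.hau@contoso.com'                 # UPN of the synchronized, mailbox-less account
$CloudOnlyUpn = 'lene.hau@contoso.onmicrosoft.com'     # UPN of the cloud-only account holding the mailbox
$OutOfScopeOu = 'OU=NoSync,DC=contoso,DC=com'          # OU excluded from the Azure AD Connect scope
$InScopeOu    = 'OU=Users,DC=contoso,DC=com'           # OU inside the sync scope

# Step 1: the on-premises UPN and proxyAddresses will overwrite the cloud-only values, so check them first
$adUser  = Get-ADUser -Identity $OnPremSam -Properties proxyAddresses
if ($adUser.UserPrincipalName -ne $SyncedUpn) { throw "On-prem UPN is '$($adUser.UserPrincipalName)', expected '$SyncedUpn'" }
$primary = @($adUser.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
if ($primary.Count -ne 1) { throw "Expected exactly one primary SMTP: address, found $($primary.Count)" }

# Step 2: read the ImmutableId and confirm it is the base64 objectGUID of this exact AD object
$immutableId = (Get-MsolUser -UserPrincipalName $SyncedUpn).ImmutableId
$expectedId  = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
if ($immutableId -ne $expectedId) { throw "ImmutableId '$immutableId' does not match objectGUID of $OnPremSam ('$expectedId')" }

# Step 3: move the AD user out of the sync scope and push the change with a delta sync
Move-ADObject -Identity $adUser.DistinguishedName -TargetPath $OutOfScopeOu
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

# Step 4: wait (bounded) for the soft delete, then remove the synchronized account from the recycle bin
$deleted = $null
for ($i = 0; -not $deleted -and $i -lt 30; $i++) {
    Start-Sleep -Seconds 60
    $deleted = Get-MsolUser -UserPrincipalName $SyncedUpn -ReturnDeletedUsers -ErrorAction SilentlyContinue
}
if (-not $deleted) { throw "$SyncedUpn was not soft-deleted within 30 minutes; check the sync scope" }
$deleted | Remove-MsolUser -RemoveFromRecycleBin -Force

# Step 5: give the cloud-only mailbox account the on-premises UPN
Set-MsolUserPrincipalName -UserPrincipalName $CloudOnlyUpn -NewUserPrincipalName $SyncedUpn

# Step 6: hard-match the (now renamed) cloud-only account to the AD object via its ImmutableId
Set-MsolUser -UserPrincipalName $SyncedUpn -ImmutableId $immutableId

# Step 7: move the AD user back into scope, sync, and confirm the account now reports as synchronized
$adUser = Get-ADUser -Identity $OnPremSam           # re-read: the DN changed with the move
Move-ADObject -Identity $adUser.DistinguishedName -TargetPath $InScopeOu
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
Start-Sleep -Seconds 120
$merged = Get-MsolUser -UserPrincipalName $SyncedUpn
if (-not $merged.LastDirSyncTime) { Write-Warning "$SyncedUpn still shows as cloud-only; allow more time and re-check" }
"{0}: ImmutableId={1} LastDirSyncTime={2}" -f $merged.UserPrincipalName, $merged.ImmutableId, $merged.LastDirSyncTime
```

Because step 5 changes the cloud-only account's UPN, step 6 addresses it by the new UPN; the final line shows a non-empty LastDirSyncTime once the account is synchronized.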
How to Manage Office 365 User Accounts
Many admins are frustrated by the many different web consoles needed for simple Office 365 management tasks.
Additionally, you need PowerShell for some tasks like calendar delegation.
That’s why we created Easy365Manager.
Easy365Manager is a snap-in to AD Users & Computers that lets you perform all daily Office 365 tasks from the well-known GUI of AD Users & Computers.
Even calendar rights are easily managed from the two new tabs on user properties:
With Easy365Manager, you can offload complex tasks (that usually would require PowerShell) to first-level support in a few minutes.
As a bonus, it’s possible to altogether remove your on-premises Exchange Server. This will give you 100% protection from future zero-day exploits like the ones used by Hafnium.
Download the 30-day trial to try out the many features.