When AD -> Azure Sync Fails for a User

article #1417, updated 30 days ago

There are many ways of doing this. Here is one way to bring everything into a single consistent behavior, a landing place from which you can vary slightly at need.

This presumes that you have Azure/AD sync installed and working in general, and that it is yielding errors in the Synchronization Service window for one or more users. Make sure that you don’t have duplicate email addresses in AD; duplicates are a common cause of sync errors.

The first steps are in Active Directory Users and Computers.

  1. Set the user’s email correctly in his/her AD object, in “E-mail” under General.
  2. Set proxyAddresses in the Attribute Editor. The primary email address has to be the same as the one under General, and in proxyAddresses it has to be of the format “SMTP:email@domain.com” with SMTP in uppercase. There can be other addresses in proxyAddresses, but their smtp: prefix must be lowercase. Also in the Attribute Editor, leave mailNickname blank.
  3. Under Account, the user login name plus the dropdown domain must either be the same as the address above, or be a valid login according to the O365 console. If the dropdown domain list contains only the local domain, you can add the Internet domain(s) in Active Directory Domains and Trusts: right-click the root level in the left pane of that window and add one or more alternative UPN suffixes. Then restart ADUC and the domain(s) you just added will be available in the dropdown.
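The three ADUC steps above can be checked in bulk before a sync is run. The following is an added example, not part of the original article: it audits each user’s mail, proxyAddresses and mailNickname against the rules in steps 1 and 2, and then looks for the duplicate addresses warned about earlier. It assumes the ActiveDirectory RSAT module is installed; the search base is a placeholder.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# RSAT module; $SearchBase is a placeholder for your own domain.
Import-Module ActiveDirectory
$SearchBase = 'DC=example,DC=local'   # placeholder

function Test-ProxyAddresses {
    # $User: an object from Get-ADUser -Properties mail,proxyAddresses,mailNickname
    param([Parameter(Mandatory)] $User)
    $problems = @()
    $addrs   = @($User.proxyAddresses | Where-Object { $_ })      # drop null when unset
    $primary = @($addrs | Where-Object { $_ -clike 'SMTP:*' })     # -clike is case-sensitive

    if ($primary.Count -ne 1) {
        $problems += "expected exactly one uppercase SMTP: primary, found $($primary.Count)"
    } elseif (-not $User.mail -or $primary[0].Substring(5) -ne $User.mail) {
        $problems += "primary '$($primary[0])' does not match mail '$($User.mail)'"
    }
    foreach ($a in $addrs) {
        if ($a -clike 'SMTP:*') { continue }                      # the primary, already checked
        if ($a -like 'smtp:*' -and $a -cnotlike 'smtp:*') {       # e.g. 'Smtp:' mixed case
            $problems += "secondary '$a' must use a lowercase smtp: prefix"
        }
    }
    if ($User.mailNickname) {
        $problems += "mailNickname is set ('$($User.mailNickname)') but should be blank"
    }
    return $problems
}

function Find-DuplicateProxyAddresses {
    param([Parameter(Mandatory)] $Users)
    $index = @{}
    foreach ($u in $Users) {
        foreach ($a in @($u.proxyAddresses | Where-Object { $_ })) {
            $key = $a.ToLower()                                    # 'SMTP:x' and 'smtp:x' collide too
            if (-not $index.ContainsKey($key)) { $index[$key] = @() }
            $index[$key] += $u.SamAccountName
        }
    }
    $index.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{ Address = $_.Key; Users = ($_.Value -join ', ') }
    }
}

$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties mail, proxyAddresses, mailNickname

"Per-user attribute problems:"
foreach ($u in $users) {
    $p = Test-ProxyAddresses -User $u
    if ($p) { "{0}: {1}" -f $u.SamAccountName, ($p -join '; ') }
}

"Addresses present on more than one user:"
Find-DuplicateProxyAddresses -Users $users | Format-Table -AutoSize
```

Run it from a PowerShell session that can read the domain; a user reported by the first function is fixed in ADUC as described in steps 1 and 2, and an address reported by the second has to be removed from all but one object before the sync will succeed.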

Now we do some other things.

  1. Run Azure/AD sync. This is CMD; run it as administrator:

     repadmin /syncall /AdeP
     @"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command ^
     "Import-Module ADSync; Start-ADSyncSyncCycle -PolicyType Delta"
  2. If you see errors in the Synchronization Service window, run something called a “hard match”, which changes enough to connect the AD user of that email address with the Azure user of that email address. Here’s a PowerShell script for it; you’ll need to log into the O365 tenant. Note that while $AzureUPN is the O365 “primary email address”, $ADUPN is the two-part login name under Account in AD, the username plus the domain dropdown (step 3 above).

     $AzureUPN = "user_email_on_azure@domain.com"
     $ADUPN = "user_login_in_ad@domain.com"

     "First connect to AzureAD:"
     Import-Module AzureAD
     Connect-AzureAD

     "Now get Azure ImmutableID:"
     # -ObjectId accepts a UPN and returns exactly one user (SearchString can return several)
     $AzureUser = Get-AzureADUser -ObjectId $AzureUPN
     $AzureUser | Select-Object UserPrincipalName, ObjectId, ImmutableId

     "Extracting AD GUID..."
     # ldifde writes binary attributes base64-encoded after "objectGUID::", which is
     # exactly the form that ImmutableID needs
     ldifde -f export.txt -r "(userPrincipalName=$ADUPN)" -l objectGUID
     $ADGUID = (-split (Get-Content export.txt | Select-String "objectGUID"))[1]
     "Extracted AD GUID:"
     $ADGUID

     Set-AzureADUser -ObjectId $AzureUser.ObjectId -ImmutableId $ADGUID

     "New Azure ImmutableID re-extracted for confirmation:"
     $AzureUser = Get-AzureADUser -ObjectId $AzureUPN
     $AzureUser.ImmutableId
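The hard match above works because Azure AD Connect sets a synced user’s ImmutableID to the base64 encoding of the AD objectGUID. The following is an added example, not part of the original article: it derives that value directly from AD (no ldifde temp file) and compares it with what Azure AD currently holds, so you can confirm a mismatch before changing anything and confirm the fix afterwards. It assumes the ActiveDirectory and AzureAD modules and an existing Connect-AzureAD session; both UPNs are placeholders.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory and
# AzureAD modules are installed and Connect-AzureAD has already been run.
Import-Module ActiveDirectory
Import-Module AzureAD

function Get-ExpectedImmutableId {
    # Base64 of the 16 raw GUID bytes: the value AD Connect writes as ImmutableID,
    # and the same string ldifde prints after "objectGUID::"
    param([Parameter(Mandatory)][string] $ADUPN)
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$ADUPN'"
    if (-not $adUser) { throw "No AD user with UPN $ADUPN" }
    [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
}

function Compare-ImmutableId {
    param(
        [Parameter(Mandatory)][string] $ADUPN,
        [Parameter(Mandatory)][string] $AzureUPN
    )
    $expected  = Get-ExpectedImmutableId -ADUPN $ADUPN
    $azureUser = Get-AzureADUser -ObjectId $AzureUPN          # -ObjectId accepts a UPN
    [pscustomobject]@{
        ADUPN    = $ADUPN
        AzureUPN = $AzureUPN
        Expected = $expected
        Current  = $azureUser.ImmutableId                      # $null for a cloud-only user
        Match    = ($expected -ceq $azureUser.ImmutableId)     # base64 is case-sensitive
    }
}

# Placeholder UPNs; run once before Set-AzureADUser and again after the next sync
Compare-ImmutableId -ADUPN 'user_login_in_ad@domain.com' -AzureUPN 'user_email_on_azure@domain.com'
```

Match = False with a non-empty Current means the Azure object is tied to a different AD object (or a stale one), which is the case the hard match repairs; Match = False with an empty Current is a cloud-only user that has never been matched.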