ADConnect does not allow soft-matching of user accounts which have administrative roles in AzureAD/Office 365 and will create new, separate accounts if you try to sync them from on-premises Active Directory. There is a workaround, however, which involves hard-matching the accounts using the on-premises objectGUID property.
Run the following command in PowerShell (replace svc_spo with part or all of the username of the account you’re looking for):
ldifde -f C:\users\username\desktop\user-export.txt -r "(Userprincipalname=svc_spo*)" -l "objectguid,userPrincipalName"
- Open the user-export.txt file and you’ll be able to see the objectGUID of the account
- Now return to PowerShell, run “Connect-MsolService” and log in with an account that has the global administrator role
Run the following command against the account in AzureAD/Office 365 that you’re looking to sync your on-prem account to. This will confirm you’ve got the right account:
Get-MsolUser -UserPrincipalName svc_sponlinebackup@domain.onmicrosoft.com
Now copy the “objectGUID” from the export you took earlier and return to PowerShell and run the following command:
Set-MsolUser -UserPrincipalName svc_sponlinebackup@domain.onmicrosoft.com -ImmutableId hAi`2`h`1`u`u`O8wTt/Ig==
Return to the AzureAD Connect server and run another Delta sync to Office 365 and you should see the two accounts are now merged:
Start-AdSyncSyncCycle Delta
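The ImmutableId that Set-MsolUser expects is the Base64 encoding of the on-premises objectGUID's 16 bytes, which is the form ldifde writes to the export. The following added example (not part of the original post; the function names and sample values are constructed for illustration) converts in both directions and rejects a value that does not decode to a 16-byte GUID, so the binding can be checked before it is written to an administrative account.

```powershell
# Added example (not from the original post): convert between an on-premises
# objectGUID and the Base64 ImmutableId, and validate a pasted value.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # ImmutableId is the Base64 encoding of the GUID's 16 raw bytes.
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    try {
        $bytes = [System.Convert]::FromBase64String($ImmutableId)
    } catch {
        throw "Not valid Base64: '$ImmutableId'"
    }
    # A GUID is exactly 16 bytes; a truncated or mistyped paste fails here.
    if ($bytes.Length -ne 16) {
        throw "Decodes to $($bytes.Length) bytes, expected 16: '$ImmutableId'"
    }
    [guid]::new($bytes)
}

# Constructed sample GUID standing in for the on-premises account's objectGUID.
$onPremGuid  = [guid]'00112233-4455-6677-8899-aabbccddeeff'
$immutableId = ConvertTo-ImmutableId -ObjectGuid $onPremGuid

# Round trip: the decoded value must equal the on-premises objectGUID.
$decoded = ConvertFrom-ImmutableId -ImmutableId $immutableId
"ImmutableId : $immutableId"
"Decoded GUID: $decoded"
"Match       : $($decoded -eq $onPremGuid)"

# Constructed truncated value (valid Base64, but only 8 bytes): rejected.
try {
    ConvertFrom-ImmutableId -ImmutableId 'AAECAwQFBgc=' | Out-Null
} catch {
    "Rejected    : $($_.Exception.Message)"
}
```

Decoding the ImmutableId returned by Get-MsolUser in the same way shows which on-premises object a cloud account is currently bound to.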
If you run into any issues, here are some things you can check:
An account has already been created with the objectGUID in AzureAD/Office 365. The following command will give you the account name.
Get-MsolUser | Where-Object {$_.ImmutableId -eq "zxG`O`O`d`i`MtgkOsuvKA=="} | select UserPrincipalName
The account existed but has since been soft-deleted from AzureAD/Office 365. The following command will show you whether any accounts exist in the soft-deleted status and you can then run the second command to remove the account.
Get-MsolUser -ReturnDeletedUsers
Remove-MsolUser -UserPrincipalName svc_sponlinebackup@domain.com.au -RemoveFromRecycleBin