I have correctly installed AD sync to our server and it syncs with Office 365.

All the users that only had 1 email @company.com moved over correctly and are syncing with on-premises.

However, all the users with aliases did not move over correctly and got an onmicrosoft.com account on Office 365.

After going through the forums I found that I need to add their aliases to the attributes tab, which I have now done correctly for all users. I manually removed all the incorrect onmicrosoft accounts and ran another sync.

For some crazy reason it is still not syncing the correct account and creates another default onmicrosoft account.

Is there something I am missing?

8 Spice ups

Is the UPN for the user a .local domain?

For the ProxyAddresses attribute, make sure you have a default SMTP address with a routable domain. The default address should have uppercase lettering, for example SMTP:user@domain.com

The UPN is @company.com.

The proxyAddress attributes have been done correctly, with SMTP for the primary address and smtp for the aliases.

It still creates the onmicrosoft.com accounts.

In ADUC, Account tab, is @domain.com selected in the dropdown box to the right of the User Logon Name?

Yes, @domain.com is selected.

It is as if I need to completely remove either the AD account or the email on O365.

I have completely removed the onmicrosoft account with PowerShell and removed it from the recycle bin. Removed all aliases from user@domain.com.

Forced a resync and 15 minutes later another onmicrosoft.com account gets created.

I have even tried moving the user to an OU that doesn't get synced.

The onmicrosoft account gets removed from O365.

I remove this from the recycle bin using PowerShell.

I move the user back to the correct OU, and it still creates the onmicrosoft account. I don't know why it does not sync to the correct account.

From what I have seen in the past, the UPN on the 365 side does not like to change by itself for any reason. We used to have to run PowerShell commands even when a user changed their last name and such. I have been told they added this ability in the web console but I don’t work with that end of admin anymore to confirm.

I have tried doing that PowerShell command to change the UPN from the onmicrosoft.com to the correct account; however, it does not run and tells me that the account with that principal name already exists. Seems the only way is if I remove the account from Office 365, which I cannot do.

Alas, I no longer have an environment to remote into to test these commands, but if you do a “Get-Mailbox -Identity user@externaldomain.com” and “Get-Mailbox -Identity user@onmicrosoftdomain.com” do they both have a result? When you connected, did you use the MSOL to connect? It has different commands than the Azure Connect.

Also, in AD, have you set the info in SMTP mailbox, proxy address, and (I think it is) MsRTP SIP? Make sure the primary SMTP entry is in Caps and the rest in lowercase (if any).

(Edit: Second Paragraph)
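The checks the two replies above ask for (one upper-case `SMTP:` primary on a routable domain, lower-case `smtp:` aliases, a UPN suffix that is not the internal domain) can be verified across an OU before the next sync runs. The script below is an added example, not something posted in this thread; it assumes the RSAT ActiveDirectory module on the AD Connect server or a domain-joined admin workstation, and the domain `company.com` and the OU path are placeholders.

```powershell
# Added example: audit on-premises AD users for the proxyAddresses/UPN conditions that
# Azure AD Connect needs before it can match an existing Office 365 user instead of
# creating an *.onmicrosoft.com one. Assumes the RSAT ActiveDirectory module.
# RoutableDomain and SearchBase are placeholders.
param(
    [string]$RoutableDomain = 'company.com',
    [string]$SearchBase     = 'OU=Users,DC=corp,DC=local'
)

Import-Module ActiveDirectory

$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties proxyAddresses, mail, userPrincipalName

foreach ($u in $users) {
    $problems = @()
    $addrs    = @($u.proxyAddresses)

    # -clike is case-sensitive: exactly one upper-case "SMTP:" entry marks the primary address
    $primary = @($addrs | Where-Object { $_ -clike 'SMTP:*' })
    if ($primary.Count -ne 1) {
        $problems += "expected exactly one primary 'SMTP:' entry, found $($primary.Count)"
    } elseif ($primary[0] -notlike "*@$RoutableDomain") {
        $problems += "primary address is not on $RoutableDomain ($($primary[0]))"
    }

    # Aliases must be lower-case "smtp:"; mixed case such as "Smtp:" is neither primary nor alias
    $badCase = $addrs | Where-Object { $_ -like 'smtp:*' -and $_ -cnotmatch '^(SMTP|smtp):' }
    if ($badCase) { $problems += "mixed-case prefix: $($badCase -join ', ')" }

    # The UPN suffix must be a domain verified in the tenant, not the internal .local name
    if ($u.UserPrincipalName -notlike "*@$RoutableDomain") {
        $problems += "UPN suffix is not routable ($($u.UserPrincipalName))"
    }

    # The mail attribute should agree with the primary SMTP address
    $primarySmtp = $null
    if ($primary.Count -eq 1) {
        $primarySmtp = $primary[0].Substring(5)
        if ($u.mail -and ($u.mail -ne $primarySmtp)) {
            $problems += "mail attribute ($($u.mail)) differs from primary SMTP"
        }
    }

    $summary = 'OK'
    if ($problems.Count -gt 0) { $summary = $problems -join '; ' }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        UPN            = $u.UserPrincipalName
        PrimarySmtp    = $primarySmtp
        Problems       = $summary
    }
}
```

Pipe the output to `Format-Table -AutoSize` or `Export-Csv`; every row whose Problems column is not `OK` is a user that will not match an existing cloud account on attributes alone, which is the situation the original poster describes.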

Get-Mailbox -Identity only shows the display names for me. I do connect to MSOL with PowerShell.

In AD the users are set exactly the same as the users that were correctly created before the sync, the users without an alias synced perfectly correctly to their 365 profile.

The alias users all got the second onmicrosoft account. Even if I now remove all the aliases from one of the affected accounts, it still doesn't connect correctly to the 365 account. It's so strange.

So if I am reading that correctly, the users were created prior to the first sync? If that is the case, that is where the problem lies. AD and Azure do not see users as their username; that is for us. They see a GUID (XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX). So if jdoe@ with a GUID of XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX resides on the server and then jdoe@ with GUID XXXXXXXX-YYYY-ZZZZ-QQQQ-XXXXXXXXXXXX gets sent to the server, it is going to see them as two different accounts, and since the “jdoe@” username exists, it is going to have to create a new one and will name it onmicrosoft.com because that’s the only spot for it.

Let me know if I was misreading that.

Thank you. Setting the GUID to the immutable ID was the only way to force it.

Followed this guide: https://www.youtube.com/watch?v=Ksae9lm9y5Y

2 Spice ups
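The hard match the original poster ended up doing is the step the GUID explanation above points to: the cloud user's ImmutableId is set to the base64 form of the on-premises objectGUID, so the next sync joins the two objects instead of creating another onmicrosoft.com user. The script below is an added example, not from this thread or the linked guide. It assumes the RSAT ActiveDirectory module and the MSOnline module with `Connect-MsolService` already run (the thread uses MSOL), that the duplicate onmicrosoft.com user has already been deleted and purged, and the sAMAccountName and UPN passed in are placeholders.

```powershell
# Added example: hard-match one on-premises user to its existing Office 365 user.
# Azure AD Connect's default sourceAnchor is objectGUID, stored in the cloud as the
# base64 encoding of the 16 GUID bytes; setting ImmutableId to that value makes the
# next sync cycle join the objects. Assumes RSAT ActiveDirectory + MSOnline modules
# and an existing Connect-MsolService session. Nothing is changed without -Apply.
param(
    [Parameter(Mandatory)][string]$SamAccountName,   # placeholder, e.g. jdoe
    [Parameter(Mandatory)][string]$CloudUpn,          # placeholder, e.g. jdoe@company.com
    [switch]$Apply
)

Import-Module ActiveDirectory

$adUser      = Get-ADUser -Identity $SamAccountName -Properties objectGUID, userPrincipalName
$immutableId = [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

# The UPN suffix must already match; otherwise the join still lands on the onmicrosoft suffix
if ($adUser.UserPrincipalName -ne $CloudUpn) {
    throw "On-prem UPN '$($adUser.UserPrincipalName)' does not match '$CloudUpn'; fix the UPN suffix first"
}

# A purged duplicate that still carried this anchor would be restored by the next sync
$deleted = Get-MsolUser -ReturnDeletedUsers -All | Where-Object { $_.ImmutableId -eq $immutableId }
if ($deleted) {
    throw "Deleted user $($deleted.UserPrincipalName) still holds ImmutableId $immutableId; purge it with Remove-MsolUser -RemoveFromRecycleBin first"
}

$cloudUser = Get-MsolUser -UserPrincipalName $CloudUpn -ErrorAction Stop

if ($cloudUser.ImmutableId -eq $immutableId) {
    Write-Host "Already matched: $CloudUpn -> $immutableId"
    return
}
if ($cloudUser.ImmutableId) {
    # A different anchor means this cloud object was joined to another on-prem object before
    Write-Warning "$CloudUpn already carries ImmutableId $($cloudUser.ImmutableId); it will be replaced"
}

Write-Host "ImmutableId for $CloudUpn -> $immutableId (objectGUID $($adUser.ObjectGUID))"
if ($Apply) {
    Set-MsolUser -UserPrincipalName $CloudUpn -ImmutableId $immutableId
    # Then run a delta sync on the Azure AD Connect server:
    #   Start-ADSyncSyncCycle -PolicyType Delta
}
```

Run it once without `-Apply` to see the computed anchor and any blocking condition (UPN mismatch, a purged duplicate that was not actually purged, an existing different ImmutableId), then with `-Apply` and a delta sync. This is the same check the "account with that principal name already exists" error above is about: as long as the onmicrosoft.com duplicate exists, either live or in the recycle bin, the cloud UPN cannot be taken over.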

You had to Hard Match all of the affected users?

Glad we could get you pointed in the right direction! :smiley:

Yeah, had to hard match each user; luckily it wasn't that many.

I am having issues with this exact issue. We do NOT use AD for email, but wanted to use AADC for passwords. Synced and all users have an unlicensed onmicrosoft.com listing. I created a new UPN and listed it as domain.com and added it for a few users under Account in the AD drop list. Still have the onmicrosoft listing on the Active users page in the O365 portal.

The “onmicrosoft” duplicate accounts are not going to automatically go away. You need to delete them - either manually via the O365 portal or find a PowerShell script to do it.

What I would do is manually delete those accounts then create an OU in your local AD that will contain the accounts you want synced. Configure AADConnect to only sync that OU and then start testing - create a test account and see if it syncs properly and if not, work the errors you receive.

1. I tried deleting them manually on the portal but still got an error that I had to go on-premises to do so, which doesn’t make sense since I did not find any onmicrosoft there.

2. So I need to create a whole new OU in AD and stick a few users there and resync. I currently have just the users syncing, although I accidentally did sync all initially.

I would turn off syncing in the portal and then you should be able to delete them. It may take some time before it lets you after you turn off the sync. After that turn it back on and just sync some test users to make sure things are working as expected before you start syncing all user accounts.

Everyone has an “onmicrosoft” account. Usually it’s behind the scenes so you don’t normally see it. You are seeing it because your local AD domain doesn’t match your email domain and you did a sync without first creating and assigning the matching UPN suffix locally - O365 didn’t know what to do with that domain so it created the accounts with the default “onmicrosoft” suffix.

Common issue that many of us had to work through.
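The sequence in the two replies above (verify the routable domain, turn off directory sync so the synced objects become deletable, delete and purge the unlicensed onmicrosoft.com users, then turn sync back on against a test OU) as an added example in PowerShell, not a script from this thread. It assumes the MSOnline module and an existing `Connect-MsolService` session; `company.com` is a placeholder for the verified domain, and nothing is deleted unless `-Apply` is given.

```powershell
# Added example: clean up duplicate *.onmicrosoft.com users created by a sync that ran
# before the routable UPN suffix existed. Assumes MSOnline + Connect-MsolService.
# Without -Apply the script only reports; with -Apply it disables sync, waits, deletes.
param(
    [string]$RoutableDomain = 'company.com',   # placeholder verified domain
    [switch]$Apply,
    [int]$MaxWaitMinutes = 60
)

# 1. The routable domain must be Verified, otherwise synced users land on the onmicrosoft suffix
$domain = Get-MsolDomain -DomainName $RoutableDomain -ErrorAction Stop
if ($domain.Status -ne 'Verified') {
    throw "$RoutableDomain is '$($domain.Status)', not Verified; verify it before syncing again"
}

# 2. Synced objects cannot be deleted while directory sync is on; turn it off and wait for the flag
$company = Get-MsolCompanyInformation
if ($company.DirectorySynchronizationEnabled) {
    if ($Apply) {
        Set-MsolDirSyncEnabled -EnableDirSync $false -Force
        $waited = 0
        do {
            Start-Sleep -Seconds 60
            $waited++
            $company = Get-MsolCompanyInformation
        } until (-not $company.DirectorySynchronizationEnabled -or $waited -ge $MaxWaitMinutes)
        if ($company.DirectorySynchronizationEnabled) {
            throw "Directory sync still enabled after $MaxWaitMinutes minutes; re-run later"
        }
    } else {
        Write-Host 'Directory sync is enabled; -Apply would disable it before deleting anything'
    }
}

# 3. Candidates: users created by sync (LastDirSyncTime set), on the onmicrosoft suffix, unlicensed.
#    Licensed users are excluded so real mailboxes are never in scope; groups are not touched at all.
$candidates = Get-MsolUser -All | Where-Object {
    $_.UserPrincipalName -like '*.onmicrosoft.com' -and
    -not $_.IsLicensed -and
    $null -ne $_.LastDirSyncTime
}
$candidates | Select-Object UserPrincipalName, DisplayName, LastDirSyncTime | Format-Table -AutoSize

# 4. Delete and purge from the recycle bin, so a later sync cannot restore them
if ($Apply) {
    foreach ($c in $candidates) {
        Remove-MsolUser -UserPrincipalName $c.UserPrincipalName -Force
        Remove-MsolUser -UserPrincipalName $c.UserPrincipalName -RemoveFromRecycleBin -Force
    }
    # Re-enable afterwards, with Azure AD Connect scoped to the test OU first:
    #   Set-MsolDirSyncEnabled -EnableDirSync $true -Force
}
```

Review the candidate table from the dry run before using `-Apply`; the licence filter is what keeps existing mailboxes out of the deletion, and because only users are selected, distribution groups are never affected by this script.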

Okay, if I do this, I want to make sure the emails won’t be deleted from O365, because after I initially synced everything and then synced only the Users, some distribution groups went away and got cleared up. That is what I am paranoid about.

How do I turn off sync from the portal?