Unlink On-Premises AD Accounts with Azure AD Matches.

Yesterday I configured an Azure AD Sync to synchronize an On-Premises AD to Azure. The current Azure AD was already in use by the clients’ daughter company. These users were cloud-only objects. While syncing the new environment, a match between a new account and an existing cloud account happened. However, these were 2 different people, sadly with the same name, email and UPN. So I needed to unlink the AD accounts.

I firstly tried to unlink these objects by reversing the hard match. I removed the immutableID from the cloud user and started the sync again. Sadly enough, the link still happened. So I thought ok, why not use an immutableID from an AD User which isn’t synced, to remove the duplicate. From there, the interesting stuff happened.

In my Synchronization service manager, I saw the following export error after the sync:

Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [OnPremiseSecurityIdentifier System.Byte[];]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.

Error information in Azure AD Sync to Unlink the AD Accounts
Error information in Azure AD Sync

I immediately searched this attribute “OnPremiseSecurityIdentifier”. I couldn’t find it anywhere on my On-premises AD. After some research, I found out that this attribute is the Azure AD Version of the ObjectSID. Ofcourse, this is something you cannot change.

What happened here was that the initial sync gave the cloud object this ObjectSID. Because we can’t change this, the Azure AD Sync still found this attribute and started giving us errors. So how did I unlink the AD accounts?

Well, I created a dummy account on the on-premises and hard-matched it with the cloud object I wanted to unlink. This caused the OnPremiseSecurityIdentifier to be overwritten by the SID of that dummy account. This allowed me to synchronize the initial AD User without matching it to the cloud user. Finally I removed the dummy account. Don’t forget to empty the ImmutableID of your cloud object, otherwise the removal of the dummy account will synchronize to that cloud object.

TL;DR:

  1. Stop the sync of the impacted object and restore the cloud user in Azure AD
  2. Create a dummy account on the on-premises
  3. Execute a hard match with the cloud user and the dummy account
  4. Start the sync of the impacted object.
  5. Stop the sync of the dummy account and remove the ImmutableID of the cloud user to unlink it with the dummy account.

Print Friendly, PDF & Email

3 comments on “Unlink On-Premises AD Accounts with Azure AD Matches.”

  1. Declan H says:

    Great!

  2. Robin and Ed says:

    You’re the best!! Thanks so much for pointing us in the right direction.

  3. Sébastien says:

    Thanks for the tips Andreas.
    Do you have a detailed workaround for that ?

Leave a Reply

Your email address will not be published. Required fields are marked *