Let's say you have an Office 365 tenant with cloud-only users and mailboxes, and you now decide to enable directory synchronization and match those Office 365 users with your existing Active Directory users.
I prepared a lab with one DC and created a trial Office 365 E3 tenant with a custom domain. I created users with the same user name on both sides. In Active Directory I set each user's UPN to match the Office 365 user name and also filled in the email address.
Next I enabled directory synchronization in Office 365 and installed Azure AD Connect on DC2. After the initial sync I got this error:
Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [Mail [email protected];].
I realized that Office 365 could not match the users and was trying to create new ones, so some attribute had to be corrected. The solution came from the following blog:
and specifically at the “manual match method” section:
In order to match an on-premises user with its cloud user you have to set the ImmutableId of the Office 365 user to the ObjectGUID of the on-premises Active Directory user, encoded as base64. This is the value Azure AD Connect uses to link the two objects, so once it is set the cloud user is updated instead of a duplicate being created.
To retrieve the ObjectGUID you can use the following command:
ldifde -d "CN=xxx…,OU=xxx,DC=xxxx,DC=xx" -f c:\temp\exportuser1.txt
"CN=xxx…,OU=xxx,DC=xxxx,DC=xx" is the distinguished name of the user. You can use ADSIEdit or AD Users & Computers (attribute editor) to find this value.
In the text file exportuser1.txt look for the objectGUID attribute. Because ldifde base64-encodes binary attributes, you will find a string like z2Xbu0xFTUapOeDqHRTN1A==; this is exactly the value you need, no further conversion is required.
Then connect to Windows Azure Active Directory with the MSOnline PowerShell module (Connect-MsolService) and run:
Set-MsolUser -UserPrincipalName [email protected] -ImmutableId z2Xbu0xFTUapOeDqHRTN1A==
After that I just forced a delta sync with "Start-ADSyncSyncCycle -PolicyType Delta"; the sync was successful and the users in Office 365 changed from "In cloud" to "Synced with Active Directory".
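The whole manual match in one script, as an added example that is not code from the original post or from the blog it references. It assumes the ActiveDirectory, MSOnline and ADSync PowerShell modules are installed on the Azure AD Connect server, and the parameter values (a sAMAccountName and a cloud UPN) are placeholders you supply. It reads the ObjectGUID directly with Get-ADUser instead of ldifde, base64-encodes it the same way ldifde does, refuses to overwrite a cloud user that already has an ImmutableId, and verifies the round trip before kicking off the delta sync.

```powershell
# Added example: hard-match a cloud-only Office 365 user to an on-premises AD user
# by stamping the cloud user's ImmutableId with the base64-encoded on-prem ObjectGUID.
# Assumes the ActiveDirectory, MSOnline and ADSync modules are available locally.
# $SamAccountName and $CloudUpn are hypothetical inputs, not values from the post.
param(
    [Parameter(Mandatory)] [string]$SamAccountName,   # on-prem account, e.g. user1
    [Parameter(Mandatory)] [string]$CloudUpn          # Office 365 UPN, e.g. user1@contoso.com
)

Import-Module ActiveDirectory
Import-Module MSOnline

# 1. Read the on-prem ObjectGUID and encode it. ImmutableId is the base64 of the
#    GUID's 16-byte array, which is the same string ldifde writes for objectGUID.
$adUser = Get-ADUser -Identity $SamAccountName -Properties ObjectGUID, UserPrincipalName
$immutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
Write-Host "On-prem ObjectGUID  : $($adUser.ObjectGUID)"
Write-Host "ImmutableId (base64): $immutableId"

# 2. Sanity checks before touching the tenant: the UPNs must agree, and the cloud
#    user must still be cloud-only (empty ImmutableId). Overwriting a populated
#    ImmutableId would re-anchor a user that is already matched to another object.
if ($adUser.UserPrincipalName -ne $CloudUpn) {
    throw "UPN mismatch: AD has '$($adUser.UserPrincipalName)', cloud user is '$CloudUpn'"
}

Connect-MsolService   # prompts for tenant admin credentials
$cloudUser = Get-MsolUser -UserPrincipalName $CloudUpn
if ($cloudUser.ImmutableId) {
    throw "Cloud user already has ImmutableId '$($cloudUser.ImmutableId)'; refusing to overwrite"
}

# 3. Hard match: set the anchor on the cloud object.
Set-MsolUser -UserPrincipalName $CloudUpn -ImmutableId $immutableId

# 4. Verify the round trip: decoding the stored ImmutableId must give back the AD GUID.
$stored    = (Get-MsolUser -UserPrincipalName $CloudUpn).ImmutableId
$roundTrip = [Guid]::new([Convert]::FromBase64String($stored))
if ($roundTrip -ne $adUser.ObjectGUID) {
    throw "ImmutableId round trip failed: $roundTrip != $($adUser.ObjectGUID)"
}
Write-Host "ImmutableId verified for $CloudUpn"

# 5. Push a delta sync. Afterwards the user should show as
#    "Synced with Active Directory" instead of "In cloud" in the Office 365 portal.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
```

Run it once per user from an elevated PowerShell session on the Azure AD Connect server, for example `.\Match-CloudUser.ps1 -SamAccountName user1 -CloudUpn user1@contoso.com` (script name and values are placeholders). The round-trip check in step 4 is the part worth keeping even if you do the rest by hand: a mistyped or padded base64 string is accepted by Set-MsolUser but will never match the on-prem GUID, and the sync will go right back to creating duplicates.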