Azure tenant accounts showing synced with local AD, but they are not

  • Question

  • Hello,

    We are currently syncing accounts to Azure through DirSync from on-prem. They are filtered going up to AAD in DirSync by set requirements. The issue we have is that the tenant admin accounts we have created (cloud only) say they are linked with local AD, which they are not; they are not connected in the DirSync metaverse. I found them as disconnectors in the tenant MA and have filtered them out, but it didn't delete the disconnectors.

    Any ideas how to make sure I get the cloud tenant admin accounts fixed?

    Thanks

    Russ


    Russell Lema

    Wednesday, September 16, 2015 4:58 PM

Answers

  • Hi Russell,

    For the admin accounts that you are referring to: open a PowerShell session and connect to your directory service using the Azure AD PowerShell Module (http://aka.ms/aadposh).

    Run the following command once connected:

    Get-MsolUser -UserPrincipalName admin@contoso.com | Select DisplayName, UserPrincipalName, ImmutableID

    In the response, does the admin account have an ImmutableID value? If so, can you check the Metaverse on the server where your Sync Engine is located to see if you find a hit in the AAD Connector?

    If you do not find it in the AAD Connector, convert the ImmutableID from base64 and you should get the GUID. I assume you're using ObjectGUID as SourceAnchor. If so, go to one of your domain controllers and launch PowerShell:

    Import-Module ActiveDirectory
    Get-ADUser <GUID>

    Does it then return an AD account (ideally, an account owned by this admin on-prem)? If so, then it would seem that these accounts got linked at some point in the past... you may have then re-installed your Sync Engine and filtered such accounts out, meaning they are no longer linked, but in AAD they are still set to synced accounts.

    If you have never done anything like a re-install etc. and you're not finding the accounts in your Sync Engine, then your sync engine may be out of sync between AD and AAD, as otherwise, when you filtered out the account (that it thinks it is linked to), it would have initiated a delete.

    Let me know if that helps somewhat initially; if you need anything else, let me know.

    James.


    Senior Escalation Engineer | Azure AD Identity & Access Management

    • Marked as answer by Russ Lema Monday, September 21, 2015 2:37 PM
    Monday, September 21, 2015 2:02 AM
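As an added example (not part of this thread; the names, GUIDs and sample rows are constructed), the ImmutableID-to-ObjectGUID check James describes, run over an exported Get-MsolUser list so that orphaned "synced" accounts can be listed in one pass rather than one Get-ADUser lookup at a time:

```python
# Added example (not from the thread): decode Azure AD ImmutableId values and
# sort an exported Get-MsolUser list into cloud-only, linked and orphaned
# accounts, following the ImmutableID -> ObjectGUID -> Get-ADUser check.
import base64
import csv
import io
import uuid


def immutable_id_to_guid(immutable_id):
    """ImmutableId is the base64 of the 16 raw objectGUID bytes. AD stores a
    GUID in Windows mixed-endian layout, so decode with bytes_le; this mirrors
    [Guid]::new([Convert]::FromBase64String($id)) in PowerShell."""
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError("ImmutableId does not decode to 16 bytes: %r" % immutable_id)
    return uuid.UUID(bytes_le=raw)


def guid_to_immutable_id(guid):
    """Inverse: the anchor AAD Connect writes for an on-prem objectGUID."""
    return base64.b64encode(uuid.UUID(guid).bytes_le).decode("ascii")


def classify_accounts(msol_csv, onprem_guids):
    """msol_csv: Get-MsolUser | Export-Csv output with an ImmutableId column.
    onprem_guids: objectGUID strings of users that Get-ADUser still finds."""
    result = {"cloud_only": [], "linked": [], "orphaned": []}
    for row in csv.DictReader(io.StringIO(msol_csv)):
        upn = row["UserPrincipalName"]
        if not row["ImmutableId"]:
            result["cloud_only"].append(upn)   # never anchored to AD
        elif str(immutable_id_to_guid(row["ImmutableId"])) in onprem_guids:
            result["linked"].append(upn)       # anchor resolves on-prem
        else:
            result["orphaned"].append(upn)     # marked synced, no AD object left
    return result


# Constructed sample data: one on-prem GUID still exists, one does not.
ONPREM_GUIDS = {"01020304-0506-0708-090a-0b0c0d0e0f10"}
STALE_ANCHOR = guid_to_immutable_id("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")
SAMPLE_CSV = (
    '"DisplayName","UserPrincipalName","ImmutableId"\n'
    '"Tenant Admin","admin@contoso.onmicrosoft.com",""\n'
    '"Jane Doe","jane@contoso.com","BAMCAQYFCAcJCgsMDQ4PEA=="\n'
    '"Old DirSync Admin","admin2@contoso.onmicrosoft.com","' + STALE_ANCHOR + '"\n'
)

if __name__ == "__main__":
    for bucket, upns in classify_accounts(SAMPLE_CSV, ONPREM_GUIDS).items():
        print(bucket, upns)
```

The "orphaned" bucket is the set James's procedure identifies by hand: accounts AAD still marks as synced whose anchor no longer resolves to any on-prem object.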

All replies

  • Hi Russell,

    DirSync is a tool to synchronize your on-premises AD to Azure AD. Specifically, DirSync synchronizes your local Active Directory passwords to Azure Active Directory, in addition to syncing users, groups and contacts.

    DirSync doesn't support bidirectional syncing. However, with AAD Sync/AAD Connect you can enable password write-back, provided you have an AAD Premium license. For details see this link - https://msdn.microsoft.com/en-us/library/azure/dn903642.aspx

    "Azure Active Directory Connect" replaces AADSync and DirSync. Azure AD Connect incorporates the components and functionality previously released as DirSync and AAD Sync. At some point in the future, support for DirSync and AAD Sync will end.
    These tools are no longer being updated individually with feature improvements, and all future improvements will be included in updates to Azure AD Connect.

    For the most recent information about Azure Active Directory Connect, see Integrating your on-premises identities with Azure Active Directory

    Should you have any other questions, please do not hesitate to ask. We will be happy to assist.

    Best Regards

    Sadiqh Ahmed



    Thursday, September 17, 2015 5:21 AM
  • James has provided an excellent instruction here.  You may also have an email "matching" between these objects.  Do you have email address for these admin accounts?

    Santhosh Sivarajan | Houston, TX | www.sivarajan.com

    Monday, September 21, 2015 2:08 PM
  • Sorry all, I have been away from my computer and could not respond.

    I was able to use PowerShell to remove the orphaned accounts.

    What happened was that some of the accounts, around 200, were in the cloud; since they were orphaned they took on the tenant extension, and were intermingled with some of the other accounts that we created as cloud-only.

    So I used PowerShell to export the list of users, then removed the ones I wanted to keep, which said they were not connected to local AD.

    I was able to delete all the orphaned objects and now they are cleaned up.

    So that worked. Apparently there was an old DirSync instance that we had disconnected and changed when we moved to on-prem sync, and that is where the accounts came from; they happened to have very similar names to the ones we had created as the cloud admins.


    Russell Lema

    Monday, September 21, 2015 2:40 PM