Search AD object via ConsistencyGUID
July 31, 2020 | by iaur | posted as Active Directory, Azure AD
Scenario
- Admin center is showing duplicate MSOL user and both are syncing to O365 thus, you are looking to see if you can merge it
- You have two identical MSOL users and would like a safe way to delete one
Context
Do a ConsistencyGUID search of a specific AD object.
Firstly, you don’t have to really merge these and there’s no way to really do that. Both MSOL user are synced with AD consequently, the question is who is to retain and obviously it would be the licensed account.
That is to say, you just need to find the equivalent AD object of the unlicensed MSOL user by doing a ConsistencyGUID (mS-DS-ConsistencyGUID) search and move it away from the syncing OU. Therefore, will delete it from O365 and will no show showing in the Admin center under active user.
Steps
- Connect to MSOL using PowerShell
- Run below cmdlet to find the immutableID of the unlicensed user
# user@domain.onmicrosoft.com is the unlicensed user
Get-MSOLuser -UserPrincipalName user@domain.onmicrosoft.com | fl name,immutableID
- Take note of the immutable ID
- Access your Local AD
- Open PowerShell
- Run below cmdlet that will search for the AD object that match the immutableID value
# ENTER_IMMUTABLE_ID_HERE is the ImmutableID from the previous steps
$string=[system.convert]::FromBase64String("ENTER_IMMUTABLE_ID_HERE")
$hex = -join ($string | %{$_.tostring("X").padleft(2,"0")})
$search = $hex -replace '(..)','\$1'
$adUser = Get-AdUser -LDAPFilter "(ms-ds-consistencyguid=$search)"
- Once you’ve retrieve it, all you need to do is locate the OU where the object is after that move it to a not-synced OU
- Finally, wait for 30 minutes to an hour for a passive sync (AAD) to complete
Screenshot:
