ayi <t>Rebuilt Azure AD Connect and now ~300 users are duplicated (cloud only + sync). What's the safest way to fix this without breaking mailboxes?</t>
ayi <t>Here’s what you have to do:<br/> Disable user sync so the cloud duplicates are removed. Move the users into an unsynced OU in your AD to do that.<br/> Force a sync and make sure the duplicates are gone from the cloud.<br/> Make sure your Entra Connect Sync is using ImmutableID for sync.<br/> Create a list of all user accounts that are not synced. That list should contain the UPN and the ImmutableID grabbed from the cloud, at the very least. I recommend getting every property you want to preserve. Use PowerShell Graph to do this.<br/> Use AD PowerShell to set all those properties you grabbed from the cloud back onto the local users. Use the UPN to match them, and change the local properties so they fit. The most important one is the ImmutableID, which maps to the “ms-DS-ConsistencyGUID” property. It is in a different format (Byte vs string), so it needs to be converted.<br/> Move the users back into a synced OU and watch them match, using the ImmutableID, to the correct cloud user. Any properties set in AD will overwrite the Entra property, so make sure they match.<br/> <br/> I would test with one user first, obviously. If you’re not familiar with PowerShell, Graph, AD or Entra you might want to hire someone to fix this for you. A mistake could be serious, but no data should ever be deleted - at worst a user would be soft-deleted.</t>
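The export-and-rewrite steps above, as an added PowerShell example (not the answer author's code). It assumes the Microsoft.Graph and ActiveDirectory modules are installed, that the account running it has User.Read.All in Entra and write rights on the user objects in AD, and that the CSV path .\cloud-users.csv is a placeholder you can change. The Set-ADUser call is left with -WhatIf so the first run is a dry run; drop it only after checking a single test user, as the answer recommends.

```powershell
# Added example, not from the original thread. Run Part 1 after the duplicates have been
# removed from the cloud and only the original (now unsynced) accounts remain there.

# ---- Part 1: export the unsynced cloud users with their ImmutableID (OnPremisesImmutableId) ----
Connect-MgGraph -Scopes "User.Read.All"   # assumption: interactive sign-in with enough rights

$cloudUsers = Get-MgUser -All -Property Id,UserPrincipalName,OnPremisesImmutableId,OnPremisesSyncEnabled,DisplayName,Mail |
    Where-Object { $_.OnPremisesSyncEnabled -ne $true -and $_.OnPremisesImmutableId }

# Keep every property you want to preserve; UPN + ImmutableID are the minimum needed for matching.
$cloudUsers |
    Select-Object UserPrincipalName,OnPremisesImmutableId,DisplayName,Mail |
    Export-Csv -Path .\cloud-users.csv -NoTypeInformation   # placeholder path

# ---- Part 2: write the ImmutableID back to ms-DS-ConsistencyGUID on the matching AD user ----
Import-Module ActiveDirectory

foreach ($row in Import-Csv -Path .\cloud-users.csv) {
    $upn = $row.UserPrincipalName
    $adUser = Get-ADUser -Filter "userPrincipalName -eq '$upn'" -Properties 'mS-DS-ConsistencyGuid'
    if (-not $adUser) {
        Write-Warning "No AD user found for $upn; skipping"
        continue
    }

    # ImmutableID is the base64 form of the 16-byte GUID stored in mS-DS-ConsistencyGuid.
    $bytes = [System.Convert]::FromBase64String($row.OnPremisesImmutableId)
    if ($bytes.Length -ne 16) {
        Write-Warning "ImmutableID for $upn is not a 16-byte GUID; skipping"
        continue
    }

    # If AD already carries a different value, stop and investigate rather than overwrite blindly.
    $existing = $adUser.'mS-DS-ConsistencyGuid'
    if ($existing -and [System.Convert]::ToBase64String($existing) -ne $row.OnPremisesImmutableId) {
        Write-Warning "$upn already has a different mS-DS-ConsistencyGuid in AD; skipping"
        continue
    }

    # Dry run first: remove -WhatIf once a single test user has synced and matched correctly.
    Set-ADUser -Identity $adUser -Replace @{ 'mS-DS-ConsistencyGuid' = $bytes } -WhatIf
}

# ---- Verification after the real run: the round-trip must give back the cloud ImmutableID ----
foreach ($row in Import-Csv -Path .\cloud-users.csv) {
    $adUser = Get-ADUser -Filter "userPrincipalName -eq '$($row.UserPrincipalName)'" -Properties 'mS-DS-ConsistencyGuid'
    if ($adUser -and $adUser.'mS-DS-ConsistencyGuid') {
        $roundTrip = [System.Convert]::ToBase64String($adUser.'mS-DS-ConsistencyGuid')
        if ($roundTrip -ne $row.OnPremisesImmutableId) {
            Write-Warning "Mismatch for $($row.UserPrincipalName): AD=$roundTrip cloud=$($row.OnPremisesImmutableId)"
        }
    }
}
```

The verification loop is there because a match that silently fails leaves you with a new duplicate on the next sync; if any line prints a mismatch, fix that one user before moving the OU back into scope.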