The word cloud means different things to different folks. To some, it’s a term of endearment and something they hold close to their heart. Some only think it’s a light fluffy thing in the sky that can sometimes appear to make funny shapes. And still some think of it as the place all of my stuff goes but doesn’t actually exist. And there are even some who believe the term is synonymous with Big Brother or Skynet. However you view it, the cloud appears to be here to stay and the forecast is looking cloudier (without a chance of meatballs) every year. When making that move to Office 365 from your long-lasting and firmly rooted on-premises infrastructure, you may come across this issue: those pesky existing cloud accounts created using your company’s domain for an email address. What to do with these existing O365 cloud accounts?
I Like Options
Well, we can always give in to the dark side when dealing with these nefarious nuisances. Once you claim the tenant, they become your peasants. No ruler has ever been overthrown by coming down hard on his/her subjects, so delete away your majesty!
But before you lay down the law, let’s look at a couple of gotchas to be on the lookout for. Once you actually start syncing users with Azure AD Connect, you may see errors in the Azure AD Portal. One of the errors you might get involves cloud accounts that already hold admin roles when the matching on-prem account starts to sync.
If you look at the users in the O365 Admin Portal, you’ll see two users that should have merged after syncing but remain separate because the cloud account already had an admin role assigned. The image below shows two black boxes that should have been one black box.
Azure does not like it when this happens. You could try to remove the role, but I still had issues when I did this. I had to delete the cloud accounts to unclog the machine. And before we go any further…let’s just address the elephant in the room.
Apparently, the Council of IT Terminology met together and discussed the terms of their conditions (pun intended). They determined that “delete” was just too strong of a word and “wishing away to a forced vacation” was just too fluffy. So now we have terms that give the Touch and Feel books for infants a run for their money: Soft Delete and Hard Delete have entered the chat.
Contrary to popular belief, it isn’t dependent on the amount of force exerted on the mouse when you click delete. Soft delete sends your object to a temporary resting place as it awaits final judgement. Hard delete makes it really hard for you to recover from. For these on-prem accounts you’re syncing that are throwing errors because your existing O365 cloud accounts have admin roles, we need to hard delete the cloud accounts. Deleting from the Admin Center doesn’t really remove the user; it’s just a soft delete. I assume this is in case you were trigger happy and/or are working from home and your infant hijacked your lappy. Likewise, running Remove-MsolUser from PowerShell will only soft delete the user. You have to delete the user from the AAD Recycle Bin or use the switch parameter -RemoveFromRecycleBin to hard delete the user.
Remove-MsolUser -UserPrincipalName "RecentlyPromotedGeneral38797@empire.edu" -RemoveFromRecycleBin
Measure Twice, Delete Once
Of course, I would suggest verifying you actually want to execute Order 66 before causing mayhem in your environment. Once you hard delete the troublesome cloud accounts, your syncing errors will go away and your syncing will stop stinking and you’ll be heralded as the Azure King and your peasants will no longer have the blues. On a completely different note (but kind of related since Azure means blue)… What is blue and not heavy? (A) Light Blue (ba dum chtt)
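Here is the soft-then-hard delete from the previous section with the "measure twice" checks this section asks for, as an added example (not the post's own script). It assumes the MSOnline module is installed and Connect-MsolService has already been run; the -Commit switch is the script's own, and the UPN is whatever you pass in.

```powershell
# Added example. Assumes an existing Connect-MsolService session (MSOnline module,
# which Microsoft has deprecated in favor of Microsoft Graph PowerShell).
param(
    [Parameter(Mandatory)][string]$Upn,
    [switch]$Commit   # without -Commit the script only reports; nothing is deleted
)

# 1. Confirm this really is a cloud-only account. A synced object carries an
#    ImmutableId and a LastDirSyncTime; a pure cloud account has neither.
$user = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop
if ($user.ImmutableId -or $user.LastDirSyncTime) {
    throw "$Upn is (or was) synced from on-prem; refusing to delete a synced object."
}

# 2. Show why the merge failed: the admin roles the cloud account holds.
#    In MSOnline the Global Administrator role is named "Company Administrator".
$roles = Get-MsolUserRole -UserPrincipalName $Upn
$roleNames = if ($roles) { $roles.Name -join ', ' } else { 'none' }
Write-Host ("{0}: cloud-only, ObjectId {1}, roles: {2}" -f $Upn, $user.ObjectId, $roleNames)
if ($roles.Name -contains 'Company Administrator') {
    Write-Warning "This is a Global Administrator. Make sure it is not your last one or your own session."
}

if (-not $Commit) {
    Write-Host "Dry run. Re-run with -Commit to soft delete and then hard delete."
    return
}

# 3. Soft delete by ObjectId (no UPN ambiguity). The object moves to the recycle bin
#    and still blocks the sync merge.
Remove-MsolUser -ObjectId $user.ObjectId -Force

# 4. Prove it is in the recycle bin before purging. -ReturnDeletedUsers only returns
#    soft-deleted objects, so this confirms the hard delete has a target.
$deleted = Get-MsolUser -ReturnDeletedUsers -ObjectId $user.ObjectId -ErrorAction Stop
Write-Host ("Soft-deleted: {0} (ObjectId {1})" -f $deleted.UserPrincipalName, $deleted.ObjectId)

# 5. Hard delete: purge from the recycle bin. Past this point there is no recovery.
Remove-MsolUser -ObjectId $user.ObjectId -RemoveFromRecycleBin -Force

# 6. Verify nothing remains, active or deleted.
$stillActive  = Get-MsolUser -ObjectId $user.ObjectId -ErrorAction SilentlyContinue
$stillDeleted = Get-MsolUser -ReturnDeletedUsers -ObjectId $user.ObjectId -ErrorAction SilentlyContinue
if (-not $stillActive -and -not $stillDeleted) {
    Write-Host "Hard delete confirmed for $Upn"
} else {
    Write-Warning "$Upn still exists; check the recycle bin and try again."
}
```

Run it once without -Commit to see the account's sync state and roles, then again with -Commit once you are sure it is the right account.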
For all of my fellow Star Wars nerds out there, have you connected the dots on Order 66 with history? Not 100% sure if it’s accurate, but it makes a lot of sense. I was recently listening to an audiobook about American history and it talked about FDR’s Executive Order 9066. This was the order after Pearl Harbor to move Japanese Americans into internment camps. Other than the similarity in names, it’s similar in that they both are “turning” on your own people. Has anybody connected these dots before reading this?