
I use Azure AD Connect to sync Users, Computers and Groups from my local Active Directory to Azure. Before I set up Azure AD Connect, every User already existed in local AD and in Azure AD, so I had to match them via soft or hardlink.

All Users that I want to be synced are synced. I had a problem specifically with my user account. This one didn't want to be matched with its Azure AD counterpart at all. It always created a "new" Azure AD User instead of connecting to my existing one. The solution was that I had to remove my User from Global Administrator, sync again, and it worked. The user account is now locally synced, says the Azure AD Dashboard.

However - it is not. I use Password Hash sync for all users. It works for all users, except for mine. I still have an On-Prem Password and a Cloud Password. Also, when I add my user to a synced Group in AD, it won't get synced to Azure AD. It works for all the other user accounts.

What can I do to troubleshoot this? What I would like to do is to remove all the attributes that Azure AD set on my local AD User, since I think it might be that there are still some pointers to the accounts that were falsely created while trying to match my existing user.

Any ideas?


Did you use an account with the same UPN as your on-prem user account to configure AAD/the tenant initially? If so, you shouldn't have. You would have been much better off to use a generic account name as the "first GA" in the tenant. I can't speak to any effect that might have with password hash sync in AAD, because I've always only used a cloud-only account for that function.

As it states in the AAD setup guide, for privileged accounts, you should "Create dedicated, privileged, cloud-based user accounts and use them only when necessary". https://learn.microsoft.com/en-us/microsoft-365/enterprise/protect-your-global-administrator-accounts?view=o365-worldwide#1-create-dedicated-privileged-cloud-based-user-accounts-and-use-them-only-when-necessary

Other than any limitations with the initial GA account being able to sync as you've experienced, it's simply poor security practice to use an on-prem synced account that can have its password changed by anyone with the right on-prem. Also, there would be the possibility of the password getting out of sync if synchronisation isn't working at the time. And there are most likely many other reasons why MSFT recommends cloud-only accounts for that purpose.
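One concrete check for the matching problem described in the question, as an added example that is not part of the question or the answer: compare the on-prem source anchor (objectGUID or mS-DS-ConsistencyGuid, base64-encoded the way Azure AD Connect stores it) with the ImmutableId on the cloud object. If they differ, the on-prem user is linked to a different cloud object than the one you expected, which fits the "new user created instead of matched" symptom. It assumes the RSAT ActiveDirectory module, the Microsoft.Graph PowerShell module with an existing Connect-MgGraph session (User.Read.All), and the placeholder identities in the parameters.

```powershell
# Added example, not from the original post: verify that the on-prem anchor
# and the cloud ImmutableId of one user actually line up after a hard match.
# Assumes: ActiveDirectory module, Microsoft.Graph module, Connect-MgGraph
# already run with User.Read.All; identities below are placeholders.
param(
    [string]$OnPremSamAccountName = 'jdoe',              # placeholder
    [string]$CloudUpn             = 'jdoe@contoso.com'   # placeholder
)

Import-Module ActiveDirectory

# Read the on-prem object with both attributes Azure AD Connect can use as
# the source anchor (objectGUID, or mS-DS-ConsistencyGuid once written).
$adUser = Get-ADUser -Identity $OnPremSamAccountName `
    -Properties 'mS-DS-ConsistencyGuid', 'objectGUID'

# The cloud ImmutableId is the base64 encoding of the anchor's raw bytes.
$guidAsImmutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
$consistencyBytes  = $adUser.'mS-DS-ConsistencyGuid'
$consistencyAsB64  = if ($consistencyBytes) {
    [Convert]::ToBase64String([byte[]]$consistencyBytes)
} else { $null }

# Read the cloud object's anchor and its sync flag.
$cloudUser = Get-MgUser -UserId $CloudUpn `
    -Property 'Id', 'UserPrincipalName', 'OnPremisesImmutableId', 'OnPremisesSyncEnabled'

# AnchorsMatch = $false means the cloud object you are looking at is not the
# one Azure AD Connect linked to this on-prem user; look for a second cloud
# object carrying one of the on-prem values before touching any attributes.
[pscustomobject]@{
    OnPremObjectGuidB64      = $guidAsImmutableId
    OnPremConsistencyGuidB64 = $consistencyAsB64
    CloudImmutableId         = $cloudUser.OnPremisesImmutableId
    CloudSyncEnabled         = $cloudUser.OnPremisesSyncEnabled
    AnchorsMatch             = ($cloudUser.OnPremisesImmutableId -in @($guidAsImmutableId, $consistencyAsB64))
} | Format-List
```

Run it against the cloud user that reports "locally synced" and against any duplicate that was created during the failed matches; the one whose ImmutableId matches the on-prem value is the object that password hash sync and group membership are actually flowing to.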
