Search AD object via ConsistencyGUID attribute

Scenario

Is your Admin center showing a duplicate MSOL user, with both copies syncing to O365, and you are wondering whether you can merge them?

Do you have two identical MSOL users and would like a safe way to delete one?

Do a ConsistencyGUID search of a specific AD object.

Firstly, you don't really have to merge these, and there is no way to do that anyway. Both MSOL users are synced from AD; consequently, the only question is which one to retain, and obviously that is the licensed account.

That is to say, you just need to find the AD object that corresponds to the unlicensed MSOL user by doing a ConsistencyGUID (mS-DS-ConsistencyGUID) search and move it out of the syncing OU. The next sync will then delete it from O365 and it will no longer show in the Admin center under Active users.


Steps

  1. Connect to MSOL using PowerShell (Connect-MsolService)

  2. Run the cmdlet below to find the ImmutableID of the unlicensed user

    # [email protected] is the unlicensed user
    
    Get-MsolUser -UserPrincipalName [email protected] | fl DisplayName,UserPrincipalName,ImmutableId
    
  3. Take note of the immutableID

    [Screenshot: ad-search-object-consistencyguid-img-1]

  4. Access your Active Directory server where you have configured your Azure AD Connect Sync

  5. Open PowerShell

  6. Run the cmdlets below; they search for the AD object whose mS-DS-ConsistencyGUID matches the ImmutableID value

    # ENTER_IMMUTABLE_ID_HERE is the ImmutableID from the previous steps
    Import-Module ActiveDirectory
    
    # The ImmutableID is the base64 encoding of the 16 GUID bytes
    $bytes = [System.Convert]::FromBase64String("ENTER_IMMUTABLE_ID_HERE")
    
    # Each byte becomes two hex digits, then a backslash is put in front of each pair (\XX) so the
    # LDAP filter carries the raw binary value
    $hex = -join ($bytes | ForEach-Object { $_.ToString("X2") })
    $search = $hex -replace '(..)','\$1'
    
    $adUser = Get-ADUser -LDAPFilter "(ms-ds-consistencyguid=$search)" -Properties DistinguishedName
    $adUser
    
  7. Once you've retrieved it, all you need to do is locate the OU where the object is and then move it to an OU (Organizational Unit) that is not synced

    [Screenshot: ad-search-object-consistencyguid-img-2]

  8. Finally, wait 30 minutes to an hour for the scheduled Azure AD Connect sync to complete
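The conversion in step 6, as an added example that is not part of the original post: the ImmutableID is unpacked into an LDAP-escaped GUID, the object is looked up on both mS-DS-ConsistencyGuid and objectGUID (a synced object that predates the ConsistencyGUID feature may only match on objectGUID), and the match is verified by re-encoding its objectGUID before anything is moved. It assumes the ActiveDirectory module is available and that the function names and the placeholder ImmutableID are hypothetical.

```powershell
# Added example, not the post's own code. Assumes the ActiveDirectory module is installed
# (RSAT) and is run on a domain-joined machine such as the Azure AD Connect server.
Import-Module ActiveDirectory

function ConvertTo-LdapGuidFilter {
    # Turn a base64 ImmutableID into the \XX\XX... form an LDAP filter expects
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [System.Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) {
        throw "ImmutableID must decode to 16 bytes, got $($bytes.Length)"
    }
    return -join ($bytes | ForEach-Object { '\{0:X2}' -f $_ })
}

function Find-ADUserByImmutableId {
    # Search ConsistencyGuid first and objectGUID as a fallback; both hold the same 16 bytes
    param([Parameter(Mandatory)][string]$ImmutableId)
    $escaped = ConvertTo-LdapGuidFilter -ImmutableId $ImmutableId
    $filter  = "(|(mS-DS-ConsistencyGuid=$escaped)(objectGUID=$escaped))"
    Get-ADUser -LDAPFilter $filter -Properties mS-DS-ConsistencyGuid, DistinguishedName
}

function Test-ImmutableIdMatch {
    # Safety check before moving the object: the base64 of its objectGUID must equal the ImmutableID
    param([Parameter(Mandatory)]$ADUser, [Parameter(Mandatory)][string]$ImmutableId)
    $fromGuid = [System.Convert]::ToBase64String($ADUser.ObjectGUID.ToByteArray())
    return ($fromGuid -eq $ImmutableId)
}

# Hypothetical placeholder value; replace with the ImmutableID taken from Get-MsolUser
$immutableId = 'ENTER_IMMUTABLE_ID_HERE'
$adUser = Find-ADUserByImmutableId -ImmutableId $immutableId

if ($null -eq $adUser) {
    Write-Warning "No AD object matches $immutableId; the MSOL user may be cloud-only"
} elseif (-not (Test-ImmutableIdMatch -ADUser $adUser -ImmutableId $immutableId)) {
    Write-Warning "Matched $($adUser.DistinguishedName) but its objectGUID does not re-encode to the ImmutableID; check before moving"
} else {
    # Only report here; the move to a non-synced OU stays a deliberate, separate action
    "$($adUser.UserPrincipalName) -> $($adUser.DistinguishedName)"
}
```

Compare the reported UserPrincipalName with the unlicensed MSOL user before moving the object, so the licensed account is never the one taken out of sync scope.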

