How to merge an Office 365 account with an on-premises AD account after hybrid configuration?

Once you have completed a hybrid configuration in your company, it turns out that the job is not done yet. After a quick verification of whether the hybrid is set up correctly, you may notice that some of the users are not synchronized properly. If that is the case, you need to make some additional adjustments. If you hit a roadblock during synchronization, the problem is most likely related to user synchronization between the local Active Directory and Azure AD. Common causes are:

  • Lack of rights to Organizational Units (OU) or AD objects (users, groups or computers) for a service account used by Azure AD Connect (AAD Connect)
  • The improper scope of objects synchronized with Office 365. In other words, perhaps an OU that contains a certain user object, group or computer was not selected in the AAD Connect configuration wizard.

You can encounter these problems when you run the synchronization from on-premises AD to Office 365. But this can also happen the other way round, when you run the synchronization from Office 365 to on-premises AD, or in both directions. The most common scenarios are described below.

In this article, I will show you how to manage these situations in an environment with hybrid configuration and Centralized Mail Transport enabled.

A user has an account in Office 365 but not in local Active Directory

Merging AD account with Office 365

In this scenario, a user account is created in Office 365 in a hybrid setup. It is worth mentioning that this scenario is correct and supported by Microsoft. However, it causes problems for an Office 365 user when he or she wants to access public folders hosted on the on-premises Exchange. The user will not be able to access local public folders (legacy public folders), and any connection attempt will throw the following error:

Cannot expand the folder. The set of folders cannot be opened. Network problems are preventing connection to Microsoft Exchange

How to solve this problem

To solve the problem you need to run SMTP matching. This means that you need to create a local AD object with an SMTP address that matches the primary SMTP address of the user object in Office 365. Unfortunately, there are some limitations highlighted by Microsoft related to SMTP matching:

  • A user account that you want to run SMTP matching on needs to have an Exchange Online email address (the Exchange Online license is not required).
  • A user account that was originally authored in Office 365 can be SMTP-matched only once.
  • During the SMTP matching process, the primary address of an Office 365 user can’t be updated.
  • Every SMTP address needs to be unique; otherwise the synchronization will fail and you may see this error:
Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses;]. Correct or remove the duplicate values in your local directory.

To match users in Office 365 with AD users, follow the steps below:

  1. Log in to Office 365 and go to Exchange admin center.
  2. Write down the primary SMTP address for the selected user in Exchange Online (if you do not have an Exchange Online license, you can take this address from the user’s Office 365 login – in most cases it’s the same).
  3. Create a user object in your local Active Directory with the same attributes (first name, last name, UPN, etc.) as in Office 365.
  4. Set up the primary SMTP address for the new AD object using the address from step 2. In Active Directory, set it in the proxyAddresses attribute (the primary address is the entry prefixed with upper-case SMTP:).
  5. Force the synchronization of AD objects with Office 365 on the server with Azure AD Connect. Use the following cmdlet:
    Start-ADSyncSyncCycle -PolicyType Delta
  6. After a successful user synchronization, the Sync type section in Office 365 shows Synced with Active Directory instead of In cloud.
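The steps above as one script. This is an added example, not code from the original article: it reads the primary SMTP address from the cloud user, checks that no other AD object already carries it (the duplicate proxyAddresses limitation above), creates the AD object, sets proxyAddresses, forces a delta sync and verifies the result. The UPN, OU path and AAD Connect server name are placeholders; the MSOnline and ActiveDirectory modules are assumed to be installed.

```powershell
# Added example (not from the original article): SMTP-match one cloud-only Office 365 user
# to a new on-premises AD object. UPN, OU and server name below are placeholders.
Import-Module ActiveDirectory
Connect-MsolService                                   # prompts for tenant admin credentials

$Upn              = 'jdoe@contoso.com'                # placeholder cloud-only user
$TargetOu         = 'OU=Users,DC=contoso,DC=local'    # placeholder OU; must be in AAD Connect scope
$AadConnectServer = 'AADC01'                          # placeholder AAD Connect server

# Step 2: read the primary SMTP address (upper-case "SMTP:" marks the primary entry).
$cloudUser = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop
if ($cloudUser.LastDirSyncTime) { throw "$Upn is already synced from AD; SMTP matching does not apply." }
$primarySmtp = @($cloudUser.ProxyAddresses) -cmatch '^SMTP:' | Select-Object -First 1
$primarySmtp = $primarySmtp -creplace '^SMTP:', ''
if (-not $primarySmtp) { $primarySmtp = $Upn }        # fall back to the login name, as the article suggests

# Limitation: every SMTP address must be unique in AD, or the sync fails with the ProxyAddresses error.
$clash = Get-ADUser -LDAPFilter "(proxyAddresses=SMTP:$primarySmtp)" -Properties proxyAddresses
if ($clash) { throw "SMTP:$primarySmtp already exists on $($clash.DistinguishedName); fix the duplicate first." }

# Step 3: create the AD object with the same identity attributes as in Office 365.
$samAccountName = ($Upn -split '@')[0]
New-ADUser -Name $cloudUser.DisplayName `
           -GivenName $cloudUser.FirstName -Surname $cloudUser.LastName `
           -SamAccountName $samAccountName -UserPrincipalName $Upn `
           -Path $TargetOu -Enabled $true `
           -AccountPassword (Read-Host -AsSecureString "Initial password for $Upn")

# Step 4: set the primary SMTP address in proxyAddresses (and mail) so the match can succeed.
Set-ADUser -Identity $samAccountName -Add @{ proxyAddresses = "SMTP:$primarySmtp" } -EmailAddress $primarySmtp

# Step 5: force a delta sync on the AAD Connect server.
Invoke-Command -ComputerName $AadConnectServer -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta }

# Step 6: after the cycle completes, LastDirSyncTime and ImmutableId are set on the cloud user
# (this is what "Synced with Active Directory" reflects in the portal).
Get-MsolUser -UserPrincipalName $Upn | Select-Object UserPrincipalName, LastDirSyncTime, ImmutableId
```

The delta cycle takes a minute or two, so rerun the final Get-MsolUser until LastDirSyncTime is populated.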


Once the synchronization is finished, an Office 365 user should have access to on-premises public folders.

A user has both Office 365 and local AD accounts

Sometimes a company uses both environments to have access to different services offered by these two platforms. For example, the company decides to use Office 365 to have access to SharePoint Online and Skype for Business services. At the same time, the company maintains the on-premises Exchange Server.


However, when you set up a hybrid environment and synchronize directories via Azure AD Connect, this may duplicate user accounts or cause other sync issues. A single user can end up having two accounts – one in Office 365 and one in local Active Directory. If the company uses Skype for Business (Lync) in an on-premises environment, the synchronization can be even more complicated.

One user, two accounts

If that is the case, you should carefully plan the synchronization before using Azure AD Connect for the first time. Verify attributes, UPNs and SMTP addresses to make sure that all AD objects correspond to Office 365 objects. Additionally, when you have Skype/Lync on-premises you should think over what results you expect to achieve. For example, you may decide to migrate to Skype for Business Online and stop using the on-premises solution.

Generally speaking, if any problems appear in this scenario, you can run SMTP matching as well. If there are duplicate user accounts, you need to remove them from Office 365 using the following cmdlets in Azure Active Directory Module for Windows PowerShell (the first moves the user to the recycle bin, the second purges it permanently):

# <user@domain.com> is a placeholder for the duplicate user's UPN
Remove-MsolUser -UserPrincipalName <user@domain.com>

Remove-MsolUser -UserPrincipalName <user@domain.com> -RemoveFromRecycleBin

For a user who has a duplicated account, you should check and correct attributes either in Office 365 or in local AD. You can find more details on fixing synchronization problems in the Azure AD Connect documentation.
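The planning step above (verifying UPNs and SMTP addresses before the first sync) as an added audit script; this is not code from the original article. It indexes AD users by UPN and by every SMTP proxy address, reports duplicate addresses inside AD, and classifies each Office 365 user as synced, cloud-only with an AD object ready for SMTP matching, or cloud-only with no AD object. It assumes the ActiveDirectory and MSOnline modules.

```powershell
# Added example (not from the original article): pre-sync audit of AD vs. Office 365 users.
Import-Module ActiveDirectory
Connect-MsolService

# Index AD users by UPN and by each SMTP proxy address (lower-cased; addresses compare case-insensitively).
$adByUpn = @{}; $adBySmtp = @{}
foreach ($u in Get-ADUser -Filter * -Properties proxyAddresses) {
    if ($u.UserPrincipalName) { $adByUpn[$u.UserPrincipalName.ToLower()] = $u }
    foreach ($p in @($u.proxyAddresses) -match '^smtp:') {
        $addr = ($p -replace '^smtp:', '').ToLower()
        if ($adBySmtp.ContainsKey($addr)) {
            # This is the duplicate that makes the sync fail with the ProxyAddresses error.
            Write-Warning "DUPLICATE in AD: $addr on $($adBySmtp[$addr].DistinguishedName) and $($u.DistinguishedName)"
        } else { $adBySmtp[$addr] = $u }
    }
}

# Classify each cloud user; the Status tells you which scenario from the article applies.
$report = foreach ($c in Get-MsolUser -All) {
    $upn     = $c.UserPrincipalName.ToLower()
    $primary = @($c.ProxyAddresses) -cmatch '^SMTP:' | Select-Object -First 1
    $primary = $primary -creplace '^SMTP:', ''
    if (-not $primary) { $primary = $upn }
    $status = if ($c.LastDirSyncTime)                              { 'Synced' }
              elseif ($adBySmtp.ContainsKey($primary.ToLower()))   { 'CloudOnly-SmtpMatchReady' }
              elseif ($adByUpn.ContainsKey($upn))                  { 'CloudOnly-UpnFoundButSmtpMissing' }
              else                                                 { 'CloudOnly-NoAdObject' }
    [pscustomobject]@{ UserPrincipalName = $c.UserPrincipalName; PrimarySmtp = $primary
                       Status = $status; Licensed = $c.IsLicensed }
}
$report | Sort-Object Status, UserPrincipalName | Format-Table -AutoSize
```

Users reported as CloudOnly-NoAdObject need the AD object from scenario 1; CloudOnly-UpnFoundButSmtpMissing users have an AD account whose proxyAddresses still lacks the primary address.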

To get more information on Skype/Lync migrations, visit this TechNet website.

A user has one mailbox in Office 365 and one in an on-premises Exchange

It is one of those weird situations when a single user has one AD account but is connected to two mailboxes – one mailbox in Office 365 and the second one on on-premises Exchange (in practice, the user will be connected to the on-premises one via Autodiscover). This situation is very similar to the second scenario above, the only difference being that the Office 365 user has an Office 365 license assigned (including a license for Exchange Online). As you can imagine, having two mailboxes in a hybrid setup causes complications in the email flow for that user. When the MX record points to Office 365, email will get stuck in the Office 365 mailbox and will not be delivered to the on-premises mailbox.

A user with one mailbox in Office 365 and one in on-premises Exchange.

How to solve the problem

Unfortunately, in this case, SMTP matching will not help. The only result you would achieve after running SMTP matching is having the Office 365 and on-premises accounts matched – this will not merge the mailboxes, though. Removing the license from the Office 365 user will not solve the problem either. The only method is to remove the Office 365 user and recreate it via Azure AD Connect synchronization.

Note: Keep in mind that when you remove the user, he or she will lose their Office 365 data. That is why, before deleting the user account, make sure to create a backup copy of the user’s data (OneDrive, Exchange etc.). If you need to repeat this procedure for a number of users, you may consider using a third-party tool like CodeTwo Backup, which will also help you restore data to on-premises mailboxes.

To solve the problem follow the steps below:

  1. Connect to an Office 365 tenant using Azure Active Directory Module for Windows PowerShell:
    Connect-MsolService
  2. Then, remove the user by executing the following cmdlets (the first moves the user to the recycle bin, the second purges it permanently; <user@domain.com> is a placeholder for the user's UPN):
    Remove-MsolUser -UserPrincipalName <user@domain.com>
    Remove-MsolUser -UserPrincipalName <user@domain.com> -RemoveFromRecycleBin
  3. Finally, recreate the user via Azure AD Connect by forcing the synchronization process (run the cmdlet on the server with Azure AD Connect):
    Start-ADSyncSyncCycle -PolicyType Delta
  4. As soon as you activate the Office 365 license, you should see the mailbox information listed under the user's Mail settings in Office 365.

This confirms that Exchange now recognizes the user’s mailbox. Once you have recreated the user, you can start restoring the user’s data to Office 365.
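The removal procedure above as an added script (not code from the original article), with the checks a practitioner wants before an irreversible delete: it refuses to run against an already-synced object or when no matching AD user exists, records the licenses so they can be reassigned in step 4, purges the recycle bin, forces the delta sync and waits for the synced object to reappear. The UPN, record path and server name are placeholders; the MSOnline and ActiveDirectory modules are assumed.

```powershell
# Added example (not from the original article): delete a cloud-only Office 365 user so that
# Azure AD Connect recreates it from the existing on-premises AD object (scenario 3).
Import-Module ActiveDirectory
Connect-MsolService

$Upn              = 'jdoe@contoso.com'    # placeholder user with two mailboxes
$AadConnectServer = 'AADC01'              # placeholder AAD Connect server
$RecordPath       = "C:\Temp\$($Upn -replace '[@.]', '_')-licenses.json"   # placeholder path

$cloudUser = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop

# Guard 1: only a cloud-authored object may be deleted here; a synced one (ImmutableId set) is owned by AD.
if ($cloudUser.ImmutableId) { throw "$Upn is already directory-synced; this procedure does not apply." }

# Guard 2: the AD object that step 3 is supposed to sync must already exist and be in scope.
if (-not (Get-ADUser -Filter "UserPrincipalName -eq '$Upn'")) { throw "No AD user with UPN $Upn." }

# Record licenses and usage location for step 4. Mailbox and OneDrive content is NOT covered
# by this record; back it up first, as the note in the article warns.
[pscustomobject]@{
    UserPrincipalName = $Upn
    UsageLocation     = $cloudUser.UsageLocation
    Licenses          = @($cloudUser.Licenses.AccountSkuId)
} | ConvertTo-Json | Set-Content -Path $RecordPath

# Step 2: soft-delete, then purge from the recycle bin so the UPN and SMTP address are released.
Remove-MsolUser -UserPrincipalName $Upn -Force
Remove-MsolUser -UserPrincipalName $Upn -RemoveFromRecycleBin -Force
if (Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $Upn -ErrorAction SilentlyContinue) {
    throw "$Upn is still in the recycle bin; purge it before forcing the sync."
}

# Step 3: force a delta sync on the AAD Connect server and wait until the synced object appears.
Invoke-Command -ComputerName $AadConnectServer -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta }
do {
    Start-Sleep -Seconds 30
    $newUser = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
} until ($newUser -and $newUser.ImmutableId)

# Step 4: reassign the recorded licenses; the mailbox then shows up under Mail settings as in the article.
$record = Get-Content -Raw -Path $RecordPath | ConvertFrom-Json
if ($record.UsageLocation) { Set-MsolUser -UserPrincipalName $Upn -UsageLocation $record.UsageLocation }
foreach ($sku in @($record.Licenses)) { Set-MsolUserLicense -UserPrincipalName $Upn -AddLicenses $sku }
```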


6 thoughts on “How to merge an Office 365 account with an on-premises AD account after hybrid configuration?”

  1. Hi Adam, great article, thanks a lot!
    I work in a school as teacher and have an extra function there as admin of our local AD (windows Server 2012 R2) and our Office 365. Our setup is like this:
    Until a few years ago we had a Windows Server 2003 in the school with AD and Exchange. While the server still worked as AD, we moved our mail to Office 365 and I created users with mailboxes in Office 365.
    Later when we got a new Windows 2012 R2 server for AD, it didn’t synch from the Office 365 to our local server, only the other way round, even with Azure (probably because I don’t know how to do it). So I had to create users in AD, and they are automatically synched with Office 365. I do that with new teachers and it works fine. But I would like to merge the “old” teachers in our system to avoid the synch-conflicts from Azure.
    Since we also use onedrive and sharepoint, I’m a little reluctant to change anything that I don’t know the consequences of. But with your guide I hope to end up with only one account for both the old and new users. Is that possible?

    • Please do let me know when you are able to do so. I was just thinking of the same situation and its resolution

    • Hi Michael,
      If I understand correctly, your situation is like the one I describe in the third scenario. The solution I propose (deleting the Office 365 user and recreating the mailbox with AAD Connect afterwards) is not perfect – you need to backup all Office 365 data (including Onedrive and SharePoint) for the user and re-assign permissions for their mailbox. It will be time-consuming and problematic, but will end with a fully merged user in both on-premises Exchange and Exchange Online.

  2. I have an on-premise AD and office 365 email (as well as Azure AD)

    on-premise ID:
    office 365 mail:

    how do I sync/match this user with different username…? Is it possible?

    • You need to add proxyAddresses [Office 365 account id] in the attribute of the user located in Local Active Directory.

      or vice versa;
