I'm dealing with a tricky situation in our hybrid Entra and on-prem environment. A user recently changed their name, and now their new email address is correctly updated in Active Directory, Entra, and Exchange Online. However, there's still a routing proxy address associated with their old alias in both Entra and Exchange Online that isn't visible on-prem. This becomes problematic because a new user has since been assigned the old user's UPN and alias, leading to occasional email mix-ups where the new user receives messages meant for the original user. I'm stuck here, since I can't seem to remove the routing address from Entra or Exchange Online due to it syncing from on-prem, yet it doesn't appear on-prem to be able to delete it. Any suggestions on how to resolve this issue?
3 Answers
First off, check the proxyAddresses attribute in your on-prem AD for the old user. This setting might still have the old alias, which could be causing the conflict. You need to have unique identifiers for each user, especially after a name change. Make sure to verify that both users have distinct Immutable IDs. If they share an alias, that could definitely lead to routing issues in Entra. I’d recommend isolating both users temporarily by moving them out of the synced OU in Entra, then soft deleting their cloud accounts to clear out any residual settings for the old user. After that, correct the proxy address in the on-prem AD before moving everything back in sync. It might take a bit of time, but it should resolve the routing conflict.
You can trigger a delta sync manually in Azure AD Connect, which should speed things up a bit.
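The checks described in the answer above (find who holds the alias on-prem and in Exchange Online, correct it in AD, then run a delta sync) as one PowerShell walk-through. This is an added example, not code from the thread. It assumes the RSAT ActiveDirectory module on a domain-joined admin host, the ExchangeOnlineManagement module with an open Connect-ExchangeOnline session, and the ADSync module on the Entra Connect server; the alias, domain and server name are constructed placeholders.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory, an open
# Connect-ExchangeOnline session, and the ADSync module on the Connect server.
# The alias, domain and server name are constructed placeholders.
$OldAlias   = 'old.alias@contoso.com'
$SyncServer = 'AADCONNECT01'   # placeholder Entra Connect server name

# 1. Every on-prem object carrying the alias anywhere in proxyAddresses (not just in mail).
#    AD string matching is case-insensitive, so this finds both 'smtp:' and 'SMTP:' entries.
$onPrem = Get-ADObject -LDAPFilter "(proxyAddresses=smtp:$OldAlias)" `
            -Properties mail, mailNickname, userPrincipalName, proxyAddresses
'--- on-prem AD objects holding the alias ---'
$onPrem | Select-Object Name, userPrincipalName, mailNickname,
            @{ n = 'proxyAddresses'; e = { $_.proxyAddresses -join '; ' } } | Format-List

# 2. Every Exchange Online mailbox carrying the alias, with its directory-sync state.
$cloud = Get-Mailbox -Filter "EmailAddresses -eq 'smtp:$OldAlias'"
'--- Exchange Online mailboxes holding the alias ---'
$cloud | Select-Object DisplayName, UserPrincipalName, Alias, IsDirSynced,
            @{ n = 'EmailAddresses'; e = { $_.EmailAddresses -join '; ' } } | Format-List

# 3. For each synced mailbox, list the addresses Exchange Online has that AD does not.
#    These are the ones that cannot be deleted on-prem because they were never there.
#    A *.mail.onmicrosoft.com routing address is derived from the Alias (mailNickname)
#    by Exchange Online, so a reused alias yields a reused routing address.
foreach ($mbx in $cloud | Where-Object IsDirSynced) {
    $ad = Get-ADUser -Filter "userPrincipalName -eq '$($mbx.UserPrincipalName)'" -Properties proxyAddresses
    $cloudOnly = $mbx.EmailAddresses | Where-Object { $_ -notin $ad.proxyAddresses }
    '{0}: cloud-only addresses -> {1}' -f $mbx.UserPrincipalName, ($cloudOnly -join '; ')
}

# 4. Where the alias really is on the wrong on-prem object, remove it there and push a
#    delta sync instead of waiting for the scheduler. Uncomment only after confirming
#    $onPrem contains exactly the one object you expect.
# Set-ADUser -Identity $onPrem.DistinguishedName -Remove @{ proxyAddresses = "smtp:$OldAlias" }
# Invoke-Command -ComputerName $SyncServer -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta }
```

Step 3 is the part that answers the original question directly: if the stale routing address shows up only in the cloud-only list for a synced mailbox, AD is not its source, and removing it on-prem cannot work because there is nothing on-prem to remove.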
Honestly, reusing old aliases is just asking for trouble. When the new user was given the old UPN and alias, it was bound to cause issues. Best practice is to avoid such overlaps. That said, you'll need to ensure both users have distinct, user-friendly UPNs moving forward. Just make sure you're handling this at the Active Directory side to keep things clean and organized without syncing conflicts.
Yeah, I totally get that, but sometimes management doesn't get it and we just have to deal with what we’re given.
Exactly! It's tough. Just ensure clarity moving ahead, and hopefully, these kinds of issues will be less frequent.
It sounds like the real issue is the residual proxy address not being visible on-prem. Sometimes attributes don’t sync back, like the Immutable ID or Source Anchor. My advice? Verify that the original user and the new one are using unique Immutable IDs based on their GUIDs in your on-prem AD. If not, consider using PowerShell to rectify these because they might be causing the conflict in Entra.
I’ll try that. Just to clarify, using PowerShell to get GUIDs and setting them correctly in AD should help?
Absolutely! That should resolve a lot of syncing problems.
That makes sense, but I'm worried about how long this process will take. Is there a way to force the sync to happen faster?
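The Immutable ID check suggested in the answer above, worked through in PowerShell. This is an added example, not code from the thread. It assumes the RSAT ActiveDirectory module and the Microsoft.Graph.Users module with an open Connect-MgGraph session (User.Read.All scope); the function name Compare-SourceAnchor and the two UPNs are constructed for the example.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory and Microsoft.Graph.Users
# with an open Connect-MgGraph -Scopes 'User.Read.All' session. UPNs below are placeholders.
function Compare-SourceAnchor {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $ad = Get-ADUser -Filter "userPrincipalName -eq '$UserPrincipalName'" `
            -Properties objectGUID, 'mS-DS-ConsistencyGuid', mail, proxyAddresses
    if (-not $ad) { throw "No on-prem user with UPN $UserPrincipalName" }

    # Entra Connect uses mS-DS-ConsistencyGuid as the source anchor when it is populated,
    # otherwise the objectGUID. Either way the ImmutableId is the Base64 of the 16 raw bytes.
    $anchorBytes = if ($ad.'mS-DS-ConsistencyGuid') { $ad.'mS-DS-ConsistencyGuid' }
                   else { $ad.ObjectGUID.ToByteArray() }
    $expected = [Convert]::ToBase64String($anchorBytes)

    $cloud = Get-MgUser -UserId $UserPrincipalName `
               -Property Id, UserPrincipalName, OnPremisesImmutableId, OnPremisesSyncEnabled

    [pscustomobject]@{
        UserPrincipalName   = $UserPrincipalName
        OnPremObjectGuid    = $ad.ObjectGUID
        AnchorSource        = if ($ad.'mS-DS-ConsistencyGuid') { 'mS-DS-ConsistencyGuid' } else { 'objectGUID' }
        ExpectedImmutableId = $expected
        CloudImmutableId    = $cloud.OnPremisesImmutableId
        AnchorMatches       = ($expected -eq $cloud.OnPremisesImmutableId)
        CloudSyncEnabled    = $cloud.OnPremisesSyncEnabled
    }
}

# Run for both accounts involved and compare side by side. Two accounts reporting the same
# CloudImmutableId, or any account with AnchorMatches = False, is the mismatch answer 3 describes.
$report = 'renamed.user@contoso.com', 'new.hire@contoso.com' | ForEach-Object { Compare-SourceAnchor $_ }
$report | Format-List
```

If both anchors match and are distinct, the Immutable IDs are not the cause and attention goes back to the proxy addresses themselves. A mismatched anchor can only be corrected from the cloud side on an object that is not currently being synced (Set-MgUser -OnPremisesImmutableId); for a synced object the value is owned by the on-prem source.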