# Change data in local AD when Entra is connected


lusty lodge

Hey all.

Our company's local AD has been connected to Entra (formerly via Azure AD Connect) for years. Works as it should. Check.

Now we have a nasty problem: when we change the surname of a user (e.g. because of a marriage), only the display name changes. The name/identity of the user's object in Exchange Online is still the old one.

When we try to change the name with `Set-User` (Exchange Online cmdlet), there is an error saying that we have to change it in local AD, because they are in sync and changes are only possible one way, from local AD to Azure AD. Sigh.

In general I understand the situation. Problem is: in local AD there is no way to change it. The data I have to change is saved in Azure AD, but I have to change it in local AD, where it doesn't exist.

Do you have any idea how to change the properties "Identity", "Id" and "Name" that you get with `Get-User`? Is there a chance to "disconnect" users from both ADs and reconnect them, without any loss of data in a mailbox or similar? To force a sync or to rebuild the user's identity.

Thanks for your help!

lime merlin
> lusty lodge: Hey all. Our companies local AD is connected to Entra (formerly with Azure AD C...

This isn't really anything nasty. AD is the source of truth, which creates an Entra object that then syncs over to EXO. So if you're looking to make changes, it should be in AD. Alternatively, if AD syncs off some HR tool via a lifecycle tool as the source of truth, then the edits should be done there, and they then trickle down.

The attributes you're looking to modify in AD are one or more of the following: `sAMAccountName`, `userPrincipalName`, or `mail`. Depending on what options were chosen during sync setup (since it's legacy, and legacy let you choose, and some people didn't choose GUID/SID), it could be that modifying any of those creates a new Entra object.

So you'd be using `Set-ADUser` with `-Replace` and whichever attribute you've determined needs to be changed.

Then you either wait until your established sync cycle propagates the changes, or initiate a delta with `Start-ADSyncSyncCycle -PolicyType Delta`.
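To make the answer above concrete, here is an added PowerShell example; it is not code from the thread, from either poster, or from Microsoft. It snapshots the identity attributes the answer names, refuses to reuse a `sAMAccountName`/UPN that already belongs to another object, applies the rename with `Set-ADUser -Replace`, and optionally kicks off a delta sync. The parameter names, the placeholder user and domain, the warning about an empty `mS-DS-ConsistencyGuid` (assumed here to be the source anchor, which the thread does not state) and the `proxyAddresses` remark are my assumptions, added as the checks a practitioner would want before changing attributes that decide whether Entra updates or re-creates the object.

```powershell
# Added example (not from the thread). Rename a synced user's identity attributes in on-prem AD
# and push them to Entra with a delta sync. Needs the ActiveDirectory module; the sync step
# needs to run on the Entra Connect server. User and domain values are placeholders.
#Requires -Modules ActiveDirectory

param(
    [Parameter(Mandatory)] [string]$SamAccountName,     # current sAMAccountName, e.g. 'jdoe'
    [Parameter(Mandatory)] [string]$NewSamAccountName,  # e.g. 'jsmith'
    [Parameter(Mandatory)] [string]$UpnSuffix,          # e.g. 'contoso.com' (a verified Entra domain)
    [switch]$RunDeltaSync                               # only meaningful on the Entra Connect server
)

$ErrorActionPreference = 'Stop'

# 1. Snapshot the attributes we are about to change, plus the ones that decide whether Entra
#    keeps the same object (objectGUID / mS-DS-ConsistencyGuid as source anchor, objectSid).
$props = 'sAMAccountName','userPrincipalName','mail','proxyAddresses',
         'objectGUID','mS-DS-ConsistencyGuid','objectSid'
$user  = Get-ADUser -Identity $SamAccountName -Properties $props

$anchor = $null
if ($user.'mS-DS-ConsistencyGuid') { $anchor = [guid]$user.'mS-DS-ConsistencyGuid' }

[ordered]@{
    sAMAccountName          = $user.sAMAccountName
    userPrincipalName       = $user.userPrincipalName
    mail                    = $user.mail
    objectGUID              = $user.objectGUID
    'mS-DS-ConsistencyGuid' = $anchor
} | Format-List

# Assumption: mS-DS-ConsistencyGuid is the configured source anchor. If it is empty, confirm
# the anchor setting in Entra Connect before renaming; an anchor that changes with the rename
# would create a new Entra object instead of updating the existing one (the answer's warning).
if (-not $anchor) {
    Write-Warning "mS-DS-ConsistencyGuid is empty on $($user.DistinguishedName); verify the source anchor first."
}

# 2. Build the replacement set. Only the attributes the answer names are touched.
$newUpn  = "$NewSamAccountName@$UpnSuffix"
$replace = @{
    sAMAccountName    = $NewSamAccountName
    userPrincipalName = $newUpn
    mail              = $newUpn
}

# Safety rail: never hand an existing logon name or UPN to a second object.
$clash = Get-ADObject -LDAPFilter "(|(sAMAccountName=$NewSamAccountName)(userPrincipalName=$newUpn))" |
         Where-Object { $_.ObjectGUID -ne $user.ObjectGUID }
if ($clash) {
    throw "'$NewSamAccountName' / '$newUpn' is already in use by $($clash.DistinguishedName)"
}

# 3. Apply the change. Run with -WhatIf first against a real directory.
Set-ADUser -Identity $user.DistinguishedName -Replace $replace

# Note: if Exchange attributes are mastered on-prem, the primary SMTP address also lives in
# proxyAddresses; that is outside what the answer covers and is deliberately not changed here.

# 4. Push it to Entra without waiting for the scheduled cycle.
if ($RunDeltaSync) {
    Import-Module ADSync
    if ((Get-ADSyncScheduler).SyncCycleInProgress) {
        Write-Warning 'A sync cycle is already running; wait for it to finish and re-run.'
    } else {
        Start-ADSyncSyncCycle -PolicyType Delta
    }
}

# 5. Confirm the on-prem result; the objectGUID is unchanged, so look the user up by it.
Get-ADUser -Identity $user.ObjectGUID -Properties sAMAccountName,userPrincipalName,mail |
    Select-Object sAMAccountName, userPrincipalName, mail
```

Run it as `.\Rename-SyncedUser.ps1 -SamAccountName jdoe -NewSamAccountName jsmith -UpnSuffix contoso.com -WhatIf` first (the script file name is mine); the `-WhatIf` flows through to `Set-ADUser` because the `param` block makes the script an advanced function. The UPN suffix must be a domain verified in the tenant, or Entra will fall back to the `onmicrosoft.com` suffix for that user.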