While DirSync is a nice canned version of FIM, I have found it can run in a wild loop. By Default the DirSync tool runs every 3 hours. If there are any errors, it generates an email to the technical contact’s email within the tenant configuration.
I was able to make it generate about 2 or 3 email conflict reports per second. That equates to 10,000+ emails in an hour.What caused this? Having an active directory forest with multiple domains. To understand let’s say there are two bob jones. One with a default UPN of firstname.lastname@example.org and email@example.com, and let’s say for clarity these are also represented by the names chicago\bjones and madison\bjones, as in domain\samaccountname. Technically there is no conflict. The UPNs are unique across the forest and the samaccountnames are unique within each respective domain.
Using a powershell command I can set the UPN suffix to @domain.com for both accounts. It should be noted that the ADUC utility will prevent conflicts from occurring, thus allow changing the first one to @domain.com, but then prevent the second one from being changed to @domain.com
After there became two firstname.lastname@example.org UPNs, DirSync found itself in a loop. When it generates a sync report to the technical contact on the office 365 tenant, it did so at a rate of 2 to 3 per second. This would not stop until I made one account different, such as email@example.com
I changed it to make every account the same as their email. What I didn’t expect what that bob jones in chicago, his logon account might have been chicago\bjones, but his configured email was firstname.lastname@example.org. The administrator ran into a conflict while creating the email account in the Exchange management console (EMC) and unchecked “Use Policy” and gave bob in chicago a non standard email address.
Lessons learned: Set the UPN prefix to the prefix the the default email address, and then set the suffix to @domain.com.
Besides, I have run into places where you may logon as bj9874 and your email is email@example.com. I would think you really want everyone logging in using their email address on office 365 portal, rather then their userid.
It’s worth noting that the prefix of the upn is, by default, is the same as the samaccount name when you setup the account in ADUC or EMC.