When you do this, you create duplicate UserIDs, and you will either have small, possibly unnoticeable, or big problems, but there will be problems so it is not recommended.
When you link an external Identity Source, your Security Console Administrators immediately see all users in that Identity Source. These users do not count against your active User limit, but at this point you can see everyone in the scope, under the Base DN and search filters.
When your Admin assigns a token authenticator; Hardware FOB, software, On Demand, Risk-Based or even a Fixed Passcode, that user now counts against your active user license limit. Auth Manager can do this because there is now a pointer, called the exuid field in the internal database, which contains the value of the location of this users in the external Identity Source, usually the Objectguid in Active Directory. The fact that there is now an exuid field pointing to a user's objectguid in AD is known as registration in RSA speak, this user is now said to be registered. Most Registered Users count against your active user license limit, but one exception to this, users who answer their Security Questions in the self service console become registered, but do not count against the active user license limit until an authenticator is assigned.
The minor problems start when your administrators see duplicate userIDs in the Security Console, one registered, others usually not. This can cause reporting problems, but authentications will work because on the registered user is found. Major problems start when you want to switch a registered user from one Identity Source to another Identity Source, when AM can see both users in both Identity Sources. There is no way in the Security Console to manually 'unregister' a user, the normal method is that the user is removed from AD (because they left the company, etc...) so AM no longer sees user, and when a clean-up job runs - then that user is unregistered. Worst problems are when the same userID gets registered twice.
