Office 365 – Resolving Identity Sync Problems

If you are synchronising Active Directory identities with Office 365, there are occasions where an AD account will not match the Office 365 account. When this happens, the sync creates a new unlicensed user in Office 365 alongside the existing one. This short article details a process that can resolve these duplicates in some instances.

  1. Move the affected users into a separate OU in Active Directory such as ‘temp’

  2. Connect to AzureAD

    Connect-MsolService -credential (Get-Credential)
  3. Obtain guid of the affected account

    $guid = (Get-ADUser <user>).ObjectGUID
  4. Convert the guid into a Base64 string for the new Immutable ID

    $immutableID = [System.Convert]::ToBase64String($guid.tobytearray())
  5. Permanently remove the duplicate account from Office 365.

    • These will be the ones that say Synchronized rather than In Cloud. Most likely with a UPN
    Remove-MsolUser -UserPrincipalName <UPN of duplicate account> -RemoveFromRecycleBin
  6. Set the new ImmutableID for the remaining account

    Set-MsolUser -UserPrincipalName <UPN of remaining account> -ImmutableID $immutableID
  7. Run Azure AD Connect

You should then find that the sync errors go away, and the Office 365 accounts now show as synchronized.
If you need to run this for multiple accounts you can simply put steps 3 – 6 in a foreach loop such as this.

Connect-MsolService -Credential (Get-Credential)

$users = Get-ADUser -Filter * -SearchBase 'OU=temp,DC=mydomain,DC=local'

# Placeholder: the domain suffix of the duplicate (unlicensed, "Synchronized") accounts to remove.
$duplicateDomain = '<domain of the duplicate accounts>'

foreach ($user in $users) {
    # Base64 of the AD objectGUID becomes the new ImmutableID for the remaining cloud account
    $guid = $user.ObjectGUID
    $immutableID = [System.Convert]::ToBase64String($guid.ToByteArray())
    Remove-MsolUser -UserPrincipalName ("$($user.SamAccountName)@" + $duplicateDomain) -RemoveFromRecycleBin
    Set-MsolUser -UserPrincipalName $user.UserPrincipalName -ImmutableID $immutableID
}
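Because step 5 deletes accounts permanently, it is worth a read-only pass first to confirm that the account being removed is really the unlicensed duplicate and that the computed ImmutableID is not held by some third object (including a soft-deleted one, which is why -RemoveFromRecycleBin is needed). The pre-flight check below is an added example, not part of the original article; it assumes the same ActiveDirectory and MSOnline modules, the 'OU=temp,DC=mydomain,DC=local' OU from the script above, and a placeholder $duplicateDomain that you fill in with the domain the duplicate accounts use.

```powershell
# Added pre-flight check (not from the original article): reports what the fix would do, changes nothing.
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)

$searchBase      = 'OU=temp,DC=mydomain,DC=local'        # OU used by the article's loop
$duplicateDomain = '<domain of the duplicate accounts>'  # placeholder, supplied by you

# Index every cloud user (live and soft-deleted) by ImmutableId so an ID already in use is detected.
$byImmutableId = @{}
@(Get-MsolUser -All) + @(Get-MsolUser -ReturnDeletedUsers -All) |
    Where-Object { $_.ImmutableId } |
    ForEach-Object { $byImmutableId[$_.ImmutableId] = $_ }

foreach ($user in Get-ADUser -Filter * -SearchBase $searchBase) {
    # Same derivation as the article: Base64 of the AD objectGUID
    $immutableId  = [System.Convert]::ToBase64String($user.ObjectGUID.ToByteArray())
    $duplicateUpn = "$($user.SamAccountName)@$duplicateDomain"

    $keep = Get-MsolUser -UserPrincipalName $user.UserPrincipalName -ErrorAction SilentlyContinue
    $dup  = Get-MsolUser -UserPrincipalName $duplicateUpn -ErrorAction SilentlyContinue

    $problems = @()
    if (-not $keep) { $problems += "no cloud account found for $($user.UserPrincipalName)" }
    if (-not $dup)  { $problems += "no duplicate account found at $duplicateUpn" }
    if ($dup -and $dup.IsLicensed) { $problems += "duplicate $duplicateUpn is licensed; check it holds no data before removal" }
    if ($keep -and $keep.ImmutableId -eq $immutableId) { $problems += 'ImmutableId already matches; nothing to do' }

    # The duplicate itself normally carries this ImmutableId (Azure AD Connect set it); any other owner is a conflict.
    $owner = $byImmutableId[$immutableId]
    if ($owner -and $owner.UserPrincipalName -notin @($user.UserPrincipalName, $duplicateUpn)) {
        $problems += "ImmutableId already belongs to $($owner.UserPrincipalName)"
    }

    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        KeepUpn        = $user.UserPrincipalName
        RemoveUpn      = $duplicateUpn
        ImmutableId    = $immutableId
        ReadyToFix     = ($problems.Count -eq 0)
        Problems       = ($problems -join '; ')
    }
}
```

Only rows with ReadyToFix set to True are safe to feed into the loop above; investigate the listed problems for the rest before running any Remove-MsolUser.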