Office 365 – Resolving Identity Sync Problems

If you are synchronising Active Directory identities with Office 365, there are occasions where an AD account will not match its Office 365 account: Azure AD Connect matches on the AD objectGUID (the source anchor), and if the cloud account's ImmutableID is empty or points at a different GUID, the sync creates a new unlicensed, duplicate user in Office 365 instead of linking the existing one. This short article details a process that can resolve these issues in some instances.

  1. Move the affected users into a separate OU in Active Directory, such as ‘temp’, so they can be targeted together

  2. Connect to AzureAD

    Connect-MsolService -credential (Get-Credential)
    
  3. Obtain the objectGUID of the affected AD account (Get-ADUser exposes it as ObjectGUID, not guid)

    $guid = (Get-ADUser <user>).ObjectGUID
    
  4. Convert the guid into a Base64 string for the new Immutable ID

    $immutableID = [System.Convert]::ToBase64String($guid.tobytearray())
    
  5. Permanently remove the duplicate account from Office 365.

    • These will be the ones that say Synchronized rather than In Cloud, most likely with an onmicrosoft.com UPN. -RemoveFromRecycleBin only purges an object that is already in the recycle bin, so soft-delete the user first and then remove it from the recycle bin.
    Remove-MsolUser -UserPrincipalName <user>@<tenant>.onmicrosoft.com -Force
    Remove-MsolUser -UserPrincipalName <user>@<tenant>.onmicrosoft.com -RemoveFromRecycleBin -Force
    
  6. Set the new ImmutableID on the remaining (In Cloud) account. This only succeeds on a cloud-only user, and it is the value Azure AD Connect will match the AD object against, so double-check that the UPN belongs to the same person as the AD account before binding them.

    Set-MsolUser -UserPrincipalName <user>@<domain> -ImmutableId $immutableID
    
  7. Run an Azure AD Connect synchronisation cycle

You should then find that the sync errors go away and the Office 365 accounts show as Synchronized.
If you need to run this for multiple accounts, you can wrap steps 3 to 6 in a foreach loop such as this.

Connect-MsolService -Credential (Get-Credential)

$users = Get-ADUser -Filter * -SearchBase 'OU=temp,DC=mydomain,DC=local'

foreach($user in $users){
    # objectGUID of the AD account: the value Azure AD Connect uses as the source anchor
    $guid = $user.ObjectGUID
    $immutableID = [System.Convert]::ToBase64String($guid.ToByteArray())
    # the synced duplicate carries the tenant's onmicrosoft.com UPN; soft-delete it, then purge it
    $duplicateUPN = "$($user.SamAccountName)@mydomain.onmicrosoft.com"
    Remove-MsolUser -UserPrincipalName $duplicateUPN -Force
    Remove-MsolUser -UserPrincipalName $duplicateUPN -RemoveFromRecycleBin -Force
    Set-MsolUser -UserPrincipalName $user.UserPrincipalName -ImmutableId $immutableID
}
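The loop above deletes by UPN alone and binds whatever cloud account has the user's UPN, which is risky when you are permanently deleting objects and hard-linking identities: a wrong ImmutableID attaches an AD account to someone else's mailbox. The following is an added example, not code from the original post, that wraps steps 3 to 7 in a function which decodes the existing ImmutableID back to a GUID and refuses to delete or re-bind unless the cloud objects really correspond to the AD object. It keeps the page's MSOnline cmdlets (Microsoft has since deprecated that module in favour of Microsoft Graph PowerShell), assumes the ActiveDirectory module is available, assumes the final sync is triggered on the Azure AD Connect server itself, and uses the assumed names 'OU=temp,DC=mydomain,DC=local' and 'mydomain.onmicrosoft.com'.

```powershell
# Added example, not part of the original post. Assumes the MSOnline and ActiveDirectory
# modules, and that the script runs on the Azure AD Connect server (for the ADSync module).
# $TempOU and $TenantDomain are assumed names; replace them with your own.
Import-Module ActiveDirectory
Import-Module MSOnline

$TempOU       = 'OU=temp,DC=mydomain,DC=local'
$TenantDomain = 'mydomain.onmicrosoft.com'

# ImmutableID is the Base64 encoding of the objectGUID's byte array, the same
# encoding Azure AD Connect uses for its sourceAnchor.
function ConvertTo-ImmutableId([guid]$ObjectGuid) {
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

# Reverse conversion, used to check which AD object a cloud account is bound to.
function ConvertFrom-ImmutableId([string]$ImmutableId) {
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

function Repair-SyncedIdentity {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] $AdUser,                 # one object from Get-ADUser
        [Parameter(Mandatory)] [string]$TenantDomain    # e.g. mydomain.onmicrosoft.com
    )

    $immutableId  = ConvertTo-ImmutableId $AdUser.ObjectGUID
    $duplicateUpn = "$($AdUser.SamAccountName)@$TenantDomain"
    $targetUpn    = $AdUser.UserPrincipalName

    # Guard 1: the account we are about to bind must be cloud-only. If it already has
    # an ImmutableId, either it is already correct or it belongs to another AD object.
    $target = Get-MsolUser -UserPrincipalName $targetUpn -ErrorAction Stop
    if ($target.ImmutableId) {
        $bound = ConvertFrom-ImmutableId $target.ImmutableId
        if ($bound -eq $AdUser.ObjectGUID) {
            Write-Verbose "$targetUpn is already bound to $($AdUser.ObjectGUID); nothing to do"
            return
        }
        throw "$targetUpn is synced from a different AD object ($bound); refusing to re-bind"
    }

    # Guard 2: only purge a duplicate whose ImmutableId decodes to this AD object's
    # objectGUID; a matching UPN alone is not proof that it is the synced stub.
    $duplicate = Get-MsolUser -UserPrincipalName $duplicateUpn -ErrorAction SilentlyContinue
    if ($duplicate) {
        if (-not $duplicate.ImmutableId -or
            (ConvertFrom-ImmutableId $duplicate.ImmutableId) -ne $AdUser.ObjectGUID) {
            throw "$duplicateUpn is not the synced duplicate of $($AdUser.ObjectGUID); refusing to delete"
        }
        if ($PSCmdlet.ShouldProcess($duplicateUpn, 'Permanently delete synced duplicate')) {
            # Soft delete first; -RemoveFromRecycleBin then purges it so the
            # objectGUID is free to be matched to the remaining account.
            Remove-MsolUser -UserPrincipalName $duplicateUpn -Force
            Remove-MsolUser -UserPrincipalName $duplicateUpn -RemoveFromRecycleBin -Force
        }
    }

    if ($PSCmdlet.ShouldProcess($targetUpn, "Set ImmutableId to $immutableId")) {
        Set-MsolUser -UserPrincipalName $targetUpn -ImmutableId $immutableId
    }

    [pscustomobject]@{
        SamAccountName = $AdUser.SamAccountName
        Upn            = $targetUpn
        ObjectGUID     = $AdUser.ObjectGUID
        ImmutableId    = $immutableId
    }
}

Connect-MsolService -Credential (Get-Credential)

# Run with -WhatIf first to see what would be deleted and bound without changing anything.
$results = Get-ADUser -Filter * -SearchBase $TempOU |
    ForEach-Object { Repair-SyncedIdentity -AdUser $_ -TenantDomain $TenantDomain -Verbose }
$results | Format-Table -AutoSize

# Step 7: trigger a sync cycle on the Azure AD Connect server. If the errors persist
# after a delta run, repeat with -PolicyType Initial.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
```

Because the function declares SupportsShouldProcess with a high ConfirmImpact, each permanent deletion prompts for confirmation by default; add -Confirm:$false once a -WhatIf pass has shown the expected objects. The round-trip through ConvertFrom-ImmutableId is the check that matters: it turns "this UPN looks like a duplicate" into "this cloud object is provably anchored to this AD objectGUID" before anything is deleted.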
