Manually match On Premise AD-user to existing Office365 user

Hi

Have you ever been in the situation where there is a mismatch, or no match at all, between your AD users and your O365 users? If so, you know it is not easy to fix. If not, this article can save you a lot of time when you do end up there.


You probably wonder how you get there. Multiple scenarios are possible: an existing O365 tenant that needs to be synced with Active Directory for the first time, a failed installation of Azure AD Connect, a move of Azure AD Connect to another server that does not go well, or simply a bad configuration to start with.


When that is the case, the users in AD do not sync to their corresponding users in O365. Even worse: because no existing O365 user is matched to the AD object, the sync creates a second account for it, with the @domain.onmicrosoft.com suffix. What now?

In theory it is simple: take the ObjectGUID of the AD user, set it as the ImmutableID of the O365 user, and the next sync matches the two instead of creating a duplicate. One caveat: this assumes objectGUID is the source anchor (sourceAnchor) of your Azure AD Connect installation. Newer Azure AD Connect versions default to ms-DS-ConsistencyGuid instead, but Azure AD Connect fills that attribute with the objectGUID when it is empty, so the value is the same unless ms-DS-ConsistencyGuid was already populated with something else. But we all know that in IT, the theory and executing the theory are not the same.


First of all, the ObjectGUID needs to be retrieved from AD. It is easy to find in the user's attributes (Attribute Editor in Active Directory Users and Computers), where it is shown as a GUID string.

Only problem: that is not the format O365 expects. The ImmutableID is not the GUID string but the base64 encoding of the GUID's 16 raw bytes, so we need another way to retrieve the attribute: LDIFDE.

LDIFDE is a tool to export data from and import data into Active Directory. More information can be found at https://support.microsoft.com/en-us/help/555636. Use the following command to export our user (-d takes the distinguished name of the object to export, -f the output file):

ldifde -d "DistinguishedName of the user" -f "c:\temp\exporteduser.txt"

If we open the exported file and look for objectGUID, we see it written as "objectGUID::" followed by a base64 value. The double colon is LDIF's marker for a binary attribute that has been base64-encoded, which is exactly why LDIFDE gives us the right representation.

And that is the format we need to set the ImmutableID in O365.


To set the ImmutableID in O365, connect to the tenant (Connect-MsolService, MSOnline module) and execute the following command in PowerShell:

Set-MsolUser -UserPrincipalName orbid@yourdomain.com -ImmutableId xxx

Replace "xxx" with the base64 ObjectGUID from the text file. This only works while the O365 user is still cloud-only: once a user is synced, its ImmutableID can no longer be changed from the cloud side. On the next Azure AD Connect sync cycle the AD user is matched to this O365 user instead of a new one being created.


Note: this will probably not work the first time. Whenever you have a mismatch, there is a good chance that the ImmutableID from the text file is already assigned to another user, and Set-MsolUser refuses the value because an ImmutableID must be unique within the tenant.

To find which O365 user holds that ImmutableID, execute the following command:

Get-MsolUser -All | Where-Object {$_.ImmutableId -eq "SV+BWQuSnU6tbIK1OqTBAg=="}

Note 2: be aware that O365 also keeps soft-deleted users (in the recycle bin, for 30 days), and those do not show up with the command above. Most of the time the ImmutableID is held by exactly such a deleted user, typically the duplicate @domain.onmicrosoft.com account the failed sync created and you already removed, so the command above returns nothing. To check the deleted users, execute the following command:

Get-MsolUser -All -ReturnDeletedUsers | Where-Object {$_.ImmutableId -eq "SV+BWQuSnU6tbIK1OqTBAg=="}

This gives the same result, but for the deleted users. Hard delete that user (remove it from the recycle bin; a soft delete is not enough, the ImmutableID stays reserved until the object is purged), and then you can set the ImmutableID on the correct user.

Note 3: if you have a lot of users to do, it is pretty easy to script this!
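As an added example (this is not code from the original post), the whole procedure in one PowerShell script: it converts the objectGUID directly to the base64 ImmutableID in PowerShell, which saves the LDIFDE round trip, checks both active and soft-deleted O365 users for a conflicting ImmutableID, hard deletes a soft-deleted holder, and only then sets the ImmutableID. It assumes the ActiveDirectory RSAT module on a domain-joined machine, the MSOnline module with Connect-MsolService already run, objectGUID as the source anchor, and a hypothetical $pairs table mapping the on-premises sAMAccountName to the cloud UPN; the sanity check at the top just decodes the ImmutableID "SV+BWQuSnU6tbIK1OqTBAg==" quoted above back to its GUID and forward again.

```powershell
# Added example, not from the original post. Assumptions: ActiveDirectory RSAT module,
# MSOnline module with Connect-MsolService already run, objectGUID is the Azure AD Connect
# source anchor, and $pairs is a hypothetical sAMAccountName -> cloud UPN mapping.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    # O365 stores the source anchor as the base64 encoding of the GUID's 16 raw bytes;
    # this is the same value LDIFDE writes after "objectGUID::".
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse direction: find out which AD objectGUID a stray ImmutableID points at.
    [guid]::new([System.Convert]::FromBase64String($ImmutableId))
}

# Sanity check of the conversion against the ImmutableID quoted in the post.
$check = ConvertFrom-ImmutableId 'SV+BWQuSnU6tbIK1OqTBAg=='
if ((ConvertTo-ImmutableId $check) -ne 'SV+BWQuSnU6tbIK1OqTBAg==') { throw 'GUID/base64 round trip failed' }
Write-Host "SV+BWQuSnU6tbIK1OqTBAg== is objectGUID $check"

# Hypothetical input: which AD account should end up matched to which cloud user.
$pairs = @{
    'jdoe' = 'jdoe@yourdomain.com'
}

# Fetch the tenant once (Get-MsolUser -All is slow) and index active and soft-deleted
# users by ImmutableID, because the value must be unique across both sets.
$activeByAnchor  = @{}
$deletedByAnchor = @{}
Get-MsolUser -All | Where-Object { $_.ImmutableId } |
    ForEach-Object { $activeByAnchor[$_.ImmutableId] = $_ }
Get-MsolUser -All -ReturnDeletedUsers | Where-Object { $_.ImmutableId } |
    ForEach-Object { $deletedByAnchor[$_.ImmutableId] = $_ }

foreach ($sam in $pairs.Keys) {
    $upn    = $pairs[$sam]
    $adUser = Get-ADUser -Identity $sam            # ObjectGUID is returned by default
    $anchor = ConvertTo-ImmutableId $adUser.ObjectGUID

    # The target must exist and still be cloud-only; a synced user's ImmutableID cannot be changed here.
    $target = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    if (-not $target) { Write-Warning "$upn not found in the tenant; skipping"; continue }
    if ($target.ImmutableId -and $target.ImmutableId -ne $anchor) {
        Write-Warning "$upn already has ImmutableID $($target.ImmutableId); skipping"
        continue
    }

    if ($activeByAnchor.ContainsKey($anchor)) {
        $holder = $activeByAnchor[$anchor]
        if ($holder.UserPrincipalName -eq $upn) { Write-Host "$upn is already matched"; continue }
        # An active holder is usually the duplicate @domain.onmicrosoft.com account the bad
        # sync created. Never delete active accounts blindly: inspect it and remove it yourself.
        Write-Warning "$anchor is held by active user $($holder.UserPrincipalName); resolve manually"
        continue
    }

    if ($deletedByAnchor.ContainsKey($anchor)) {
        # A soft-deleted holder keeps the value reserved; purge it from the recycle bin.
        $holder = $deletedByAnchor[$anchor]
        Write-Host "Hard deleting $($holder.UserPrincipalName) which still holds $anchor"
        Remove-MsolUser -ObjectId $holder.ObjectId -RemoveFromRecycleBin -Force
        $deletedByAnchor.Remove($anchor)
    }

    Set-MsolUser -UserPrincipalName $upn -ImmutableId $anchor
    Write-Host "$sam ($($adUser.ObjectGUID)) -> $upn : ImmutableID set to $anchor"
    $activeByAnchor[$anchor] = $target
}

# Afterwards, force a delta sync on the Azure AD Connect server:
#   Start-ADSyncSyncCycle -PolicyType Delta
```

If ms-DS-ConsistencyGuid is your source anchor and that attribute is already populated, base64-encode its bytes instead of the objectGUID; the rest of the logic is unchanged. The MSOnline module is deprecated; with the Microsoft Graph PowerShell SDK the same property is OnPremisesImmutableId on Update-MgUser, and the uniqueness and recycle-bin rules apply in exactly the same way.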


2 comments on “Manually match On Premise AD-user to existing Office365 user”

  1. Phil says:

    this is EXACTLY what I needed! fixed my issue. THANK YOU.

  2. David says:

    Arne, I assume this only works if the objectguid is the source anchor? -Thanks
