Reconnecting Cloud Users with Old/Previous/Moved AD User Objects


For those admins who have been around the Microsoft Cloud Services, such as BPOS and Office 365 2010, you may remember the issue where DirSync takes a user object, takes its objectGUID, double-base-64 encodes it and sends it to the cloud as a sourceAnchor. This sourceAnchor flags the user as being synchronized by DirSync and managed by an on-premises Active Directory.

For those admins who are moving, or have moved, users from one Active Directory forest to another, the objectGUID changes while the online user keeps the old objectGUID/sourceAnchor. So, what do you do to reconnect the cloud user with the new AD user? You leverage Set-MsolUser and set their -ImmutableID, which allows DirSync to hard-match (AD objectGUID == sourceAnchor) and take over management of this cloud object. If the sourceAnchor does not exist in the cloud, then DirSync does a soft-match based on SMTP address(es), and if there is a match, DirSync takes over management. BUT in this particular scenario the existing sourceAnchor overrides the soft-match approach, which is why the -ImmutableID option must be used.

Steps to Set -ImmutableID

Allowing DirSync, AAD Sync, AAD Connect to Take Over Management

  1. Move the user to the new forest.
  2. Take their objectGUID, found in Active Directory Users and Computers -> Advanced View -> Attribute Editor tab in the user object's Properties, OR use ADSIEdit, and use this site to convert the "objectGUID" to a "sourceAnchor", which will then be set as the -ImmutableID.
    1. http://guid-convert.appspot.com/
  3. Use Set-MsolUser -ImmutableID to set the converted GUID from the step above (Get-MsolUser shows the current value). Reference to command parameters: https://msdn.microsoft.com/en-us/library/azure/dn194136.aspx
    1. Set-MsolUser -UserPrincipalName upn@company.com -ImmutableID "xxxxxxxxx"
  4. Launch DirSync/Sync/Connect and allow it to hard match on the user in the cloud; this Office 365 user is now under DirSync/Sync/Connect control.
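The conversion and hard-match set-up above, as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory and MSOnline modules are installed and Connect-MsolService has already run; the function names, the sAMAccountName and the UPN are placeholders.

```powershell
# Added example, not from the original post. The sourceAnchor/ImmutableID that
# DirSync / AAD Sync / AAD Connect compare against is the base64 encoding of the
# objectGUID's 16 bytes, which is what the conversion web site in step 2 produces.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Reverse direction: decode a cloud ImmutableId back to the objectGUID it was built from
    param([Parameter(Mandatory)][string]$ImmutableId)
    New-Object guid -ArgumentList (,[Convert]::FromBase64String($ImmutableId))
}

function Set-HardMatchAnchor {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,    # user object in the NEW forest
        [Parameter(Mandatory)][string]$UserPrincipalName  # the cloud user to reconnect
    )
    $adUser   = Get-ADUser -Identity $SamAccountName
    $expected = ConvertTo-ImmutableId -ObjectGuid $adUser.ObjectGUID
    $msolUser = Get-MsolUser -UserPrincipalName $UserPrincipalName

    if ($msolUser.ImmutableId -eq $expected) {
        Write-Host "ImmutableId already matches objectGUID $($adUser.ObjectGUID); nothing to do."
        return
    }
    if ($msolUser.ImmutableId) {
        # Show which old-forest objectGUID the stale anchor decodes to before overwriting it,
        # so the change can be checked against the old forest and recorded.
        $old = ConvertFrom-ImmutableId -ImmutableId $msolUser.ImmutableId
        Write-Host "Replacing stale anchor for old objectGUID $old"
    }
    # Set-MsolUser will not change ImmutableId while the cloud object is still flagged
    # as directory-synchronized; the object must be cloud-managed at this point.
    Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId $expected
    Write-Host "Set ImmutableId to $expected; run a sync cycle so the tool hard-matches."
}

# Usage (placeholder values):
# Set-HardMatchAnchor -SamAccountName 'jdoe' -UserPrincipalName 'jdoe@company.com'
```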

One thought on "Reconnecting Cloud Users with Old/Previous/Moved AD User Objects"

    michaelpopovici said:
    February 13, 2015 at 2:07 pm

    Funny that you post this today. I had to research this due to a fire drill just this morning.

    This is also relevant to when you have an AD account that was deleted and can’t be recovered for whatever reason. You can recreate the account, but need to set the ImmutableID.

    This Office365 thread goes over this. http://community.office365.com/en-us/f/613/t/272300.aspx
