Reconnecting Cloud Users with Old/Previous/Moved AD User Objects


For those admins who have been around the Microsoft Cloud Services, such as BPOS and Office 365 2010, you may remember how DirSync takes a user object, takes its objectGUID, double-base-64 encodes it and sends it to the cloud as a sourceAnchor. This sourceAnchor flags the user as being synchronized by DirSync and managed by an on-premises Active Directory.

For those admins who are moving or have moved from one Active Directory Forest to another, the objectGUID changes while the online user keeps the old objectGUID/sourceAnchor. So, what do you do to reconnect the cloud user with the new AD user? You use Set-MsolUser to set their -ImmutableID, which allows DirSync to hard-match (AD objectGUID == sourceAnchor) and take over management of the cloud object. If the sourceAnchor does not exist in the cloud, DirSync does a soft-match based on SMTP address(es), and if there is a match DirSync takes over management. BUT in this particular scenario the existing sourceAnchor overrides the soft-match approach, which is why the -ImmutableID option must be used.

Steps to Set -ImmutableID

Allowing DirSync, AAD Sync, AAD Connect to Take Over Management

  1. Move user to new forest
  2. Take their objectGUID, found in Active Directory Users and Computers –> Advanced View –> Attribute Editor tab of the user object's Properties, OR via ADSIEdit, and use this site to convert the "objectGUID" to a "sourceAnchor", which will then be set as the -ImmutableID.
    1. http://guid-convert.appspot.com/
  3. Use Set-MsolUser -ImmutableID with the converted GUID from the step above. Reference to command parameters: https://msdn.microsoft.com/en-us/library/azure/dn194136.aspx
    1. Set-MsolUser -UserPrincipalName upn@company.com -ImmutableId "xxxxxxxxx"
  4. Launch DirSync/Sync/Connect and allow it to hard match the user in the cloud; this Office 365 user is now under DirSync/Sync/Connect control.
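The steps above done in one PowerShell run, as an added example that is not part of the original post: it derives the sourceAnchor value from the on-premises objectGUID (a single Base64 encoding of the GUID's 16 bytes, which is what the linked converter produces), compares it with the stale value on the cloud object, and sets the ImmutableID only when they differ. The sAMAccountName and UPN are placeholders, and the ActiveDirectory and MSOnline modules are assumed to be loaded with Connect-MsolService already run.

```powershell
# Added example (not from the original post). Placeholders: sAMAccountName and UPN.
$samAccountName = 'jdoe'
$upn            = 'jdoe@company.com'

# objectGUID comes back as a [guid]; the sourceAnchor/ImmutableID is the Base64
# of its 16 raw bytes (same result as the guid-convert site linked above).
$adUser      = Get-ADUser -Identity $samAccountName -Properties objectGUID
$immutableId = [System.Convert]::ToBase64String($adUser.objectGUID.ToByteArray())

# Sanity check before touching the cloud object: the value must decode to exactly 16 bytes.
if ([System.Convert]::FromBase64String($immutableId).Length -ne 16) {
    throw "Unexpected ImmutableID length for $upn; refusing to set it"
}

# Show the stale anchor from the old forest next to the new one so the change is auditable.
$cloudUser = Get-MsolUser -UserPrincipalName $upn
Write-Host "Cloud ImmutableID : $($cloudUser.ImmutableId)"
Write-Host "New AD anchor     : $immutableId"

if ($cloudUser.ImmutableId -eq $immutableId) {
    Write-Host 'ImmutableID already matches the new forest object; nothing to do.'
} else {
    Set-MsolUser -UserPrincipalName $upn -ImmutableId $immutableId
    Write-Host 'ImmutableID updated. Run a sync cycle so the hard match can complete.'
}
```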

Reporting on Office 365 Online Users with Services and Licensing Status


For those Online Administrators who need to account for Online Users and the Services they are assigned, along with enabled services, this email is for you!  The below is provided as-is and should be placed into a .ps1 PowerShell file, so you can run these commands against the Microsoft Online Services.  The end result will be a .csv (spreadsheet) file that outputs all the relevant information:

…special thanks to Mauricio O. for the following information!

Steps to Run


  1. Make sure you have installed the following prerequisites:
    1. Sign-In Assistant – Note: Even though the download states BETA, it is the proper SIA: http://www.microsoft.com/en-us/download/details.aspx?id=39267
    2. Windows Azure Active Directory Module for Windows PowerShell: https://portal.office.com/default.aspx#@/IdentityFederation/IdentityFederation.aspx
  2. Start –> Run: Notepad
    1. Copy the text below into Notepad
      1. Replace <user> with the location where you want to save the output .csv spreadsheet file!


      $UserCredential = Get-Credential
      Connect-MsolService -Credential $UserCredential

      write-host "Getting a list of users with their assigned licenses. Can take a while"

      $withlicense = get-msoluser -all | where {$_.islicensed}

      write-host "Tenant contains $($withlicense.count) licensed users. Generating report in c:\users\<user>\desktop\report.csv"

      "UPN,Product,Status" | out-file "c:\users\<user>\desktop\report.csv" -Append

      foreach ($usr in $withlicense) {
          # Every assigned license carries one ServiceStatus entry per service plan
          $status = $usr.Licenses | foreach { $_.ServiceStatus }
          $status | %{
              # One CSV row per service: UPN, service plan name, provisioning status
              $licstatus = $usr.UserPrincipalName + "," + $_.ServicePlan.ServiceName + "," + $_.ProvisioningStatus
              $licstatus | out-file "c:\users\<user>\desktop\report.csv" -Append
          }
      }



  3. Save-As and set the File Type to All and add a .ps1 file extension to the file name
  4. Open PowerShell and run the script, such as: c:\users\<user>\Desktop> .\OnlineuserReport.ps1
  5. The output is all placed into a single column, so the best option here is to open the .csv file via Excel with File –> Open to review and massage the data!
  6. Launch Excel
  7. File –> Open and open the file
  8. Select Delimited –> Next
  9. Uncheck Tab and select Comma as the Delimiter –> Next
  10. Finish
  11. This will open the spreadsheet with the different data in different columns, making it easier to read, review, filter, etc.


Legend of Column #3

  1. Pending Input = Needs attention from Admin to assign license
  2. Disabled = Disabled
  3. Success = Activated and enabled with Service, service listed in 2nd column
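An added example (not from the original post or from Mauricio O.'s script) that builds the same UPN/Product/Status report as objects and writes it with Export-Csv, so Excel opens it directly in columns without the delimiter wizard, and then lists the users whose services sit in the Pending Input state from the legend. It assumes Connect-MsolService has already run; the output path is a placeholder.

```powershell
# Added example, not part of the original post. Output path is a placeholder.
$reportPath = "$env:USERPROFILE\Desktop\report.csv"

# One object per (user, service plan); ProvisioningStatus is PendingInput / Disabled / Success.
$rows = foreach ($usr in (Get-MsolUser -All | Where-Object { $_.IsLicensed })) {
    foreach ($lic in $usr.Licenses) {
        foreach ($svc in $lic.ServiceStatus) {
            [PSCustomObject]@{
                UPN     = $usr.UserPrincipalName
                Product = $svc.ServicePlan.ServiceName
                Status  = $svc.ProvisioningStatus
                Sku     = $lic.AccountSkuId
            }
        }
    }
}

# Export-Csv quotes and delimits properly, so no manual "Text to Columns" step is needed.
$rows | Export-Csv -Path $reportPath -NoTypeInformation
Write-Host "Wrote $($rows.Count) rows to $reportPath"

# Triage view: users that still have services waiting on admin input, most pending first.
$rows | Where-Object { $_.Status -eq 'PendingInput' } |
    Group-Object UPN |
    Select-Object @{n='UPN';e={$_.Name}}, @{n='PendingServices';e={$_.Count}} |
    Sort-Object PendingServices -Descending |
    Format-Table -AutoSize
```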

Tracking Exchange Online Client Connections/Versions



For those Exchange Online administrators who need to keep up with the devices and mail applications being used when connecting with their Exchange Online Mailbox, this post is for you!

Exchange Online provides many remote PowerShell scripts and cmdlets that can be used not only to view/review information, but also to create and write updates, modifications and changes to everything from mailboxes to mail users (contacts) to groups and policies!

Connect to Exchange Online


Once connected as an Exchange Online Administrator (typically also an Office 365 Global Admin), you can use the following command to determine the different devices/protocols/applications being used when connecting to Exchange Online mailboxes. To run it and see the output in the PowerShell window, simply run:

Get-ConnectionByClientTypeDetailReport | select Username,ClientType

To save the content into a file for later review instead, append a redirect such as "> c:\temp\EXO_Client_Connection_Type.csv":

Get-ConnectionByClientTypeDetailReport | select Username,ClientType > c:\temp\EXO_Client_Connection_Type.csv

Example Output

UserName ClientType
RyBread J. Phillips MAPI
TestUserB EAS
TestUserC EAS
TestUserA EAS
RyBread J. Phillips EAS
RyBread J. Phillips EWS
RyBread J. Phillips MAPI
TestUserA OWA
TestUserA OWA
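An added example (not from the original post) that takes the same report and turns the raw per-connection rows, like the output above, into a per-user/per-client-type summary written with Export-Csv (the ">" redirect writes formatted table text, not a real CSV), and flags users seen on more than one client type. It assumes the Exchange Online remote session is already imported; the output path is a placeholder.

```powershell
# Added example, not part of the original post. Output path is a placeholder.
$outPath = 'C:\temp\EXO_Client_Connection_Summary.csv'

$connections = Get-ConnectionByClientTypeDetailReport | Select-Object UserName, ClientType

# Collapse the per-connection rows into one row per (user, client type) with a count.
$summary = $connections |
    Group-Object UserName, ClientType |
    ForEach-Object {
        [PSCustomObject]@{
            UserName    = $_.Group[0].UserName
            ClientType  = $_.Group[0].ClientType
            Connections = $_.Count
        }
    } | Sort-Object UserName, ClientType

$summary | Export-Csv -Path $outPath -NoTypeInformation

# Totals per protocol/application (EAS, MAPI, EWS, OWA, ...), largest first.
$connections | Group-Object ClientType | Sort-Object Count -Descending |
    Select-Object @{n='ClientType';e={$_.Name}}, Count | Format-Table -AutoSize

# Users observed on more than one client type, e.g. "RyBread J. Phillips: EAS, EWS, MAPI".
$summary | Group-Object UserName | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "$($_.Name): $(($_.Group.ClientType | Sort-Object) -join ', ')" }
```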

Unable to Post Photo to Microsoft Online Office 365 Portal (MOP)


As an Office 365 Online Administrator (2010 Services), you may have found that users who are being synchronized into your Online Tenant via Directory Synchronization are not able to upload a photo of themselves.

Note that when users are being synchronized, the majority of attributes and settings are "mastered" in the on-premises Active Directory. The photo attribute is called thumbnailPhoto within Active Directory, so for synchronized users the photo must be populated on the user's on-premises Active Directory object, from where it is then synchronized into your Online Tenant.


Example PowerShell thumbNailPhoto Upload

# Read the JPEG as raw bytes and write it to the user's thumbnailPhoto attribute
# (requires the ActiveDirectory module; replace "Alias" with the user's sAMAccountName)
Import-Module ActiveDirectory
$photo = [byte[]](Get-Content C:\temp\photo.jpg -Encoding byte)
Set-ADUser -Identity Alias -Replace @{thumbnailPhoto=$photo}

Attempting to Convert Office 365 Domain to Federated May Result In: Microsoft.Online.Administration.Automation.IdentityInternalServiceException



When an Office 365 administrator attempts to convert their Office 365 "Managed" domain (user credentials stored in the cloud) to Federated (authentication and credentials handled by an on-premises Active Directory), they may run into the following error:

Convert-MSOLDomainToFederated : Microsoft.Online.Administration.Automation.IdentityInternalServiceException
At line:1 char:30
+ Convert-MSOLDomainToFederated <<<<
+ CategoryInfo : notSpecified: (:) [Convert-MSOLDomainToFederated]
, FederationException
+ FullyQualifiedErrorId: Microsoft.Online.Administration.Automatition.IdentityInternetServiceException, Microsoft.Online.Identity.Federation.PowerShell.ConvertDomainToFederated


Possible Reason

Administrators may have modified the PasswordExpirationPolicy, which defines how long online user passwords remain valid before the user is forced to change them. The maximum setting for this is 720; if the policy is set above 720, you will hit this error!


  1. Change the Online Tenant's PasswordExpirationPolicy to something less than 720, using the following PowerShell command(s)
    1. Install and connect to Office 365 via Windows PowerShell for Online Services: http://technet.microsoft.com/en-us/library/jj151814.aspx
      1. Log in using an online tenant Global Administrator
  2. Run the following PowerShell command
    1. C:\PS>Set-MsolPasswordPolicy -ValidityPeriod 90 -NotificationDays 14 -DomainName contoso.com
      1. Note – This command updates the policy on the domain contoso.com so that users' passwords will expire after 60 days and that users will receive notification 14 days prior to expiration.
  3. Once the PasswordExpirationPolicy has been updated, wait ~20 minutes, then attempt to convert the Managed domain to Federated using the following:
    1. Convert-MsolDomainToFederated -DomainName contoso.com -SupportMultipleDomain
      1. Note – Only use -SupportMultipleDomain IF you need to support separate/distinct UPN namespaces, such as contoso.com & fabrikam.com. You will need to run the above command once per domain namespace, each time with the -SupportMultipleDomain parameter.
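The check-then-convert sequence above as one script, added here as an example that is not part of the original post: it reads the domain's current password policy, lowers the ValidityPeriod only if it exceeds the 720 ceiling the post describes, waits the recommended ~20 minutes, and then converts the domain only if it is still Managed. The domain name is a placeholder and Connect-MsolService is assumed to have run as a Global Administrator (add -SupportMultipleDomain to the Convert call if your tenant needs it).

```powershell
# Added example, not part of the original post. Domain name is a placeholder.
$domain          = 'contoso.com'
$maxValidityDays = 720

$policy = Get-MsolPasswordPolicy -DomainName $domain
Write-Host "Current policy: ValidityPeriod=$($policy.ValidityPeriod) NotificationDays=$($policy.NotificationDays)"

if ($policy.ValidityPeriod -gt $maxValidityDays) {
    Write-Host "ValidityPeriod exceeds $maxValidityDays; resetting to 90/14 before converting."
    Set-MsolPasswordPolicy -DomainName $domain -ValidityPeriod 90 -NotificationDays 14
    # The post recommends ~20 minutes for the policy change to settle before converting.
    Write-Host 'Waiting 20 minutes for the policy change to propagate...'
    Start-Sleep -Seconds (20 * 60)
}

# Convert only a domain that is still Managed; report the exception text otherwise.
$auth = (Get-MsolDomain -DomainName $domain).Authentication
if ($auth -eq 'Managed') {
    try {
        Convert-MsolDomainToFederated -DomainName $domain -ErrorAction Stop
        Write-Host "$domain converted to Federated."
    } catch {
        Write-Warning "Conversion of $domain failed: $($_.Exception.Message)"
    }
} else {
    Write-Host "$domain authentication is already '$auth'; nothing to convert."
}
```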



Creation & Verification of Multiple Online Domains


For admins who have many custom domains to create and verify, you can either use the manual process or use PowerShell to get these domains up and running in no time at all:


  1. Open a new Microsoft PowerShell for Online Services command-shell and connect into your Office 365 tenant.  Download here if you don’t have a copy:  http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652560.aspx#BKMK_DownloadTheMOSIdentityFederationTool
    1. Connect-MSOLService [use Global Admin credentials]
  2. Create a new domains.txt or domains.csv file (your preference) with one column and a list of all your custom domains.
    1. Column: DomainName
  3. Import-Csv .\domains.txt | foreach { New-MsolDomain -Name $_.DomainName }
  4. Once the above process is complete, export the list of DNS records for each unverified domain:
    1. (Get-MsolDomain -Status Unverified).Name | foreach { Get-MsolDomainVerificationDns -Mode dnstxtrecord -DomainName $_ } | Select-Object Label, Text | Export-Csv DNS.txt
  5. Create your DNS records for each domain based on the information placed into the DNS.txt file, which will be located in the same folder where you run the above command.
  6. Once all DNS records are in place, you can complete this process by confirming all these PowerShell created unverified domains:
    1. (Get-MsolDomain -Status Unverified).Name | foreach { Confirm-MsolDomain -DomainName $_ }

Note – You can only have 50 unverified domains in your online tenant.  If you have more than 50 domains, you should perform these steps in batches of 50.
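The create / export-DNS / confirm steps above wrapped into two functions, added here as an example that is not part of the original post: New-MsolDomainBatch only fills the free slots under the 50-unverified-domain limit (re-run it after confirming to pick up the rest of the list), and Confirm-MsolPendingDomains reports which domains still fail verification. The function names are my own; Connect-MsolService is assumed to have run and domains.csv to have a DomainName column.

```powershell
# Added example, not part of the original post. Function names are my own.
function New-MsolDomainBatch {
    param([string]$CsvPath = '.\domains.csv', [int]$Limit = 50)

    $existing = @((Get-MsolDomain).Name)
    $wanted   = @((Import-Csv $CsvPath).DomainName | Where-Object { $existing -notcontains $_ })
    $pending  = @(Get-MsolDomain -Status Unverified).Count
    $room     = $Limit - $pending
    if ($room -le 0) {
        Write-Warning "Already $pending unverified domains; confirm those before creating more."
        return
    }

    # Fill only the free slots so the tenant never exceeds $Limit unverified domains.
    $batch = @($wanted | Select-Object -First $room)
    foreach ($d in $batch) { New-MsolDomain -Name $d | Out-Null }

    # Export the TXT verification records for just this batch to a timestamped file.
    $dnsFile = ".\DNS-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"
    $batch | ForEach-Object { Get-MsolDomainVerificationDns -DomainName $_ -Mode DnsTxtRecord } |
        Select-Object Label, Text | Export-Csv $dnsFile -NoTypeInformation

    Write-Host "Created $($batch.Count) of $($wanted.Count) remaining domains; TXT records in $dnsFile"
}

# Run after the TXT records are published; domains whose DNS is not visible yet stay unverified.
function Confirm-MsolPendingDomains {
    foreach ($d in @((Get-MsolDomain -Status Unverified).Name)) {
        try   { Confirm-MsolDomain -DomainName $d -ErrorAction Stop; Write-Host "Verified: $d" }
        catch { Write-Warning "Not yet verified: $d ($($_.Exception.Message))" }
    }
}
```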

Connecting into Office 365 through Outbound Internet Authenticating Proxy


Working in Office 365 with PowerShell gives you the option to manage your Online Tenant in a variety of ways, such as Microsoft Online Directory Services (MSODS) for users and security groups, and Exchange Online (EXO365) for mailboxes, contacts and distribution groups. If you are behind an Outbound Internet Proxy Server that requires authentication in order to access the internet, you can use the following approach within your PowerShell commands to authenticate properly and establish your connection to either MSODS or EXO365:

PowerShell Example

Set -ProxyAccessType and -ProxyAuthentication on a New-PSSessionOption object, then pass that object to New-PSSession via -SessionOption when connecting to the tenant. This configures your PowerShell connection to go through your Outbound Internet Proxy server and provide the authentication it needs before reaching your Online Tenant.

As you can see in the $proxyOption line below, the session option pulls your Outbound Internet Proxy settings from your Internet Explorer configuration and specifies Basic authentication for the proxy during the connect. The commands below connect to Exchange Online 365, so you will need to connect via PowerShell to EXO365; the connection strings are documented here: http://help.outlook.com/en-us/140/cc952755.aspx. That page showcases the steps needed to establish a connection, while the lines below introduce the additional parameters/variables that let you work through an Outbound Internet Authenticating Proxy.

  $LiveCred = Get-Credential   # enter your GA credentials at the prompt
  $proxyOption = New-PSSessionOption -ProxyAccessType IEConfig -ProxyAuthentication Basic
  $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $LiveCred -Authentication Basic -AllowRedirection -SessionOption $proxyOption
  Import-PSSession $Session

The -SessionOption parameter brings in the earlier defined $proxyOption variable so the session connects through your Outbound Internet Proxy server and passes the needed authentication. The rest of the commands are specific to connecting to the EXO365 PowerShell endpoint!


In order to use the above information, which are commands to connect into Exchange Online 365, you will first need to establish