Reactivate AD directory synchronization for an Office 365 account by changing the ImmutableID

Problem:

My infrastructure uses directory synchronization between AD and Office 365. Recently an AD user was mistakenly deleted, a new AD account was created and the Office 365 account was recovered. However, the sync type of the recovered account was “In Cloud” rather than the normal “Synced with Active Directory”, because the ImmutableID no longer matched.

Cause:

Directory synchronization uses a unique ID, called the “ImmutableID” (the sourceAnchor on the sync side), to match the AD and Office 365 accounts up. It is derived from the AD account's objectGUID: the ImmutableID is the base64 encoding of the GUID's 16 raw bytes.

When the new AD account was created it had a different objectGUID, so the AD and Office 365 accounts no longer had a matching “ImmutableID”.

Resolution:

We are going to find the objectGUID of the new AD account and use PowerShell to change the “ImmutableID” on the recovered Office 365 account so that it matches the new AD account's objectGUID.

Finding the new AD account's ImmutableID

There are two ways to do this.

Method 1

Because I had created the new AD account with the same email address as the deleted one, when directory synchronization ran I received an “Identity synchronization Error Report” email from MSOnlineServicesTeam. This email actually contains the ImmutableID of the new AD account in the “sourceAnchor” column.


Method 2

  • On a domain controller or a computer with the Remote Server Administration Tools installed, open ADSI Edit.
  • Find the user and open its properties.
  • On the “Attribute Editor” tab find and copy the distinguishedName.


  • Run the following command, replacing the DN with the one from the previous step:
ldifde -d "CN=Someone,OU=Users,DC=someplace,DC=com" -f c:\User.txt
  • Open the text file you created and copy the user's objectGUID. ldifde exports binary attributes base64-encoded (the line reads objectGUID:: followed by the value), so the string you copy is already in ImmutableID form and can be used as-is in the Set-MsolUser command below.


Changing the Office 365 account's ImmutableID

You will need to run the following on a computer with “Microsoft Online Services Sign-in Assistant for IT Professionals RTW” and “Windows Azure Active Directory Module for Windows PowerShell” installed. Note that this MSOnline module has since been deprecated by Microsoft; the equivalent in Microsoft Graph PowerShell is Update-MgUser with the -OnPremisesImmutableId parameter.

Checking what the current ImmutableID is

Change the UserPrincipalName to the Office 365 username (user@example.com is a placeholder).

Import-Module MSOnline
Connect-MsolService

<<enter your Office365 credentials>>

Get-MsolUser -UserPrincipalName user@example.com | Format-Table DisplayName, UserPrincipalName, ImmutableId

Changing the Office 365 user's ImmutableID

Change the UserPrincipalName and ImmutableID as needed (both values below are placeholders). This only works while the Office 365 account is still “In Cloud”; the ImmutableID of an account that is already synced cannot be changed from the cloud side.

Import-Module MSOnline
Connect-MsolService

<<enter your Office365 credentials>>

Set-MsolUser -UserPrincipalName user@example.com -ImmutableId "TifXxxxxxxxxxxQg=="

Finally, run a directory synchronization; after a couple of minutes the Office 365 sync type will change to “Synced with Active Directory”.
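Putting the steps above together, here is an added PowerShell example (not from the original post) that reads the new AD account's objectGUID, derives the ImmutableID from it the same way the sync engine does, decodes what the Office 365 account currently carries so the mismatch is visible, and only then calls Set-MsolUser. The account names, and the presence of the ActiveDirectory (RSAT) module and the MSOnline module, are assumptions.

```powershell
# Added example: align the Office 365 ImmutableID with a re-created AD account.
# Assumes the ActiveDirectory module (RSAT) and the MSOnline module are installed.
# $adSamAccountName and $cloudUpn are placeholders, not values from the post.
Import-Module ActiveDirectory
Import-Module MSOnline

$adSamAccountName = 'jsmith'              # new AD account (assumption)
$cloudUpn         = 'jsmith@contoso.com'  # recovered Office 365 account (assumption)

# 1. Read the objectGUID of the new AD account and derive the ImmutableID.
#    The ImmutableID/sourceAnchor is the base64 of the GUID's 16 raw bytes,
#    i.e. the same string ldifde prints after "objectGUID::".
$adUser = Get-ADUser -Identity $adSamAccountName -Properties ObjectGUID
$expectedImmutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

# 2. Read what the cloud account currently carries.
Connect-MsolService
$cloudUser = Get-MsolUser -UserPrincipalName $cloudUpn -ErrorAction Stop

# Decode the current value back to a GUID so the two sides can be compared by eye.
$currentGuid = if ($cloudUser.ImmutableId) {
    [Guid][Convert]::FromBase64String($cloudUser.ImmutableId)
} else {
    'none (In Cloud account)'
}

"AD objectGUID        : {0}" -f $adUser.ObjectGUID
"Cloud ImmutableID    : {0} ({1})" -f $cloudUser.ImmutableId, $currentGuid
"Expected ImmutableID : {0}" -f $expectedImmutableId

# 3. Change the cloud side only if it is actually wrong.
if ($cloudUser.ImmutableId -ne $expectedImmutableId) {
    Set-MsolUser -UserPrincipalName $cloudUpn -ImmutableId $expectedImmutableId
    Write-Host "ImmutableID set; run a sync cycle and the account should show 'Synced with Active Directory'."
} else {
    Write-Host "ImmutableID already matches; nothing to change."
}
```

Deriving the value from the GUID rather than pasting it from an email or an ldifde export removes the most common failure in this procedure, a copy-and-paste error in the base64 string, and the decode step makes it obvious when the cloud account still points at the deleted account's GUID.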
