Manually link on-premises AD-user to existing Microsoft 365 user

When working with Azure Active Directory Connect (AAD Connect, now Microsoft Entra Connect) you may end up with duplicate accounts because the ImmutableID of the cloud user no longer matches the source anchor of the on-premises user. The same problem appears when you give a user a new account in the local Active Directory that should take over an existing cloud account. In both cases the link between the on-premises object and the cloud object has to be re-established by hand.

By definition, “immutable” means “unable to be changed”, which should already be a warning that this value has to be handled with care. Active Directory has no primary key in the database sense, but it does have attributes whose value is never supposed to change. The best known one is the Security Identifier (SID). SIDs are unique within the forest and are assigned only to security principals (users, groups and computers), not to contacts or other object types. The other candidate is the objectGUID, a 128-bit value generated when the object is created that is, for all practical purposes, unique across every Active Directory forest worldwide. AAD Connect uses the objectGUID (or mS-DS-ConsistencyGuid, which it seeds from the objectGUID on first sync) as the sourceAnchor, and stores the base64 encoding of those 16 bytes on the cloud object as the ImmutableID. That is the value we will re-establish by telling the cloud account which on-premises GUID it belongs to. Be aware of what you are doing: whoever can set ImmutableID on a cloud user decides which on-premises identity takes over that user's mailbox, licenses and group memberships, so the change needs tenant admin rights and should be made only after you have verified you have the right GUID and the right cloud account.

In the example, we are going to recreate a locally synced user and link it to the existing cloud account. The process consists of 8 steps:

Step 1
Delete the user account from Active Directory and perform a sync so that the user is also removed from Microsoft 365. The cloud account moves to the Deleted users area under Users in the Microsoft 365 admin center, where it is kept for 30 days before it is permanently removed.

Step 2
In the Microsoft 365 admin center restore the user from the “Deleted users” area. After the account is restored the user shows up as “In cloud” instead of “Synced with Active Directory”.

Step 3
Recreate the account in Active Directory. Make sure the user principal name matches the cloud UPN, that the E-mail field (the mail attribute) is filled in, and that proxyAddresses contains the primary address as SMTP: in capitals (for example SMTP:someone@fakedomain.com); both can be set from the user object properties and the Attribute Editor tab.

Step 4
Open the Active Directory user object properties and the Attribute Editor tab. Search for distinguishedName and copy the value.
Launch an elevated Command Prompt and export the object (-d is the base DN to export, -f the output file):

ldifde -d "CN=Someone,OU=Users,DC=fakedomain,DC=com" -f c:\Temp\User.txt

Step 5
Open the text file you created in the previous step and search for objectGUID, e.g. objectGUID:: 4WyTAyLmfx3ehSyVaQLSKw== (the double colon means ldifde has already base64-encoded the binary value, which is exactly the form the ImmutableID needs).

Step 6
Open PowerShell and update the cloud user's ImmutableID with the objectGUID of the AD domain user you copied in Step 5.
Launch PowerShell in elevated mode, connect to the tenant with Connect-MsolService (the MSOnline module is deprecated; the Microsoft Graph equivalent is Update-MgUser with -OnPremisesImmutableId), and run:

Set-MsolUser -UserPrincipalName someone@fakedomain.com -ImmutableId "4WyTAyLmfx3ehSyVaQLSKw=="

Step 7
In PowerShell check that the new ImmutableID has been applied:

Get-MsolUser -UserPrincipalName someone@fakedomain.com | Format-Table DisplayName,ImmutableId

Step 8
Start a delta synchronization on the AAD Connect server and check that the hard match of the account was successful. The cloud user will again show up as “Synced with Active Directory”. If the sync reports a conflict instead, the usual cause is a second cloud object that already carries the same ImmutableID or the same proxy address.
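The following script is an added example, not code from the original post. It performs steps 4 to 8 from PowerShell on the AAD Connect server instead of reading the GUID out of an ldifde dump: it computes the base64 ImmutableID directly from the AD object, checks that the encoding round-trips, checks that no other cloud user already carries that anchor, stamps the cloud user and triggers a delta sync. It assumes the RSAT ActiveDirectory module, the MSOnline module and the ADSync module are installed, and the account names someone / someone@fakedomain.com are the hypothetical user from the article.

```powershell
# Added example (not the article's own code). Assumes the ActiveDirectory,
# MSOnline and ADSync modules are available and that the hypothetical user
# "someone" / "someone@fakedomain.com" is the account being re-linked.
param(
    [string]$SamAccountName = 'someone',
    [string]$CloudUpn       = 'someone@fakedomain.com'
)

Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService   # interactive sign-in as a tenant administrator

# 1. Read the on-premises object, including the attributes the match depends on.
$adUser = Get-ADUser -Identity $SamAccountName `
    -Properties objectGUID, 'mS-DS-ConsistencyGuid', mail, proxyAddresses, userPrincipalName

if ($adUser.userPrincipalName -ne $CloudUpn) {
    Write-Warning "On-prem UPN $($adUser.userPrincipalName) differs from cloud UPN $CloudUpn"
}

# 2. The ImmutableID is the base64 encoding of the 16 raw GUID bytes; this is
#    the same string ldifde shows after "objectGUID::" in its export.
$immutableId = [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())

# 3. Sanity-check the encoding by decoding it back to the original GUID.
$roundTrip = [guid]::new([System.Convert]::FromBase64String($immutableId))
if ($roundTrip -ne $adUser.ObjectGUID) { throw 'base64 round-trip of objectGUID failed' }

# 4. If AAD Connect uses mS-DS-ConsistencyGuid as source anchor and has already
#    stamped a different value (e.g. an object migrated between forests), that
#    value, not the objectGUID, is what the cloud object must carry.
if ($adUser.'mS-DS-ConsistencyGuid') {
    $anchor = [System.Convert]::ToBase64String([byte[]]$adUser.'mS-DS-ConsistencyGuid')
    if ($anchor -ne $immutableId) {
        Write-Warning "mS-DS-ConsistencyGuid ($anchor) differs from objectGUID; using it as ImmutableId"
        $immutableId = $anchor
    }
}

# 5. Refuse to continue if another cloud object already carries this anchor:
#    two objects with the same ImmutableId produce a sync conflict, and setting
#    it on the wrong account would hand that account to this AD user.
$clash = Get-MsolUser -All |
    Where-Object { $_.ImmutableId -eq $immutableId -and $_.UserPrincipalName -ne $CloudUpn }
if ($clash) { throw "ImmutableId $immutableId is already used by $($clash.UserPrincipalName)" }

# 6. Stamp the cloud user and read the value back (steps 6 and 7 of the article).
Set-MsolUser -UserPrincipalName $CloudUpn -ImmutableId $immutableId
Get-MsolUser -UserPrincipalName $CloudUpn |
    Format-Table DisplayName, UserPrincipalName, ImmutableId

# 7. Trigger a delta sync (step 8); run this on the AAD Connect server.
Start-ADSyncSyncCycle -PolicyType Delta
```

The Get-MsolUser -All scan in step 5 walks the whole tenant, which is slow on large directories, but it is the check that prevents the most damaging mistake with this procedure. On tenants that have moved off MSOnline, replace the Set-MsolUser line with Update-MgUser -UserId $CloudUpn -OnPremisesImmutableId $immutableId from the Microsoft.Graph.Users module; the rest of the script is unchanged.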
