UPN mismatch – ImmutableID fix – AADConnect gone wrong

In relation to my very first article, problems can occur. I had a question from a colleague, about a customer, who was using Office 365 and had a local AD. They where not using AADConnect, and would like to do so.

Challenge no.1, how to “match” the AD users with the Office 365 Cloud users? You can see more about how to do that in my first article here.

Matching up the users isn’t the biggest problem, the biggest problem is all the things that can go wrong, and you end up with sync problems, mails about UPN mismatch and so on.

I’ve come across this issue a few times before, and haven’t found one solution to the problem, but gathered information from 3-4 other articles and sites, mixed in a delicious cocktail of my own experience. That’s why I decided to write-up my own solution to the problem.

This is concerning the UPN mismatch, when an AD object has the same UPN and SMTP address as a cloud object. The mistake can happen for various reasons. The one reason I’ve seen the most, is when an AD object has been attempted synchronized, with the wrong UPN suffix (Office 365 will automatically give it the default UPN of user@tenant.onmicrosoft.com. Once you change the UPN to your public domain, locally and sync it, it will throw a UPN mismatch error in a mail to your admin account

error email

 

And also in the portal ☹

error portal

Once this has happened, you will need to do a little bit of work to get the accounts merged.

I assume you are familiar with signing in to Office 365 via Powershell, you’ll need it in a minute 😊, if not, I’ve included the few steps to get going.

You need to have the Office 365 Powershell module and the sign in client. You can download both here

This is the simple logon “script” I use. Logon with your Global Admin credentials to your tenant.

$O365Cred = Get-Credential

Import-Module MSOnline

Connect-MsolService –Credential $O365Cred

$O365Session = New-PSSession –ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection

Import-PSSession $O365Session

 

Next, import the Active Directory CMDLets

Import-Module ActiveDirectory

 

In my lab setup, I have AADConnect installed on a Domain Controller (This is now fully supported by Microsoft btw 😉)

Now, we are ready to go.

First of, if you have set up your AADConnect with OU filtering, your fine, if not, create a new OU, that is NOT synced with your tenant.

  1. Move the user you are having trouble with, to an OU that is not synced. In my case the user is Test User 5 (tu05)
  2. Force a sync
    • Start-ADSyncSyncCycle -PolicyType Delta
  3. Your synced user should now be in the deleted folder in Office 365. You need to delete it from the recycle bin.
    • Remove-MsolUser -UserPrincipalName tu05@omg365.onmicrosoft.com -RemoveFromRecycleBin

deleted user

Next, we need to run a series of Powershell cmdlets, to extract the ObjectGUID from the AD user and change the ImmutableID of Office 365 user with the result.

  1. First of, we need to change the UPN of the cloud user, from tu05@omg365.dk to the tenant domain tu05@omg365.onmicrosoft.com, if you don’t do this, you’ll receive an error, later on, when changing the ImmutableID.
    • Set-MsolUserPrincipalName -UserPrincipalName tu05@omg365.dk -NewUserPrincipalName tu05@omg365.onmicrosoft.com

 

  1. Next, we need to find the ObjectGUID of the AD user, convert it to an ImmutableID, and assign that ID to the Cloud user.
    • $ADUser = “tu05
    • $365User = “tu05@omg365.onmicrosoft.com
    • $guid =(Get-ADUser $ADUser).Objectguid
    • $immutableID=[convert]::ToBase64String($guid.tobytearray())
    • Set-MsolUser -UserPrincipalName “$365User” -ImmutableId $immutableID
  2. Before syncing up, you’ll need to change back the UPN of the cloud object, otherwise, you’ll be in the same problem state as before, but reversed 😉
    • Set-MsolUserPrincipalName -UserPrincipalName tu05@omg365.onmicrosoft.com -NewUserPrincipalName tu05@omg365.dk

So now, we have ”prepared” Office 365 to Hard Match the AD user with the Cloud user, but before we do so, we need to change a few things on the AD user.

Start of by locating the user in the OU that is not synced with O365

  1. Make sure the E-mail is correct on the “General” fan of the user
    • ad user
    • Next, go to “Account” and change the UPN, change it to your public / e-mail domain name
    • upn
    • Lastly, move the user to the original OU, and force a sync (or wait for the magic to happen, New default sync is 30 min.)
    • Start-ADSyncSyncCycle -PolicyType Delta

Be patient, it can take a while for the change to show up.

Before synchronizing

in_cloud

Voila, After synchronizing

synced

Your AD user and your Cloud user have been merged, and everybody is happy 😊

Merging local AD users with Cloud users

 

Office 365 is no ”new kid on the block” anymore, and most companies are running with AADConnect, with or without ADFS. But I still see smaller customers, who have a local AD and an Exchange Online tenant, without any connection. It rarely takes a lot of time to convince them, that managing 2 user accounts, is a lot more work, and usually they are REALLY tired of changing the online password, because users forget! Or perhaps, even worse…. They set the passwords to never expire 2018-02-06_15h55_49

So, is there an easy way to “merge” the two? Yes, but you need to plan it well, and have all the settings of your users correct.

I’ll describe it in the following steps.

I already installed AADConnect, and made sure to use OU filtering, meaning, that I only synchronize certain OU’s to Office 365. In my case, the “Users” OU is synced. The OU “Not synced”, is were my users that I want to sync are located.

AD_OU

In my Office 365 tenant, I have my 3 cloud users (I’m aware that one of them is missing a license, but that doesn’t really matter 😊)cloud users

  1. So, first step is to makes sure that the local users have the correct settings Make sure, that their correct email address is in the “E-mail” fieldAD_user
  2. Next, choose the “Account” tab, and make sure that the users UPN matches your public mail domain added in Office 365correct UPN
  3. If you have a “local” domain (in the old days, it was fairly normal that the AD domain was .local .lan or something not internet routable.) You need to add your SMTP domain as an UPN suffix. Open “Active Directory Domains and Trusts”, takes properties and add the domain.

add upn to adadd upn to ad1

Make sure you make that change to all your users. 😮

  1. Now were ready to start merging users. You might want to test with a made-up user first, but otherwise its just start moving users to the synced OU and run AAD Sync.
    • To force a synchronization you need Powershell, otherwise you have to wait up to 30 min (default sync time)
    • Logon on to your Office 365 tenant with Global Admin rights. Then run the following command
    • Start-ADSyncSyncCycle -PolicyType Delta

 

Wow and behold. Users who, before the change had 2 passwords and 2 user accounts to maintain, can now benefit from all the features of AADConnect 😊

cloud synced users