Tutorial: how to reassign an Office 365 account to a different user while keeping the existing data
We will create a new AD user, [email protected], to replace an existing user, [email protected], who is synced to Office 365 in an Exchange Hybrid environment. The new user keeps the same email address and the same mailbox, OneDrive and Teams data, because we give it the same SourceAnchor / ImmutableId as the old cloud object.
|               | Existing           | New                |
|---------------|--------------------|--------------------|
| UPN           | [email protected]  | [email protected]  |
| Email Address | [email protected]  | [email protected]  |
SourceAnchor / ImmutableId
The SourceAnchor (exposed in Azure AD as the ImmutableId attribute) is defined as an attribute that is immutable during the lifetime of an object. It uniquely identifies an object as being the same object on-premises and in Azure AD.
The sourceAnchor value cannot be changed after the object has been created in Azure AD and the identity is synchronized; that is exactly why a new AD object must be given the old object's anchor before it is exported.
By default, Azure AD Connect (version 1.1.486.0 and older) uses objectGUID as the sourceAnchor attribute. ObjectGUID is system-generated. You cannot specify its value when creating on-premises AD objects
Azure AD Connect (version 1.1.524.0 and after) now facilitates the use of ms-DS-ConsistencyGuid as the sourceAnchor attribute. When using this feature, Azure AD Connect automatically configures the synchronization rules to:
- Use ms-DS-ConsistencyGuid as the sourceAnchor attribute for User objects. ObjectGUID is used for other object types.
- For any given on-premises AD User object whose ms-DS-ConsistencyGuid attribute isn't populated, write its objectGUID value back to the ms-DS-ConsistencyGuid attribute in on-premises Active Directory. After the ms-DS-ConsistencyGuid attribute is populated, Azure AD Connect then exports the object to Azure AD.
Refer to Azure AD Connect: Design concepts for more detail
Create a New User in AD Domain Controller
Create a new OU called LOCAL that is NOT synchronized to Office 365, and a new user called [email protected] inside it. Keeping the new account out of sync scope for now is deliberate: it must not be exported before its ImmutableId has been placed on the cloud object.
New-ADOrganizationalUnit -Name LOCAL
$OU = Get-ADOrganizationalUnit -Filter "Name -eq 'LOCAL'"
$UserName = "NewID"
$Password = 'P@ssw0rd!@#$'   # single quotes: the $ in the password must not be expanded
New-ADUser -Name $UserName -DisplayName $UserName -UserPrincipalName "$UserName@aventislab.info" -GivenName $UserName -Surname TEST `
    -AccountPassword (ConvertTo-SecureString -AsPlainText $Password -Force) -Path $OU.DistinguishedName `
    -SamAccountName $UserName -ChangePasswordAtLogon $false -Enabled $true
Get the objectGUID of [email protected] as a Base64 string. This is the value the cloud object's ImmutableId must carry; keep it in $ID because it is used again below.
$ID = [System.Convert]::ToBase64String((Get-ADUser $UserName).ObjectGUID.ToByteArray())
$ID
oMqeHkbSgU+fbhLS5G2i/Q==
Delete the existing user in Office 365
By default, a deleted user is kept for 30 days before the user's data is permanently deleted, so the remaining steps have to be completed within that window.
Move [email protected] to the new OU called LOCAL. Taking the object out of sync scope makes Azure AD Connect delete the cloud object on the next sync.
$User = Get-ADUser -Identity U001
Move-ADObject -Identity $User.DistinguishedName -TargetPath $OU.DistinguishedName
Perform Delta Sync in Azure AD Connect Server
#PowerShell for ADSync
Import-Module ADSync
#Perform Delta Sync Only
Start-ADSyncSyncCycle -PolicyType Delta
Verify [email protected] is in Deleted user
Get-MsolUser -ReturnDeletedUsers
UserPrincipalName DisplayName isLicensed
----------------- ----------- ----------
[email protected] UAT 001 True
Optional step: connect with the AzureAD module to verify that [email protected] is no longer a DirSynced user
Refer to Connect using AzureAD Module on how to prepare the AzureAD Module
Get-AzureADUser -All $true | Where-Object { $_.DirSyncEnabled -eq $false }
ObjectId DisplayName UserPrincipalName UserType
-------- ----------- ----------------- --------
6423bdd7-1e81-4631-98f4-9a0207afa1e4 UAT 001 [email protected] Member
Restore the Deleted User
Restore [email protected] from Deleted Users
Restore-MsolUser -UserPrincipalName [email protected]
Reassign Office 365 Account to Different User
Replace the ImmutableId of [email protected] with the objectGUID of [email protected] ($ID from above)
Setting the ImmutableId fails if the user's domain is federated:
Get-MsolUser -UserPrincipalName [email protected] | Set-MsolUser -ImmutableId $ID
Set-MsolUser : You must provide a required property: Parameter name: FederatedUser.SourceAnchor
At line:1 char:56
+ ... serPrincipalName [email protected] | Set-MsolUser -ImmutableId $ID
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Set-MsolUser], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.RequiredPropertyNotSetException,Microsoft.Online.Administration.Automation.SetUser
Get-MsolDomain
Name Status Authentication
---- ------ --------------
M365x594225.onmicrosoft.com Verified Managed
aventislab.info Verified Federated
Change the UPN of [email protected] to the tenant's xxxx.onmicrosoft.com domain (which is Managed) and update its ImmutableId
Set-MsolUserPrincipalName -UserPrincipalName [email protected] -NewUserPrincipalName [email protected]
Set-MsolUser -UserPrincipalName [email protected] -ImmutableId $ID
Change it back to the original UPN once the ImmutableId is set
Set-MsolUserPrincipalName -UserPrincipalName [email protected] -NewUserPrincipalName [email protected]
Lastly, delete [email protected] again, so that the cloud object (now carrying the new ImmutableId) sits in Deleted Users and is matched when [email protected] is synced
Remove-MsolUser -UserPrincipalName [email protected]
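The whole cloud-side sequence (restore, re-anchor, verify, delete again) as one script, added here as an example and not part of the original post. It wraps the federated-domain workaround shown above in a function that only parks the UPN in the tenant's initial onmicrosoft.com domain when the domain is actually Federated, and always moves the UPN back even if the anchor update throws. It assumes an authenticated MSOnline session (Connect-MsolService), that $ID holds the Base64 objectGUID computed earlier, and that the existing user's UPN is built from the sAMAccountName U001 and the domain aventislab.info shown elsewhere in the post.

```powershell
# Added example, not code from the original post.
# Assumes Connect-MsolService has already been run and $ID holds the
# Base64 objectGUID of the new on-premises account.

function Set-MsolImmutableIdSafe {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$ImmutableId
    )

    $prefix, $domain = $UserPrincipalName.Split('@', 2)
    $auth = (Get-MsolDomain -DomainName $domain).Authentication

    if ($auth -ne 'Federated') {
        # Managed domain: a direct update works.
        Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId $ImmutableId
        return
    }

    # Federated domain: Set-MsolUser refuses to change the anchor
    # (FederatedUser.SourceAnchor), so park the UPN in the initial tenant
    # domain, which is always Managed.
    $initial = (Get-MsolDomain | Where-Object { $_.IsInitial }).Name
    $tempUpn = '{0}@{1}' -f $prefix, $initial

    Set-MsolUserPrincipalName -UserPrincipalName $UserPrincipalName -NewUserPrincipalName $tempUpn
    try {
        Set-MsolUser -UserPrincipalName $tempUpn -ImmutableId $ImmutableId
    }
    finally {
        # Always put the original UPN back, even if the anchor update failed.
        Set-MsolUserPrincipalName -UserPrincipalName $tempUpn -NewUserPrincipalName $UserPrincipalName
    }
}

# Assumption: the existing user's UPN is sAMAccountName U001 at aventislab.info.
$Upn = 'U001@aventislab.info'

# 1. Bring the soft-deleted cloud object back so it can be modified.
Restore-MsolUser -UserPrincipalName $Upn

# 2. Stamp the new on-premises anchor onto it.
Set-MsolImmutableIdSafe -UserPrincipalName $Upn -ImmutableId $ID

# 3. Check before deleting again: a wrong anchor here means the new AD user
#    would be exported as a brand-new, empty cloud object.
$cloud = Get-MsolUser -UserPrincipalName $Upn
if ($cloud.ImmutableId -ne $ID) {
    throw "ImmutableId on $Upn is '$($cloud.ImmutableId)', expected '$ID'"
}

# 4. Soft-delete it again; the next delta sync matches NewID to this object.
Remove-MsolUser -UserPrincipalName $Upn -Force
```

The check in step 3 is the one worth keeping: if the anchor does not match, stop and fix it before the deletion, because once [email protected] is exported with a different ImmutableId it becomes a separate user with no mailbox, OneDrive or Teams history.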
Remove SMTP & X.500 addresses from the existing user
Remove the email address (SMTP) and X.500 address from [email protected] in AD, as we are going to reassign the same email address to [email protected]. Exchange will not let two on-premises objects hold the same proxy address.
If Exchange Hybrid is configured, create a remote mailbox and assign the email address of [email protected] to [email protected]:
Enable-RemoteMailbox -Identity NewID -DisplayName "New ID" -RemoteRoutingAddress [email protected] -PrimarySmtpAddress [email protected]
If Exchange Hybrid is NOT configured, you can add SMTP:[email protected] to the proxyAddresses of [email protected] using Attribute Editor in Active Directory Users and Computers
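Doing the address hand-over from PowerShell instead of Attribute Editor, as an added example that is not part of the original post. The function strips the SMTP (primary and secondary) and X500 entries from the old account, and either leaves the new account for Enable-RemoteMailbox (Hybrid) or stamps the same addresses onto it directly (no Hybrid). It assumes the ActiveDirectory module, the sAMAccountNames U001 and NewID from the post, and, for the Hybrid branch, an Exchange Management Shell plus a remote routing domain of M365x594225.mail.onmicrosoft.com, which is assumed from the tenant name shown in the Get-MsolDomain output and the usual mail.onmicrosoft.com hybrid convention.

```powershell
# Added example, not code from the original post.
Import-Module ActiveDirectory

function Move-ProxyAddresses {
    param(
        [Parameter(Mandatory)][string]$From,   # sAMAccountName of the old account
        [Parameter(Mandatory)][string]$To,     # sAMAccountName of the new account
        [switch]$StampOnTarget                 # no Hybrid: write the addresses onto $To
    )

    $old = Get-ADUser -Identity $From -Properties proxyAddresses, mail

    # -match is case-insensitive, so this catches SMTP: (primary), smtp: (secondary) and X500:.
    # SIP, x400 and other prefixes are left on the old account untouched.
    $moving = @($old.proxyAddresses | Where-Object { $_ -match '^(SMTP|X500):' })
    if (-not $moving) { throw "$From has no SMTP/X500 proxy addresses to move" }

    # Release the addresses and clear mail so nothing else still claims them
    # when the new mailbox is created.
    Set-ADUser -Identity $From -Remove @{ proxyAddresses = $moving } -Clear mail

    if ($StampOnTarget) {
        # -cmatch keeps only the upper-case SMTP: entry, i.e. the primary address
        $primary = ($moving | Where-Object { $_ -cmatch '^SMTP:' }) -replace '^SMTP:'
        Set-ADUser -Identity $To -Add @{ proxyAddresses = $moving } -Replace @{ mail = $primary }
    }

    return $moving
}

# Hybrid: release the addresses from U001, then let Exchange create the remote mailbox for NewID.
$released = Move-ProxyAddresses -From 'U001' -To 'NewID'
$primarySmtp = ($released | Where-Object { $_ -cmatch '^SMTP:' }) -replace '^SMTP:'
Enable-RemoteMailbox -Identity 'NewID' -DisplayName 'New ID' `
    -RemoteRoutingAddress 'NewID@M365x594225.mail.onmicrosoft.com' `   # assumed routing domain
    -PrimarySmtpAddress $primarySmtp

# No Hybrid: skip Enable-RemoteMailbox and stamp the addresses straight onto NewID instead.
# Move-ProxyAddresses -From 'U001' -To 'NewID' -StampOnTarget
```

Set-ADUser applies -Remove before -Clear, so the SMTP/X500 entries are removed first and then the mail attribute is emptied; the old account keeps any SIP or x400 entries, which is usually what you want while it still exists in the LOCAL OU.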
Sync New User to Office 365
Move [email protected] to the OU that is synced to Office 365 (O365) and force Azure AD Connect to perform a delta sync
$SyncOU = Get-ADOrganizationalUnit -Filter "Name -eq 'O365'"
Move-ADObject -Identity (Get-ADUser NewID).DistinguishedName -TargetPath $SyncOU.DistinguishedName
# Perform delta sync in AzureAD Connect
Start-ADSyncSyncCycle -PolicyType Delta
Verify [email protected] is synced to Office 365 successfully
Get-MsolUser -UserPrincipalName [email protected]
UserPrincipalName DisplayName isLicensed
----------------- ----------- ----------
[email protected] NewID True
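A scripted version of this check, added here as an example that is not part of the original post. It serves both the SourceAnchor section at the top of the tutorial and this verification step: it reads the on-premises anchor the way Azure AD Connect does (ms-DS-ConsistencyGuid when populated, otherwise objectGUID), encodes it as Base64, decodes it back to a readable GUID, and compares it with the cloud ImmutableId while also checking that the cloud object is now directory-synced and that no soft-deleted copy is left behind. It assumes the ActiveDirectory and MSOnline modules, an authenticated Connect-MsolService session, and that NewID's UPN is NewID at aventislab.info (sAMAccountName and domain taken from the post).

```powershell
# Added example, not code from the original post.
Import-Module ActiveDirectory

function ConvertTo-ImmutableId {
    # Azure AD stores the anchor as Base64 of the raw 16 bytes.
    param([Parameter(Mandatory)]$Value)   # [guid] or byte[]
    $bytes = if ($Value -is [guid]) { $Value.ToByteArray() } else { [byte[]]$Value }
    [Convert]::ToBase64String($bytes)
}

function ConvertFrom-ImmutableId {
    # Reverse mapping, handy when reading ImmutableId values out of Get-MsolUser.
    param([Parameter(Mandatory)][string]$ImmutableId)
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

function Get-OnPremSourceAnchor {
    # Mirrors the Azure AD Connect rule described earlier: prefer
    # mS-DS-ConsistencyGuid, fall back to objectGUID when it is empty.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties 'mS-DS-ConsistencyGuid'
    if ($u.'mS-DS-ConsistencyGuid') {
        [pscustomobject]@{ Attribute = 'mS-DS-ConsistencyGuid'; Value = ConvertTo-ImmutableId $u.'mS-DS-ConsistencyGuid' }
    } else {
        [pscustomobject]@{ Attribute = 'objectGUID'; Value = ConvertTo-ImmutableId $u.ObjectGUID }
    }
}

function Test-SyncedIdentity {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $anchor = Get-OnPremSourceAnchor -SamAccountName $SamAccountName
    $cloud  = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $problems = @()

    if ($cloud.ImmutableId -ne $anchor.Value) {
        $problems += "ImmutableId mismatch: cloud=$($cloud.ImmutableId) on-prem($($anchor.Attribute))=$($anchor.Value)"
    }
    if (-not $cloud.LastDirSyncTime) {
        $problems += 'LastDirSyncTime is empty; the cloud object is not directory-synced'
    }
    if (Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue) {
        $problems += 'A soft-deleted user with this UPN still exists in Deleted Users'
    }

    [pscustomobject]@{
        Upn         = $UserPrincipalName
        Anchor      = $anchor.Attribute
        ObjectGuid  = ConvertFrom-ImmutableId $anchor.Value
        ImmutableId = $anchor.Value
        Healthy     = ($problems.Count -eq 0)
        Problems    = $problems
    }
}

# Assumption: NewID's UPN is NewID@aventislab.info.
Test-SyncedIdentity -SamAccountName 'NewID' -UserPrincipalName 'NewID@aventislab.info' | Format-List
```

Healthy = True with an empty Problems list means the synced [email protected] object is the restored mailbox rather than a fresh cloud user; an ImmutableId mismatch at this point usually means the $ID that was stamped in the cloud came from a different object (or was taken from objectGUID after ms-DS-ConsistencyGuid had already been populated with another value).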
Verification
Log in to Office 365 with the new ID, [email protected], to verify:
Email data is retained, and the same email address, [email protected], is now assigned to [email protected]
Data in OneDrive is retained, with the display name changed to NewID
Data and history in Microsoft Teams are retained, with the display name changed to NewID