Tutorial on how to reassign Office 365 account to different user by maintaining existing data
We will create a new AD user, NewID@AventisLab.info, to replace an existing user, U001@AventisLab.info, that is synced to Office 365 in an Exchange Hybrid environment. The new user keeps the old user's email address and takes over the old user's cloud object by matching their SourceAnchor / ImmutableId.
| | Existing | New |
|---|---|---|
| UPN | U001@AventisLab.info | NewID@AventisLab.info |
| Email Address | U001@AventisLab.info | U001@AventisLab.info |
SourceAnchor / ImmutableId
The SourceAnchor (called ImmutableId in Azure AD) is defined as an attribute that is immutable during the lifetime of an object. It uniquely identifies an object as being the same object on-premises and in Azure AD.
The sourceAnchor attribute value cannot be changed after the object has been created in Azure AD and the identity is synchronized.
By default, Azure AD Connect (version 1.1.486.0 and older) uses objectGUID as the sourceAnchor attribute. objectGUID is system-generated; you cannot specify its value when creating on-premises AD objects.
Azure AD Connect (version 1.1.524.0 and after) now facilitates the use of ms-DS-ConsistencyGuid as the sourceAnchor attribute. When using this feature, Azure AD Connect automatically configures the synchronization rules to:
- Use ms-DS-ConsistencyGuid as the sourceAnchor attribute for User objects. objectGUID is used for other object types.
- For any given on-premises AD User object whose ms-DS-ConsistencyGuid attribute isn't populated, write its objectGUID value back to the ms-DS-ConsistencyGuid attribute in on-premises Active Directory. After the ms-DS-ConsistencyGuid attribute is populated, Azure AD Connect then exports the object to Azure AD.
Refer to Azure AD Connect: Design concepts for more detail
Create a New User in AD Domain Controller
Create a new OU called LOCAL that is NOT synchronized to Office 365, and create the new user NewID@aventislab.info in it
# OU outside the Azure AD Connect sync scope
New-ADOrganizationalUnit -Name LOCAL
$OU = Get-ADOrganizationalUnit -Filter 'Name -eq "LOCAL"'
$UserName = "NewID"
$Password = 'P@ssw0rd!@#$'   # single quotes so nothing in it is expanded
New-ADUser -Name $UserName -DisplayName $UserName -UserPrincipalName "$UserName@aventislab.info" `
    -GivenName $UserName -Surname TEST `
    -AccountPassword (ConvertTo-SecureString -AsPlainText $Password -Force) -Path $OU.DistinguishedName `
    -SamAccountName $UserName -ChangePasswordAtLogon $false -Enabled $true
Get the ObjectGUID of NewID@aventislab.info as a base64 string. This is the value that will become the ImmutableId of the cloud object, so keep it in $ID for the Set-MsolUser step later on
$ID = [System.Convert]::ToBase64String((Get-ADUser $UserName).ObjectGUID.ToByteArray()); $ID
oMqeHkbSgU+fbhLS5G2i/Q==
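The one-liner above assumes the anchor is objectGUID. As an added example (not code from the original tutorial), the function below computes the value Azure AD Connect will actually export for an on-prem user: it reads ms-DS-ConsistencyGuid when that attribute is already populated (an object that has been synced before, where the stored value can differ from the current objectGUID) and falls back to objectGUID otherwise, then decodes the base64 string back to a GUID to confirm the round trip. The ActiveDirectory module, the user NewID and the variable $ID are the page's; the function names are assumptions.

```powershell
# Added example, not part of the original tutorial.
# Assumes the ActiveDirectory module and the page's user NewID.
Import-Module ActiveDirectory

function Get-ExpectedImmutableId {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties 'mS-DS-ConsistencyGuid'
    $raw  = $user.'mS-DS-ConsistencyGuid'   # byte[] once Azure AD Connect has written it, otherwise $null

    if ($raw) {
        # Synced before: the anchor is whatever is stored here, which may
        # differ from objectGUID if the object was ever re-created.
        $guid   = [Guid]::new([byte[]]$raw)
        $source = 'mS-DS-ConsistencyGuid'
    } else {
        # Never synced: Azure AD Connect copies objectGUID into
        # mS-DS-ConsistencyGuid on first export, so objectGUID is the anchor.
        $guid   = $user.ObjectGUID
        $source = 'objectGUID'
    }

    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        AnchorSource   = $source
        Guid           = $guid
        ImmutableId    = [Convert]::ToBase64String($guid.ToByteArray())
    }
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse of the encoding above: base64 -> 16 bytes -> GUID
    [Guid]::new([Convert]::FromBase64String($ImmutableId))
}

$anchor = Get-ExpectedImmutableId -Identity 'NewID'
$anchor | Format-List

# Sanity check: the base64 string must decode back to the same GUID
if ((ConvertFrom-ImmutableId $anchor.ImmutableId) -ne $anchor.Guid) {
    throw "ImmutableId does not round-trip to the on-prem GUID"
}

$ID = $anchor.ImmutableId   # consumed later by Set-MsolUser -ImmutableId $ID
```

For a brand-new user such as NewID both paths give the same string; the function matters when the object being matched has been through Azure AD Connect before, since the cloud side will only match on the stored anchor.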
Delete the existing user in Office 365
By default, a deleted user is kept in Deleted Users for 30 days before the user's data is permanently deleted, which is the window this procedure relies on.
Move U001@aventislab.info to the new OU called LOCAL so that it falls out of the sync scope; the next sync then deletes the matching cloud object
$User = Get-ADUser -Identity U001
Move-ADObject -Identity $User.DistinguishedName -TargetPath $OU.DistinguishedName
Perform a delta sync on the Azure AD Connect server
#PowerShell for ADSync
Import-Module ADSync
#Perform Delta Sync Only
Start-ADSyncSyncCycle -PolicyType Delta
Verify that U001@aventislab.info now appears under Deleted Users
Get-MsolUser -ReturnDeletedUsers
UserPrincipalName DisplayName isLicensed
----------------- ----------- ----------
U001@aventislab.info UAT 001 True
Optional step – log in with the Azure AD module to verify that U001@aventislab.info is no longer a DirSynced user
Refer to Connect using AzureAD Module on how to prepare the AzureAD module
Get-AzureADUser | Where {$_.DirSyncEnabled -eq $false}
ObjectId DisplayName UserPrincipalName UserType
-------- ----------- ----------------- --------
6423bdd7-1e81-4631-98f4-9a0207afa1e4 UAT 001 U001@aventislab.info Member
Restore the Deleted User
Restore U001@aventislab.info from Deleted Users
Restore-MsolUser -UserPrincipalName u001@aventislab.info
Reassign Office 365 Account to Different User
Replace the ImmutableId of U001@aventislab.info with the value computed for NewID@aventislab.info ($ID)
The ImmutableId cannot be changed while the user's UPN is in a federated domain; the command fails as follows
Get-MsolUser -UserPrincipalName U001@aventislab.info | Set-MsolUser -ImmutableId $ID
Set-MsolUser : You must provide a required property: Parameter name: FederatedUser.SourceAnchor
At line:1 char:56
+ ... serPrincipalName U001@aventislab.info | Set-MsolUser -ImmutableId $ID
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [Set-MsolUser], MicrosoftOnlineException
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.RequiredPropertyNotSetException,Microsoft.Online.Administration.Automation.SetUser
Get-MsolDomain
Name Status Authentication
---- ------ --------------
M365x594225.onmicrosoft.com Verified Managed
aventislab.info Verified Federated
Change the UPN of u001@aventislab.info to the tenant's managed xxxx.onmicrosoft.com domain, then update its ImmutableId
Set-MsolUserPrincipalName -UserPrincipalName u001@aventislab.info -NewUserPrincipalName u001@M365x594225.onmicrosoft.com
Set-MsolUser -UserPrincipalName u001@M365x594225.onmicrosoft.com -ImmutableId $ID
Change it back to the original UPN once the ImmutableId is set
Set-MsolUserPrincipalName -UserPrincipalName u001@M365x594225.onmicrosoft.com -NewUserPrincipalName u001@aventislab.info
Lastly, delete U001@aventislab.info again, so that the cloud object sits in Deleted Users carrying NewID's ImmutableId and can be matched when NewID is synced
Remove-MsolUser -UserPrincipalName u001@aventislab.info
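The UPN shuffle above is easy to get wrong by hand (a failed Set-MsolUser leaves the user parked on the .onmicrosoft.com domain). As an added example (not code from the original tutorial), the function below wraps the same steps: it looks up whether the user's domain is federated with Get-MsolDomain, parks the UPN on the tenant's initial .onmicrosoft.com domain only when needed, sets the ImmutableId, always moves the UPN back, and then reads the user again to confirm the value stuck. The MSOnline module, an existing Connect-MsolService session and the variable $ID are the page's; the function name is an assumption.

```powershell
# Added example, not part of the original tutorial.
# Assumes the MSOnline module, an active Connect-MsolService session and $ID from earlier.
Import-Module MSOnline

function Set-ImmutableIdWithFederationWorkaround {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$ImmutableId
    )

    $localPart, $domainName = $UserPrincipalName.Split('@', 2)
    $domain  = Get-MsolDomain -DomainName $domainName
    $initial = Get-MsolDomain | Where-Object { $_.IsInitial }   # tenant.onmicrosoft.com, always Managed
    $tempUpn = "$localPart@$($initial.Name)"

    if ($domain.Authentication -eq 'Federated') {
        Write-Host "$domainName is federated; parking the UPN on $($initial.Name)"
        Set-MsolUserPrincipalName -UserPrincipalName $UserPrincipalName -NewUserPrincipalName $tempUpn
        $current = $tempUpn
    } else {
        $current = $UserPrincipalName
    }

    try {
        Set-MsolUser -UserPrincipalName $current -ImmutableId $ImmutableId
    } finally {
        # Move the UPN back even if Set-MsolUser threw, so the user is never left parked
        if ($current -ne $UserPrincipalName) {
            Set-MsolUserPrincipalName -UserPrincipalName $current -NewUserPrincipalName $UserPrincipalName
        }
    }

    $after = Get-MsolUser -UserPrincipalName $UserPrincipalName
    if ($after.ImmutableId -ne $ImmutableId) {
        throw "ImmutableId on $UserPrincipalName is '$($after.ImmutableId)', expected '$ImmutableId'"
    }
    $after | Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime
}

Set-ImmutableIdWithFederationWorkaround -UserPrincipalName 'u001@aventislab.info' -ImmutableId $ID
```

Run it between the Restore-MsolUser and Remove-MsolUser steps; it only changes the UPN when the domain really is federated, so the same function works unchanged on a managed domain.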
Remove SMTP & X.500 Address for Existing User
Remove the email address (SMTP) and X500 entries from the proxyAddresses of u001@aventislab.info in AD, because the same email address is going to be reassigned to NewID@aventislab.info and a proxy address may only exist on one object at a time (Azure AD Connect reports a duplicate-attribute error otherwise)
If Exchange Hybrid is configured, create a remote mailbox for NewID and assign it the email address of U001@aventislab.info
[PS] C:\>Enable-RemoteMailbox -Identity NewID -DisplayName "New ID" -RemoteRoutingAddress u001@M365x594225.onmicrosoft.com -PrimarySmtpAddress U001@aventislab.info
If Exchange Hybrid is NOT configured, you can add SMTP:U001@aventislab.info to NewID@aventislab.info using Attribute Editor in Active Directory Users and Computers
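As an added example (not code from the original tutorial) for the non-hybrid path, the function below does the Attribute Editor work with Set-ADUser and goes a little further than the page: it moves every SMTP: and X500: proxy address from the old user to the new one, carries the old user's legacyExchangeDN over as an extra X500 address so cached Outlook recipients keep resolving, and first checks with an escaped LDAP filter that no third object in the forest already holds one of the addresses. The ActiveDirectory module and the users U001 and NewID are the page's; the function names are assumptions.

```powershell
# Added example, not part of the original tutorial.
# Assumes the ActiveDirectory module and the page's users U001 and NewID.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([string]$Value)
    # RFC 4515 escaping so an address cannot alter the filter
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
}

function Move-ProxyAddresses {
    param(
        [Parameter(Mandatory)][string]$From,
        [Parameter(Mandatory)][string]$To
    )

    $old = Get-ADUser -Identity $From -Properties proxyAddresses, legacyExchangeDN, mail
    $new = Get-ADUser -Identity $To   -Properties proxyAddresses

    # SMTP: and X500: entries only; SIP:, x400: and friends stay where they are
    $present = @($old.proxyAddresses | Where-Object { $_ -match '^(smtp|x500):' })
    if ($present.Count -eq 0) { Write-Warning "nothing to move from $From"; return }

    # The old user's legacyExchangeDN also travels as an X500 address, so Outlook
    # clients that cached the old recipient keep resolving to the mailbox
    $toAdd = @($present)
    if ($old.legacyExchangeDN) { $toAdd += "X500:$($old.legacyExchangeDN)" }
    $toAdd = @($toAdd | Select-Object -Unique)

    # Azure AD Connect and Exchange require proxyAddresses to be unique;
    # refuse if any object other than the two parties already holds one
    foreach ($addr in $toAdd) {
        $holders = @(Get-ADObject -LDAPFilter "(proxyAddresses=$(ConvertTo-LdapFilterValue $addr))" |
            Where-Object { $_.DistinguishedName -notin @($old.DistinguishedName, $new.DistinguishedName) })
        if ($holders.Count -gt 0) {
            throw "$addr is already present on: $($holders.DistinguishedName -join '; ')"
        }
    }

    # Remove from the old object first so the address is never on two objects at once
    Set-ADUser -Identity $old -Remove @{ proxyAddresses = $present } -Clear mail
    Set-ADUser -Identity $new -Add    @{ proxyAddresses = $toAdd }

    # Upper-case SMTP: marks the primary address; mirror it into the mail attribute
    $primary = $present | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
    if ($primary) { Set-ADUser -Identity $new -EmailAddress $primary.Substring(5) }

    Get-ADUser -Identity $To -Properties mail, proxyAddresses | Select-Object Name, mail, proxyAddresses
}

Move-ProxyAddresses -From 'U001' -To 'NewID'
```

In a hybrid, keep using the page's Enable-RemoteMailbox for the new mailbox and only use the removal half of this against U001; if an email address policy applies to the old object, Exchange may re-stamp the addresses you removed, so disable the policy on that recipient first.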
Sync New User to Office 365
Move NewID@aventislab.info to the OU that is synced to Office 365 (O365 in this example) and force Azure AD Connect to perform a delta sync
Move-ADObject -Identity (Get-ADUser NewID).DistinguishedName -TargetPath "OU=O365,DC=aventislab,DC=info"
# Perform delta sync in AzureAD Connect
Start-ADSyncSyncCycle -PolicyType Delta
Verify NewID@aventislab.info is synced to Office 365 successfully
Get-MsolUser -UserPrincipalName NewID@aventislab.info
UserPrincipalName DisplayName isLicensed
----------------- ----------- ----------
NewID@Aventislab.info NewID True
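Get-MsolUser showing the new UPN does not by itself prove that the sync matched the old cloud object rather than creating a fresh one. As an added example (not code from the original tutorial), the check below compares the cloud user's ImmutableId with the anchor now stored on the on-prem object (ms-DS-ConsistencyGuid, populated by the export, with objectGUID as fallback), confirms the object is directory-synced and carries the reassigned primary SMTP address, and makes sure no user with the same ImmutableId is still sitting in Deleted Users. The ActiveDirectory and MSOnline modules and the names NewID and u001@aventislab.info are the page's; the function name is an assumption.

```powershell
# Added example, not part of the original tutorial.
# Assumes the ActiveDirectory and MSOnline modules and an active Connect-MsolService session.
Import-Module ActiveDirectory, MSOnline

function Test-ReassignedAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,     # on-prem user, e.g. NewID
        [Parameter(Mandatory)][string]$UserPrincipalName,  # cloud UPN, e.g. NewID@aventislab.info
        [Parameter(Mandatory)][string]$PrimarySmtpAddress  # address carried over from the old user
    )

    # Anchor as it now stands on-prem: after the first export ms-DS-ConsistencyGuid is populated
    $ad    = Get-ADUser -Identity $SamAccountName -Properties 'mS-DS-ConsistencyGuid'
    $bytes = if ($ad.'mS-DS-ConsistencyGuid') { [byte[]]$ad.'mS-DS-ConsistencyGuid' } else { $ad.ObjectGUID.ToByteArray() }
    $expected = [Convert]::ToBase64String($bytes)

    $cloud = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    $problems = @()
    if ($cloud.ImmutableId -ne $expected) {
        $problems += "cloud ImmutableId '$($cloud.ImmutableId)' differs from on-prem anchor '$expected'"
    }
    if (-not $cloud.LastDirSyncTime) {
        $problems += "user has never been DirSynced"
    }
    if ($cloud.ProxyAddresses -cnotcontains "SMTP:$PrimarySmtpAddress") {
        $problems += "primary SMTP address is not $PrimarySmtpAddress"
    }
    # A matched object leaves the recycle bin; a leftover here means a new object was created instead
    $ghost = @(Get-MsolUser -ReturnDeletedUsers | Where-Object { $_.ImmutableId -eq $expected })
    if ($ghost.Count -gt 0) {
        $problems += "deleted user $($ghost.UserPrincipalName -join ', ') still carries this ImmutableId"
    }

    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        ImmutableId       = $expected
        OK                = ($problems.Count -eq 0)
        Problems          = $problems
    }
}

Test-ReassignedAccount -SamAccountName 'NewID' -UserPrincipalName 'NewID@aventislab.info' -PrimarySmtpAddress 'u001@aventislab.info'
```

If OK is false with the ImmutableId mismatch, the sync created a second object and the mailbox, OneDrive and Teams data are still attached to the one in Deleted Users; stop there rather than licensing the new object.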
Verification
Log in to Office 365 with the new ID, NewID@aventislab.info, to verify that:
The mailbox data is retained and the same email address, u001@aventislab.info, is now assigned to NewID@aventislab.info
The data in OneDrive is retained, with the display name changed to NewID
The data and history in Microsoft Teams are retained, with the display name changed to NewID