Reassign Office 365 Account to Different User

A tutorial on how to reassign an Office 365 account to a different user while keeping the existing mailbox, OneDrive and Teams data.

We will create a new AD user, NewID@AventisLab.info, to replace an existing user, U001@AventisLab.info, who is synced to Office 365 with the same email address in an Exchange Hybrid environment. The cloud object is carried over by matching the SourceAnchor / ImmutableId of the new on-premises object to it.

                 Existing                 New
UPN              U001@AventisLab.info     NewID@AventisLab.info
Email Address    U001@AventisLab.info     U001@AventisLab.info

SourceAnchor / ImmutableId

The sourceAnchor attribute (exposed as ImmutableId in Azure AD) is defined as an attribute that is immutable during the lifetime of an object. It uniquely identifies an object as being the same object on-premises and in Azure AD.

The sourceAnchor attribute value cannot be changed after the object has been created in Azure AD and the identity is synchronized.

By default, Azure AD Connect (version 1.1.486.0 and older) uses objectGUID as the sourceAnchor attribute. ObjectGUID is system-generated; you cannot specify its value when creating on-premises AD objects.

Azure AD Connect (version 1.1.524.0 and later) can use ms-DS-ConsistencyGuid as the sourceAnchor attribute. When this option is selected, Azure AD Connect automatically configures the synchronization rules to:

  • Use ms-DS-ConsistencyGuid as the sourceAnchor attribute for User objects. ObjectGUID is used for other object types.

  • For any given on-premises AD User object whose ms-DS-ConsistencyGuid attribute isn’t populated, Azure AD Connect writes its objectGUID value back to the ms-DS-ConsistencyGuid attribute in on-premises Active Directory. After the ms-DS-ConsistencyGuid attribute is populated, Azure AD Connect then exports the object to Azure AD.

Refer to Azure AD Connect: Design concepts for more detail. Which of the two attributes your tenant uses matters for every ImmutableId value computed below: the Base64 value you set in the cloud must be derived from whichever attribute Azure AD Connect is configured to use as the anchor.

Create a New User in AD Domain Controller

Create a new OU called LOCAL that is NOT synchronized to Office 365 (outside the Azure AD Connect OU filter) and a new user called NewID@aventislab.info.

New-ADOrganizationalUnit -Name LOCAL
$OU = Get-ADOrganizationalUnit -Filter 'Name -eq "LOCAL"'

$UserName = "NewID"
# Prompt for the password instead of keeping a plaintext password in the script
$Password = Read-Host -AsSecureString -Prompt "Password for $UserName"

New-ADUser -Name $UserName -DisplayName $UserName -UserPrincipalName "$UserName@aventislab.info" -GivenName $UserName -Surname TEST `
        -AccountPassword $Password -Path $OU.DistinguishedName `
        -SamAccountName $UserName -ChangePasswordAtLogon $false -Enabled $true

Get the ObjectGUID of NewID@aventislab.info as a Base64 string and keep it in $ID; this is the value that is later written to the cloud object as its ImmutableId. If your Azure AD Connect uses ms-DS-ConsistencyGuid as the sourceAnchor, that attribute is what must match; for a freshly created user it is empty until Azure AD Connect writes the objectGUID into it, so the two values coincide.

$ID = [System.Convert]::ToBase64String((Get-ADUser $UserName).ObjectGUID.ToByteArray())
$ID
oMqeHkbSgU+fbhLS5G2i/Q==
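The conversion above, as an added example that is not code from the original post: helpers to convert between an AD GUID and the Base64 ImmutableId stored in Azure AD, a lookup of which attribute Azure AD Connect uses as sourceAnchor, and a read-only check that an on-premises user and a cloud user carry the same anchor before anything is changed. It assumes the RSAT ActiveDirectory module, the MSOnline module after Connect-MsolService and, for Get-ADSyncAnchorAttribute only, the ADSync module on the Azure AD Connect server; the function names are my own.

```powershell
# Added example (not code from the original post). Assumes the ActiveDirectory and
# MSOnline modules; Get-ADSyncAnchorAttribute needs the ADSync module on the
# Azure AD Connect server.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][Guid]$Guid)
    # Azure AD stores the 16 raw GUID bytes Base64-encoded, not the "xxxxxxxx-..." string.
    [Convert]::ToBase64String($Guid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    # Reverse direction: find which AD GUID a cloud object is anchored to.
    [Guid][byte[]][Convert]::FromBase64String($ImmutableId)
}

function Get-ADSyncAnchorAttribute {
    # Run on the Azure AD Connect server; returns 'objectGUID' or 'mS-DS-ConsistencyGuid'.
    Import-Module ADSync -ErrorAction Stop
    $p = (Get-ADSyncGlobalSettings).Parameters |
         Where-Object { $_.Name -eq 'Microsoft.SynchronizationOption.AnchorAttribute' }
    $p.Value
}

function Get-OnPremImmutableId {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [ValidateSet('objectGUID', 'mS-DS-ConsistencyGuid')][string]$AnchorAttribute = 'objectGUID'
    )
    $u = Get-ADUser -Identity $SamAccountName -Properties 'mS-DS-ConsistencyGuid'
    $guid = switch ($AnchorAttribute) {
        'objectGUID' { $u.ObjectGUID }
        'mS-DS-ConsistencyGuid' {
            # Empty until Azure AD Connect (or an admin) has written it; a freshly
            # created user therefore has no sourceAnchor yet under this setting.
            if (-not $u.'mS-DS-ConsistencyGuid') {
                throw "mS-DS-ConsistencyGuid is not populated on $SamAccountName"
            }
            [Guid][byte[]]$u.'mS-DS-ConsistencyGuid'
        }
    }
    ConvertTo-ImmutableId -Guid $guid
}

function Test-SourceAnchorMatch {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [ValidateSet('objectGUID', 'mS-DS-ConsistencyGuid')][string]$AnchorAttribute = 'objectGUID'
    )
    $onPrem = Get-OnPremImmutableId -SamAccountName $SamAccountName -AnchorAttribute $AnchorAttribute
    $cloud  = (Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop).ImmutableId
    [pscustomobject]@{
        SamAccountName    = $SamAccountName
        UserPrincipalName = $UserPrincipalName
        OnPremImmutableId = $onPrem
        CloudImmutableId  = $cloud
        # Base64 is case-sensitive, so compare with -ceq rather than the default -eq.
        Match             = ($onPrem -ceq $cloud)
    }
}

# Usage on the Azure AD Connect server:
#   $anchor = Get-ADSyncAnchorAttribute
#   $ID = Get-OnPremImmutableId -SamAccountName NewID -AnchorAttribute $anchor
#   Test-SourceAnchorMatch -SamAccountName NewID -UserPrincipalName NewID@aventislab.info -AnchorAttribute $anchor
```

Run Test-SourceAnchorMatch once more at the very end of the procedure: Match must be True for NewID, otherwise Azure AD Connect has created a second cloud object instead of picking up the restored one.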

Delete the existing user in Office 365

By default, a deleted user is kept in Deleted Users for 30 days before the user's data is permanently deleted, so the whole procedure below must complete within that window.

Move U001@aventislab.info to the new OU called LOCAL, which takes it out of the Azure AD Connect sync scope; the next sync then soft-deletes the cloud object.

$User = Get-ADUser -Identity U001
Move-ADObject -Identity $User.DistinguishedName -TargetPath $OU.DistinguishedName

Perform Delta Sync in Azure AD Connect Server

#PowerShell for ADSync
Import-Module ADSync

#Perform Delta Sync Only
Start-ADSyncSyncCycle -PolicyType Delta

Verify that U001@aventislab.info is now in Deleted Users

Get-MsolUser -ReturnDeletedUsers

UserPrincipalName       DisplayName isLicensed
-----------------       ----------- ----------
   U001@aventislab.info    UAT 001     True      

Optional step – log in with the AzureAD module to verify that U001@aventislab.info is no longer a DirSynced user

Refer to Connect using AzureAD Module on how to prepare the AzureAD Module

Get-AzureADUser | Where {$_.DirSyncEnabled -eq $false}

ObjectId                             DisplayName UserPrincipalName    UserType
--------                             ----------- -----------------    --------
6423bdd7-1e81-4631-98f4-9a0207afa1e4 UAT 001     U001@aventislab.info Member

Restore the Deleted User

Restore U001@aventislab.info from Deleted Users

Restore-MsolUser -UserPrincipalName u001@aventislab.info 

Reassign Office 365 Account to Different User

Replace the ImmutableId of U001@aventislab.info with the value computed for NewID@aventislab.info ($ID).

Setting the user's ImmutableId fails if the UPN domain is federated:

Get-MsolUser -UserPrincipalName U001@aventislab.info | Set-MsolUser -ImmutableId $ID 
Set-MsolUser : You must provide a required property: Parameter name: FederatedUser.SourceAnchor
At line:1 char:56
+ ... serPrincipalName U001@aventislab.info | Set-MsolUser -ImmutableId $ID
+                                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Set-MsolUser], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.RequiredPropertyNotSetException,Microsoft.Online.Administration.Automation.SetUser
 
Get-MsolDomain 

Name                             Status   Authentication
----                             ------   --------------
M365x594225.onmicrosoft.com      Verified Managed       
aventislab.info                  Verified Federated     

Change u001@aventislab.info to the tenant's initial M365x594225.onmicrosoft.com domain, which is Managed, and set its ImmutableId there

Set-MsolUserPrincipalName -UserPrincipalName u001@aventislab.info -NewUserPrincipalName u001@M365x594225.onmicrosoft.com
Set-MsolUser -UserPrincipalName u001@M365x594225.onmicrosoft.com -ImmutableId $ID

Change it back to the original UPN once the ImmutableId is set

Set-MsolUserPrincipalName -UserPrincipalName u001@M365x594225.onmicrosoft.com -NewUserPrincipalName u001@aventislab.info 

Lastly, delete U001@aventislab.info again so that it sits in Deleted Users with the new ImmutableId. When NewID is later exported with the same sourceAnchor, Azure AD Connect restores this soft-deleted object instead of creating a new one, which is what carries the mailbox, OneDrive and Teams data across.

Remove-MsolUser -UserPrincipalName u001@aventislab.info
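The restore, UPN swap, ImmutableId change, swap back and second delete above, as one function. This is an added example and not code from the original post; it assumes the MSOnline module after Connect-MsolService, and that $ImmutableId holds the Base64 sourceAnchor of the new on-premises object (the $ID computed earlier). It goes slightly beyond the post in that it only performs the temporary UPN swap when the UPN domain is actually Federated, and it swaps the UPN back even if Set-MsolUser throws; the function name is my own.

```powershell
# Added example (not code from the original post). Assumes the MSOnline module and an
# active Connect-MsolService session.

function Set-CloudImmutableId {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$ImmutableId,
        [switch]$SoftDeleteAfter
    )

    # Base64 of 16 GUID bytes is always 24 characters ending in "=="; catch a GUID
    # string passed by mistake before it is written to the tenant.
    if ($ImmutableId -notmatch '^[A-Za-z0-9+/]{22}==$') {
        throw "ImmutableId '$ImmutableId' is not a Base64-encoded GUID"
    }

    # A user deleted by moving it out of sync scope sits in Deleted Users for 30 days
    # and must be restored before any attribute can be set on it.
    $deleted = Get-MsolUser -ReturnDeletedUsers |
               Where-Object { $_.UserPrincipalName -eq $UserPrincipalName }
    if ($deleted) {
        Restore-MsolUser -UserPrincipalName $UserPrincipalName
    }
    $null = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

    $prefix, $domain = $UserPrincipalName.Split('@', 2)
    $auth = (Get-MsolDomain -DomainName $domain -ErrorAction Stop).Authentication

    if ($auth -eq 'Federated') {
        # Set-MsolUser -ImmutableId is refused for users in a federated domain
        # ("You must provide a required property: ... FederatedUser.SourceAnchor"),
        # so park the user on the tenant's Managed initial domain for the change.
        $initial = (Get-MsolDomain | Where-Object { $_.IsInitial }).Name
        $tempUpn = "$prefix@$initial"
        Set-MsolUserPrincipalName -UserPrincipalName $UserPrincipalName -NewUserPrincipalName $tempUpn
        try {
            Set-MsolUser -UserPrincipalName $tempUpn -ImmutableId $ImmutableId
        } finally {
            # Always put the UPN back, even if Set-MsolUser threw.
            Set-MsolUserPrincipalName -UserPrincipalName $tempUpn -NewUserPrincipalName $UserPrincipalName
        }
    } else {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId $ImmutableId
    }

    # Verify with a case-sensitive compare; Base64 is case-sensitive.
    $after = (Get-MsolUser -UserPrincipalName $UserPrincipalName).ImmutableId
    if ($after -cne $ImmutableId) {
        throw "ImmutableId on $UserPrincipalName is '$after', expected '$ImmutableId'"
    }

    if ($SoftDeleteAfter) {
        # Leaves the object in Deleted Users; the next export of the on-premises object
        # with this sourceAnchor restores it instead of creating a new cloud user.
        Remove-MsolUser -UserPrincipalName $UserPrincipalName -Force
    }
}

# Usage:
#   Set-CloudImmutableId -UserPrincipalName u001@aventislab.info -ImmutableId $ID -SoftDeleteAfter
```

While the user is parked on the onmicrosoft.com UPN it authenticates against Azure AD rather than your federation service, so do the swap and set back-to-back rather than leaving the account in that state.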

Remove SMTP & X.500 Address for Existing User

Remove the email address (SMTP:) and the X500: entry from the proxyAddresses attribute of u001@aventislab.info in AD, since the same email address is going to be reassigned to NewID@aventislab.info and a proxy address cannot exist on two objects in Azure AD at the same time.

Reassign Office 365 Account to Different User

Create a remote mailbox and assign the email address of U001@aventislab.info to NewID@aventislab.info if Exchange Hybrid is configured (run in the on-premises Exchange Management Shell)

Enable-RemoteMailbox -Identity NewID -DisplayName "New ID" -RemoteRoutingAddress u001@M365x594225.onmicrosoft.com -PrimarySmtpAddress U001@aventislab.info

If Exchange Hybrid is NOT configured, add SMTP:U001@aventislab.info to the proxyAddresses attribute of NewID@aventislab.info using Attribute Editor in Active Directory Users and Computers.
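The removal step and the non-hybrid reassignment above done with the ActiveDirectory module instead of Attribute Editor, as an added example that is not code from the original post. It assumes the RSAT ActiveDirectory module and that both users are still in the LOCAL OU (out of sync scope) while the change is made; the function name is my own. With Exchange Hybrid configured, use Enable-RemoteMailbox as shown above and only the removal part of this applies.

```powershell
# Added example (not code from the original post). Assumes the ActiveDirectory module.

function Move-ProxyAddresses {
    param(
        [Parameter(Mandatory)][string]$From,               # sAMAccountName of the old user
        [Parameter(Mandatory)][string]$To,                 # sAMAccountName of the new user
        [Parameter(Mandatory)][string]$PrimarySmtpAddress  # becomes the upper-case SMTP: entry on $To
    )
    $src = Get-ADUser -Identity $From -Properties proxyAddresses, mail
    $dst = Get-ADUser -Identity $To   -Properties proxyAddresses, mail

    # Only SMTP and X500 entries move (-match is case-insensitive, so SMTP: and smtp:
    # both match); SIP:, x400: and similar stay with the old object. The X500 entry is
    # the old mailbox's legacyExchangeDN and keeps replies to old mail resolvable.
    $moving = @($src.proxyAddresses | Where-Object { $_ -match '^(smtp|x500):' })
    if ($moving.Count -eq 0) { throw "$From has no SMTP or X500 proxyAddresses to move" }

    # Merge into the new user's list: exactly one upper-case SMTP: (the primary), every
    # other SMTP address lower-case, no duplicates.
    $candidates = @($dst.proxyAddresses) + $moving | Where-Object { $_ }
    $merged = @()
    foreach ($entry in $candidates) {
        if ($entry -match '^smtp:(.+)$') {
            $addr  = $Matches[1]
            $entry = if ($addr -ieq $PrimarySmtpAddress) { "SMTP:$addr" } else { "smtp:$addr" }
        }
        if ($merged -notcontains $entry) { $merged += $entry }
    }
    $primaries = @($merged | Where-Object { $_ -cmatch '^SMTP:' })
    if ($primaries.Count -ne 1) {
        throw "Expected exactly one primary SMTP address on $To, got: $($primaries -join ', ')"
    }

    # Remove from the old object first: Azure AD does not accept the same proxyAddress
    # on two objects, and the conflicting value is quarantined on export.
    Set-ADUser -Identity $From -Remove @{ proxyAddresses = $moving } -Clear mail
    Set-ADUser -Identity $To -Replace @{ proxyAddresses = [string[]]$merged; mail = $PrimarySmtpAddress }

    # Return the final state of both objects for inspection.
    foreach ($id in $From, $To) {
        Get-ADUser -Identity $id -Properties proxyAddresses, mail |
            Select-Object SamAccountName, mail, proxyAddresses
    }
}

# Usage:
#   Move-ProxyAddresses -From U001 -To NewID -PrimarySmtpAddress U001@aventislab.info
```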

Sync New User to Office 365

Move NewID@aventislab.info to the OU that is synced to Office 365 (O365 in this lab) and force Azure AD Connect to perform a delta sync

# On the domain controller
Move-ADObject -Identity (Get-ADUser NewID).DistinguishedName -TargetPath "OU=O365,DC=aventislab,DC=info"

# On the Azure AD Connect server: perform a delta sync
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta

Verify that NewID@aventislab.info is synced to Office 365 successfully and that it has picked up the licence of the restored object (isLicensed True), which shows the soft-deleted object was matched rather than a new one created

Get-MsolUser -UserPrincipalName NewID@aventislab.info

UserPrincipalName     DisplayName isLicensed
-----------------     ----------- ----------
NewID@Aventislab.info NewID       True      

Verification

Log in to Office 365 with the new ID, NewID@aventislab.info, to verify:

Email data is preserved, and the same email address, u001@aventislab.info, is now assigned to NewID@aventislab.info.

Data in OneDrive is preserved, with the display name changed to NewID.

Data and history in Microsoft Teams are preserved, with the display name changed to NewID.
